China Hackers Deploy BSD Backdoor on Linux Systems


A China-linked cyber espionage group, VerdantBamboo, is deploying a BSD variant of the BRICKSTORM backdoor on Linux systems, along with other malware. Learn how to protect your infrastructure.

A China-linked cyber espionage group has been spotted using a new variant of a known backdoor called BRICKSTORM, along with two other malware families, to target Linux systems. The group, tracked as VerdantBamboo by Volexity, is also known as Clay Typhoon by Microsoft. This activity highlights the ongoing threat to Linux appliances, which are often considered more secure than Windows systems but are increasingly targeted by sophisticated attackers.

### What Is VerdantBamboo?

VerdantBamboo is a threat cluster believed to be based in China. They've been active for years, focusing on espionage against government and tech organizations. Their recent shift to target Linux systems shows they're adapting to the security landscape. Many critical infrastructure systems run on Linux, making them a high-value target.

### The Malware Arsenal

The group deployed three main malware families:

- **BRICKSTORM**: A backdoor that gives attackers remote control over infected systems. The new BSD variant runs on FreeBSD-based systems.
- **PLENET (aka GRIMBOLT)**: A stealthy backdoor that uses encrypted communication to avoid detection.
- **AGENTPSD**: A credential-stealing tool that targets password databases and configuration files.

These tools work together to gain initial access, maintain persistence, and steal sensitive data.

### Why Linux Systems Are at Risk

Linux powers most servers, cloud infrastructure, and Internet of Things devices. Many organizations assume Linux is immune to malware, but that's a dangerous myth. Attackers like VerdantBamboo are investing in Linux-specific tools because they know where the valuable data lives. The use of a BSD variant of BRICKSTORM is particularly worrying because BSD systems are common in network appliances like firewalls and routers.

### How to Protect Your Systems

- **Keep software updated**: Patch vulnerabilities in Linux kernels and applications regularly.
- **Monitor network traffic**: Look for unusual outbound connections or encrypted traffic to unknown IPs.
- **Use strong authentication**: Implement multi-factor authentication for critical systems.
- **Segment networks**: Limit lateral movement by isolating sensitive systems from general networks.
- **Deploy endpoint detection**: Use tools that can detect backdoors like BRICKSTORM.

> "The shift to Linux-specific malware shows attackers are following the data, not the hype." — Emily Davis

### The Bigger Picture

This isn't just about one group. It's a reminder that cyber threats evolve constantly. As more organizations move to cloud and Linux-based environments, we'll likely see more sophisticated attacks targeting these platforms. The best defense is a proactive security posture that assumes you're already a target.

Stay vigilant, keep learning, and don't assume your systems are safe just because they're not Windows. The threat landscape is changing, and you need to change with it.