Skip to main content
Mallory
Back to threat actors
🇨🇳 CN3 malware families

VerdantBamboo

Also known asverdantbamboo
Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

19 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics34 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1078
Valid Accounts
T1133
External Remote Services
TA0002
Execution
2 techniques
T1053
Scheduled Task/Job
T1053.003
Cron
T1059
Command and Scripting Interpreter
T1059.004
Unix Shell
TA0003
Persistence
5 techniques
T1053
Scheduled Task/Job
T1053.003
Cron
T1078
Valid Accounts
T1133
External Remote Services
T1543
Create or Modify System Process
T1556
Modify Authentication Process
TA0004
Privilege Escalation
5 techniques
T1053
Scheduled Task/Job
T1053.003
Cron
T1068
Exploitation for Privilege Escalation
T1078
Valid Accounts
T1543
Create or Modify System Process
T1548
Abuse Elevation Control Mechanism
T1548.003
Sudo and Sudo Caching
TA0005
Stealth
2 techniques
T1070
Indicator Removal
T1070.004
File Deletion
T1078
Valid Accounts
TA0112
Defense Impairment
1 technique
T1556
Modify Authentication Process
TA0006
Credential Access
1 technique
T1556
Modify Authentication Process
TA0008
Lateral Movement
2 techniques
T1021
Remote Services
T1021.004
SSH
T1570
Lateral Tool Transfer
TA0011
Command and Control
5 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1090
Proxy
T1090.001
Internal Proxy
T1105
Ingress Tool Transfer
T1568
Dynamic Resolution
T1573
Encrypted Channel
ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
AGENTPSDAGENTPSD , a malware family written in Python that was deployed to Linux systems... AGENTPSD is a basic reverse shell utility written in Python and packaged into a native binary using PyInstaller.1Jun 4, 2026
BRICKSTORMThe suspicious connections observed were the result of a malware implant known as BRICKSTORM... BRICKSTORM , a Golang-based remote access trojan (RAT).1Jun 4, 2026
PLENETVolexity identified two previously undocumented (at the time of discovery) malware families: PLENET , a malware family written in .NET Core and compiled to native code using the Native AOT features added in .NET 7. The analyzed sample was written for Linux target systems. This malware was referred to as “GRIMBOLT” by Google Cloud.1Jun 4, 2026
IOCS

Observables

12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

12 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

1 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping19

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables12

Domains, IPs, and hashes tied to this actor, refreshed continuously.