Earlier this year Nieman Lab broke the story that major news publishers, including The New York Times, The Guardian, and USA Today Co., had started blocking the Internet Archive for fear that AI companies might scrape the nonprofit’s repositories for training data. Given that the archive is one of the last bastions of archival history, that is, in case you’re not aware, not very good for the public interest.
Four months later and Nieman Lab now notes that the number of news outlets blocking the archive has soared to around 340 organizations:
“Our new analysis shows that more than 340 local news sites across the United States are now limiting the Internet Archive’s ability to access and preserve their stories. Many sites in our sample are owned by five of the seven largest local news publishers in the country: USA Today Co., McClatchy, Advance Local, MediaNews Group, and Tribune Publishing. The latter two are both subsidiaries of the “vulture hedge fund” Alden Global Capital.”
Many of these localities are already effectively news deserts, where most real local journalism was hollowed out and replaced by a smattering of local right wing broadcasters (like Sinclair Broadcasting) or a hedge fund run “local newspaper” that doesn’t do much in the way of actual local reporting. That’s generally also been terrible for informed consensus or shedding a light on local corruption.
Some of the outlets blocking internet archive access have legitimate concerns about protecting their hard work from being repackaged and resold without compensation or citation. But an awful lot of the folks grumbling about the Internet Archive were never in the journalism business to serve the public interest in the first place.
Regardless of motivation, hiding whatever local news remains behind paywalls, then blocking it from the Internet Archive, in turn makes it harder for everyone else to do real journalism that relies on the historical record, local journalists tell Nieman Lab:
“I cover news within a larger news desert in New York’s Rockland, Sullivan, and Rockland counties. This means I need to heavily rely on archival data of old news articles from now deceased, or zombie-fied, media outlets,” wrote B.J. Mendelson, the editor of The Monroe Gazette newsletter, in one recent petition signed by over 200 journalists. “Without the Internet Archive, my [work] would be incredibly difficult to do.”
But even beyond AI scraping, many corporate media owners simply can’t see beyond the narrow interests of paywalled revenue. And corporate power — and authoritarianism — sometimes in collaboration — both tend to benefit from a misinformed electorate that doesn’t have a firm grip on the lessons learned from historical experience, and doesn’t have easy access to the factual record.
As a journalist of several decades, the vast vast majority of my work has been deleted by website owners and companies that simply couldn’t have cared any less about archival history or any sort of permanent record. My explorations of telecom policy have disappeared, but Verizon, AT&T, and Comcast’s version of the historical record generally remains. You can probably see how that’s of benefit to corporate power.
But again, smaller, independent, local news outlets on fixed budgets have particularly legitimate concerns about the tech giants’ plan to hijack and repackage the entirety of their work using AI without any compensation or attribution whatsoever. The Internet Archive folks say they are listening to those concerns, while also trying to train news orgs on archival preservation:
“In December, the Internet Archive partnered with the Poynter Institute and Investigative Reporters and Editors to train a cohort of 33 local and national news outlets on how to develop and implement an archiving strategy. The initiative, funded through a Press Forward grant, aims to train 300 newsrooms in digital preservation and in using the Internet Archive’s services by the end of 2027.”
Some other archival efforts exist, but they often involve paywalled access; again a problem when you’ve got an authoritarian corporate coalition driven heavily by free propaganda, while factual reality and what’s left of intelligent U.S. analysis and journalism sits hidden behind a monthly subscription fee.
— After 28 years at Microsoft, Rohan Kumar is heading to Salesforce as president and chief platform officer, based out of the San Francisco company’s Bellevue, Wash., offices.
The rise of automated AI agents is “reshaping how every company thinks about work, software, data, productivity and customer relationships,” Kumar said on LinkedIn, adding that Salesforce is well positioned to harness the technology for better workflows.
Kumar most recently held the role of corporate vice president of Microsoft Security (see the next Tech Moves item for his successor). Previous positions included CVP of Azure Data and leadership roles in SQL Server, the company’s database management system.
Naseem Tuffaha. (LinkedIn Photo)
— Naseem Tuffaha is back at Microsoft as CVP of Microsoft Security, stepping into the role vacated by Kumar. Tuffaha spent nearly two decades at the Redmond, Wash., tech giant before departing in 2022 for The Trade Desk and then Pearson, where he served as chief business officer for more than a year.
During his previous Microsoft tenure, Tuffaha held wide-ranging roles including VP of sales for a suite of products including Office 365 and Teams, along with oversight of marketing and operations across the Middle East and Africa.
Away from Microsoft, Tuffaha said he gained firsthand experience navigating the secure implementation of AI solutions — and now wants to improve that process. Microsoft is well-positioned “to make security easier to adopt, easier to use, and easier to trust,” he added.
Graham Sheldon. (LinkedIn Photo)
— Graham Sheldon is now at Docusign as chief product officer, departing his CPO role at UiPath. The Seattle-area executive spent 20 years at Microsoft before joining UiPath in 2022.
He left Microsoft as CVP of product for Teams and served as technical advisor to Satya Nadella back when Nadella was in CVP and SVP roles — before his ascent to CEO. Sheldon also held an engineering manager role in dynamics applied research.
On LinkedIn, Sheldon cited Docusign’s track record of trust across the industry and said he’s excited to work on “the next frontier of agreement innovation” at the San Francisco-based company.
Hannah McClellan. (LinkedIn Photo)
— Hannah McClellan, VP of Amazon Pharmacy Operations, is leaving the company after more than 15 years. During her tenure she served as chief of staff to the CEO of Worldwide Amazon Stores and held roles spanning retail automation, Amazon Freight and Amazon Fresh.
“We are grateful to Hannah for all of her contributions to Amazon and our customers, and wish her the best in her next endeavor,” a company spokesperson said. McClellan has not announced her next move.
Gurinder Raju. (LinkedIn Photo)
— Gurinder Raju is departing Amazon after more than 18 years. Most recently general manager of Amazon WorkSpaces for AWS, he previously worked on Webstore, a now-discontinued e-commerce platform for independent sellers.
On LinkedIn, Raju reflected on “owning and growing WorkSpaces into a recognized leader” and the colleagues he’s worked alongside. His summer plans include time with family and his dog, travel and indulging his “love of computer science.” Come late summer, he added, “I’ll turn my attention to what’s next. If you feel compelled to share a suggestion or idea, or want to hear mine, feel free to ping me.”
Kate Coelho. (LinkedIn Photo)
— Kate Coelho has joined Microsoft as director of AI Transformation Change, coming over from ServiceNow where she led AI adoption in customer service and support. Previous stops include Equinix, Point B and Infosys.
“We are already in a new era of work, and Microsoft is helping shape how it continues to unfold,” Coelho said on LinkedIn. “And I get to help with the human side of that transformation. Because technology alone doesn’t change organizations. People do.”
— Chris Grusz has left Amazon after a decade, resigning from the role of managing director of technology partnerships for AWS. He was previously at IBM as director of sales.
In a LinkedIn post, Grusz said that Amazon’s “learn and be curious” principle helped change his career mindset, pushing him to take risks and embrace reinvention. Grusz did not share his new role, but said that while he’s departing from AWS, he’s not going far.
Tanya Chen. (LinkedIn Photo)
— Tanya Chen is now at OpenAI as a member of technical staff, joining the company from Atlassian where she spent three years as senior VP of engineering. The Seattle-area executive has also worked at Meta and Microsoft.
Chen described her OpenAI onboarding as “a whirlwind of rapid learning” and said she was “energized to dive in together and build next-generation products at the edge of frontier AI.”
— Fred Hutch Cancer Center promoted Nida Shekhani to a newly created role of executive VP and chief strategy and clinical growth officer. She previously served in a deputy capacity and has been with the Seattle organization for nearly three years, joining from UChicago Medicine.
— Seattle-based shipping tech startup Shipium has promoted David Panitz to chief revenue officer. He joined in 2023 as senior VP of sales and is based in Ohio.
“(Panitz) helped us redefine what kind of company Shipium is, and is the right person to guide our massive growth journey ahead,” CEO Jason Murray said. Shipium launched in 2019 and is No. 117 on the GeekWire 200, a ranked index of the Pacific Northwest’s top startups.
— Matt Wargon has joined Everett-based fusion startup Zap Energy as a senior nuclear engineer. He comes from neighboring nuclear energy company TerraPower, where he spent more than eight years. Zap, which recently announced an expansion into traditional nuclear fission, ranks No. 13 on the GeekWire 200.
— Alaska Air Group, parent company of Alaska and Hawaiian airlines, has appointed Mike Sievert to its board of directors. Sievert is the former CEO of T-Mobile and currently serves as vice chairman of the board at the Bellevue, Wash.-based telecom giant.
— Bothell, Wash.-based biotech Cocrystal Pharma has named James Sapirstein as its new CEO, succeeding co-CEOs Sam Lee and Jim Martin. Lee, a Cocrystal co-founder, will continue as president and move into the chief scientific officer role, while Martin transitions to chief financial officer. Sapirstein brings a long biotech resume, with past CEO stints at Contravir Pharmaceuticals and Tobira Therapeutics.
— NuScale Power appointed two new members to its board of directors: mining executive Stuart Harshaw and Dale Klein, an engineering professor emeritus at the University of Texas. The Corvallis, Ore.-based company is developing small modular nuclear reactors.
— And in case you missed it: LinkedIn co-founder Reid Hoffman, who has served on Microsoft’s board since 2017, will not stand for re-election at the company’s 2026 annual meeting. Read GeekWire’s full coverage here.
Although no longer so common as during the heyday of the RepRap movement, it’s easier than ever to build your own largely-printed 3D printer, with designs such as Voron’s delivering excellent quality. Nevertheless, there are still niches to be filled by new designs, such as [Alex Yu]’s mostly-printed Encore design.
The Encore uses CoreXY kinematics and linear rails for the X and Y axes. It has no internal frame; the linear rails are mounted directly to the side panels, which were printed but provide sufficient rigidity. The printer is modular, and all the parts are designed to fit within a 225 mm print bed. The Encore itself uses a 120 mm bed, a Bowden extruder, and a lightweight Bambu-style hotend. The drive motors are NEMA 17 stepper motors, and they use sliding mounts for belt tensioning. The power supply sits behind the rods supporting the Z axis, and the controller board is in the base of the printer.
Building the printer was simple; tuning it, less so. The combination of a Bambu-type hotend with a Bowden extruder created some complications, and the hotend initially received too little cooling. [Alex] solved the cooling issues by using a stronger fan on the hotend, redesigning the ventilation shroud, and adding two inward-blowing fans along the sides of the build volume. After correcting some issues with Z-axis stability, the Encore produced some quite good-looking parts. [Alex] is still improving and documenting some aspects of the printer, but he’s uploaded his progress so far to GitHub.
After 50 years of searching, astronomers say they have finally found evidence of a long-sought “wind” blowing from Sagittarius A*, the supermassive black hole at the center of the Milky Way. “Unless a black hole exists in a perfect vacuum, it must blow a wind somehow. And there is no perfect vacuum in the universe,” team co-leader and Northwestern University researcher Mark Gorski said in a statement. “With new observations, this is the first time we’ve had a clean enough view to see the wind’s imprint. We looked at the data and said, ‘There it is. There is the thing that everybody’s been looking for for 50 years.’” Space.com reports: Scientists have been aware for some time that feeding black holes launch powerful outflows of material around them, including jets and winds. Winds are caused when matter falling to the black hole is accelerated to near light-speed, generating pressure that pushes infalling material away. That has been seen with ravenously feeding black holes before, but not the barely feeding Sgr A*. Its sparse consumption of material and the fact it is obscured by the plane of the Milky Way from our vantage point have made tracing this wind difficult.
Gorski’s Northwestern colleague and team co-leader Lena Murchikova pointed out that the scientists were the first to detect molecular gas very close to Sgr A* feeding the supermassive black hole. That makes Sgr A* reassuringly like other supermassive black holes. “The wind is not powerful, and its direction probably wanders with time. It shows that our black hole is not unique, and our place in the universe is not unique,” Murchikova added. “To observe our own black hole, we have to look through the plane of our galaxy. That means we have to peer through gas, dust and ionized structures, and you can’t really see through all of that easily.”
While the team’s results confirm that Sgr A* is extremely quiet compared to the supermassive black holes that sit in bright, turbulent regions of other galaxies called active galactic nuclei (AGN), this black hole wind is no slouch. In fact, the scientists think that it has been raging for around 20,000 years. “The majority of other galaxies spend most of their lives in a state where they are not particularly active,” Murchikova said. “But we can only see them when they are in a fireworks stage. It is very attractive to study black holes when they are in the fireworks stage, but that’s not actually their dominant state. Sgr A* finally gives us a window into the life of a black hole in this quiet state.”
The team’s research was published in The Astrophysical Journal Letters.
A team of researchers at Georgia Tech has developed a new smartphone-based system that could dramatically simplify how people interact with robots. Called COBALT, the platform allows users with little to no computing experience to remotely control robot arms from virtually anywhere in the world using just a phone and an internet connection.
The project, developed at Georgia Tech’s People, AI & Robotics (PAIR) Lab, transforms smartphones into motion controllers for robotic arms. Users simply move their phones in different directions, and the robot mirrors those movements in real time. Basic tasks such as grabbing, moving, and releasing objects can be performed through simple on-screen controls, making the experience feel more like playing a mobile game than operating industrial machinery.
Ayush Agarwal, a Ph.D. student in Georgia Tech’s School of Interactive Computing who leads the COBALT research team, said the system was intentionally designed to make robotics accessible to beginners rather than experts. During testing, participants from countries including India, Indonesia, and Pakistan remotely controlled robot arms located inside Georgia Tech’s lab despite having no prior robotics experience.
Researchers believe crowdsourcing could shape the future of robotics
The broader goal behind COBALT extends beyond convenience. Researchers believe the platform could solve one of robotics’ biggest challenges: collecting enough real-world training data to improve AI-powered robotic systems.
Modern robots require enormous amounts of policy training data to learn how to perform physical tasks reliably. According to Assistant Professor Animesh Garg, who directs the PAIR Lab, simulation alone is not enough to train robots for large-scale deployment. Instead, researchers envision a crowdsourced network where millions of smartphone users passively contribute operational data by remotely interacting with robots.
Garg compared the idea to tapping into the nearly five billion smartphone users worldwide. By lowering the barrier to entry, the team hopes to create a scalable global system capable of accelerating robotic learning and automation.
The technology could also have major educational implications. Georgia Tech researchers recently demonstrated COBALT to students from Midtown High School in Atlanta, allowing them to remotely operate robot arms using smartphones. The simplicity of the interface could make robotics education more accessible in classrooms without expensive equipment or specialized hardware.
A future “gig economy” for robots may not be far away
The researchers also believe COBALT could eventually support entirely new forms of remote work. Garg described the possibility of a robot-powered gig economy where people remotely operate assistive robots in homes, warehouses, or factories from anywhere in the world.
In practical terms, that could mean a factory robot autonomously handles most tasks but requests human assistance when it encounters a difficult situation. Instead of requiring on-site workers, remote operators could briefly take control through their phones before handing the operation back to the AI system.
Agarwal said user studies showed smartphones were preferred over VR headsets, keyboards, or traditional controllers because they felt more intuitive while still providing high-quality control data. The system also minimizes latency by using WebRTC technology, similar to platforms like Zoom and Google Meet, ensuring that robot movements and live video streams remain responsive even across long distances.
The research paper on COBALT is being presented this week at the IEEE International Conference on Robotics and Automation in Vienna, where the team is showcasing not just the technology itself, but the large-scale remote operation network built around it.
Tesla has officially pushed back the public debut of its next-generation Roadster to August or later this year. The engineers are still ironing out the bugs in the cold gas thruster kit that they are creating with SpaceX. The event is expected to take place in Texas, and it will be Tesla’s first full-fledged vehicle showcase since the Cybercab presentation in 2024.
Apparently, an early version of the thruster system arrived at Elon Musk’s desk for review in late April. Cold gas thrusters are intended to give the Roadster greater power, faster acceleration, tighter handling, and better braking, all due to how the gas flows out of those specific nozzles. According to the desired performance criteria, once all cylinders are running, a zero-to-sixty run should be doable in roughly a second. The limited edition SpaceX vehicle will apparently include a plethora of thrusters spread throughout, ten in total, plus the fuel to power them, all squeezed into the space normally occupied by the back seats. A standard version with fewer thrusters and tanks will likely be available to the general public.
The first customer automobiles are expected to leave the Texas Gigafactory in either 2027 or 2028, according to the most recent production estimates. Anyone who put down a deposit back in 2017 is still waiting for their automobile, which must be frustrating.
The car that used to be in my garage is currently in an Earth-Mars elliptical orbit and will be there for at least 10 million years https://t.co/SlBthuU5hp
They appear to have made multiple timeline modifications throughout the years; twelve years after the first idea in November 2017, they are still working on it. Customer deliveries were originally scheduled for 2020, but the timeframe was delayed multiple times. It was previously expected that the demo date would be April 1, followed by late spring, but it has now been pushed out to late summer. Elon stated on the April earnings call that the event could be just a month or so away, but it now appears to be a pipe dream.
The main cause of the delays is ongoing development on the A71 thruster system, a cold gas thruster configuration in which the gas is simply pushed out through nozzles rather than burned, as in a conventional rocket engine. This makes the hardware simpler and safer to drive on the road while still offering adequate performance. In recent weeks, several trademark applications have been filed for the new Roadster design.
Franz von Holzhausen, Chief Designer, and Lars Moravy, Vice President of Engineering, have kept the program on track despite the fact that it looks to have been completed many years ago. Perhaps August will explain how all of these components, including Tesla’s unique electric engine, thrusters, and aerodynamics package, will work together. [Source]
To emulate vintage microprocessor hardware, it’s normal to find a modern host that provides, alongside the number-crunching grunt, sufficient physical connections to interface with its support hardware. Thus if you were shopping around it might be reasonable to pick something with a powerful core and plenty of pins. Yet to emulate an 8080, [Ted Fried] has eschewed both of these — opting for an ATtiny85, a microcontroller deficient in both pins and processing power.
This seemingly impossible feat is achieved by reducing the physical connection to an SPI bus and offloading the support functions to a Teensy. The emulation code is significantly optimized C, and includes a 128 byte cache to speed up matters. This delivers a speed claimed to be only very slightly slower than a real 8080 when booting CP/M, which is quite a feat.
We’re sure that CP/M enthusiasts will have fun with this project, and we especially like the full write-up. Going to the effort of making fake 1975 electronics magazine covers for the project really is going the extra mile, and we appreciate that. Meanwhile if you’d like one of your own, the whole thing can be found in a GitHub project.
Ctrl-Alt-Speech is the podcast where we make sense of the major debates shaping online speech, platform power, content moderation and the future of the internet. It’s co-hosted by Mike Masnick (Techdirt) and Ben Whitelaw (Everything in Moderation).
With many communities looking to phase out gas-powered lawn mowers, companies that trade in battery-powered tools and devices are actively expanding their presence in the lawn care market. While there are plenty of plusses that come with making the shift from gas to electric, many who have taken the battery-powered plunge for their riding lawn mower have found themselves subjected to a veritable crash course in battery longevity and maintenance.
There are, of course, different types of batteries for lawn mowers these days. While more and more mowers and yard care devices are powered by rechargeable lithium-ion battery technology, quite a few riding models are still pushing old-school lead-acid power. If you’re running a riding lawn mower on one of those batteries, there are matters to consider other than those you’d encounter with lithium-ion, including its CCA rating.
If you’re unfamiliar with that acronym, CCA stands for cold cranking amps. It is an important factor when it comes to batteries, as it measures their ability to start an engine in colder weather. More specifically, the rating measures whether a battery can provide a minimum of 7.2 volts to an engine for 30 seconds at 0 degrees Fahrenheit. The CCA standard was established more than five decades ago and remains a vital stat for lead-acid batteries. Here are a few other things you should know about cold cranking amps.
The ins and outs of cold cranking amps
Cold cranking amps are primarily associated with lead-acid batteries. It is an important measurement to consider on a good car battery, as well as smaller vehicles like ATVs and side-by-sides. The primary reason for that is that such vehicles are utilized far more often when temperatures reach 32 degrees or below. The fact of the matter is that lawn mowers are not often operated in such temperatures, since many grasses tend to be dormant during the winter months.
Nonetheless, folks who live in colder climates and regularly mow their lawns into the fall season would be wise to seek out a battery with a suitable CCA rating. But what exactly does that mean? In the simplest terms, the rule of thumb is that the higher the CCA rating, the better your lawn mower battery should perform in cold weather. For riding lawn mowers and small yard tractors, the numbers generally range between 150 CCA and 300 CCA, though they can fluctuate higher or lower based on the needs of the machine’s engine.
The quality of the battery may also affect its CCA abilities, as high performance models may still deliver solid cold cranking starts even if they have a lower rating. If you’re looking to purchase a battery for your lawn mower and want to upgrade its cold cranking amp abilities, you can often find the rating listed directly on the battery’s label. If you can’t find the number there, consult its product description or an in-store sales associate for help.
Full disclosure: this post is going to pose way more questions than answers. That’s because the story of the Tomb Raider remake being produced by Crystal Dynamics and its inclusion of an AI disclosure on Steam makes no sense to me.
So, let’s start at the beginning. Crystal Dynamics is making an updated version of the first Tomb Raider game and it looks pretty great from what I’ve seen. But, as gamers are now accustomed to doing, the public came to notice that the game’s Steam page included one of Steam’s mandatory AI disclosure notices. It reads thusly:
AI-assisted tools were used during development to support some early exploration and temporary development content. Any AI-assisted assets were either replaced or refined by humans in order to maintain the creative and artistic vision of the development team.
And from there, because, of course, everyone freaked out. Comments from all the corners of the internet began flooding in, swearing off ever touching this game because it was developed using AI. What AI? We don’t know. How much was it utilized? No real content there, either. But is the game going to be good? It doesn’t fucking matter, because AI was used and that’s all you need to know in order to know that this game is going to be artless pap fit only to be mocked and laughed at.
Even some gaming journalists have gotten into the habit. This is from Kotaku:
GenAI slop potentially showing up in Tomb Raider is disappointing but maybe less surprising than it should be. Phil Rogers, CEO of Crystal Dynamics’ parent company, Embracer Group, last year called genAI a “powerful technology” for “driving efficiency.” Crystal Dynamics has also undergone several rounds of layoffs, completing three just last year and one earlier in 2026.
Here you have a writer who has already reached their conclusion while having almost zero information on which to base that conclusion. They haven’t played the game. They’ve barely seen the content in the game, save for some trailers. They don’t know thing one about how AI was used, where, and in what way. But it’s probably going to be “GenAI slop”. As if there is simply no other possible outcome.
“At Crystal Dynamics, we leverage AI tools to help our teams iterate on ideas faster and more efficiently, while ensuring that all finished content in the final product is human-crafted. Our goal is to empower the creativity and flexibility of our developers to deliver the highest-quality experiences for players everywhere.”
This is where I get confused. If all of the content that is going to make it into the final product is “human-crafted,” then they shouldn’t even have needed to add the disclosure to their Steam page. Back in January, Steam updated its AI disclosure rules: the disclosure is required only when AI-generated content appears either in the game’s public marketing materials or in the final product, where the player actually interacts with it.
In its submission form, Valve now specifies that game publishers must disclose pre-made generative AI assets only when used in marketing materials or content that “ships with your game, and is consumed by players.”
In other words, Steam’s disclosure requirement is not concerned with generative AI tools used behind the scenes for efficiency gains (presumably including coding helpers) or office work, but with things like final art, sound, and writing.
Now, I’ll just note that there is a subtle difference in the disclosure notice and Crystal Dynamics’ statement. The former indicates that the game may include AI-generated assets that were then iterated upon by a human developer. The latter seems to say the opposite, where everything in the final game will be “human-crafted”. So… which is it?
As I said from the start, more questions than answers is all I have at the moment. But if the gaming public is going to freak out at the mere mention of some AI being used in some way, somewhere within every new video game that comes out, then this is going to be a very annoying time in which to be a gamer.
A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD.
An investigation into the incident revealed that the threat actor had gained access to the victim network at least 18 months before detection, and had also compromised the victim organization’s managed services provider (MSP).
UNC5221 is also tracked as VerdantBamboo and has been involved in attacks that exploited zero-day vulnerabilities in edge devices since at least 2023.
The threat actor used the Brickstorm backdoor undetected in the environments of various targets in the United States for more than a year until the breaches were discovered around March 2025.
Researchers describe Brickstorm as “an advanced malware implant.” Initial variants were written in Golang, then new variants emerged, written in Rust.
In April 2024, Google documented UNC5221 activity using the backdoor, and then again in September 2025, describing attacks against legal services, software-as-a-service providers, business process outsourcers, and technology companies.
CISA warned about Brickstorm being deployed by Chinese hackers against VMware vSphere servers, and, more recently, Google reported that it was deployed by UNC6201 against Dell RecoverPoint for Virtual Machines.
Victim hacked twice
Volexity researchers responding to an incident last year found that VerdantBamboo compromised an Egnyte Storage Sync system and accessed it periodically through the victim’s web SSL VPN.
From this foothold, and using Brickstorm’s proxying features together with stolen credentials, the threat actor accessed the organization’s Microsoft 365 environment.
“Volexity assesses with high confidence that this was done to blend in with legitimate network traffic and evade Conditional Access policies that would have otherwise prevented access,” the researchers said.
Later, Volexity discovered that the hackers had spent at least 18 months on the network before being detected. Furthermore, VerdantBamboo breached the organization again after the researchers completed the remediation efforts.
In the second intrusion, the attackers used stolen credentials to enable and configure SSL VPN access on the victim’s firewall, then connected to internal systems and deployed additional custom malware to a Synology NAS device.
This triggered an investigation at the customer’s MSP, where Volexity found that VerdantBamboo had planted a BSD variant of Brickstorm on a pfSense firewall.
“Volexity concluded that this firewall, like the victim organization’s Storage Sync system, had also been compromised at least 18 months earlier.”
The researchers have medium confidence that the attacker pivoted from the MSP into the victim organization’s environment.
Brickstorm was then deployed to the victim’s Egnyte Storage Sync appliance and to a retired Linux GroupWise email archive server.
New backdoors used
Once the attackers returned a few days later and re-established access to the victim’s infrastructure, they deployed the custom malware Plenet to a Synology NAS appliance.
Plenet, also tracked as “Grimbolt” by Google, is a cross-platform .NET-based backdoor that offers interactive shell access, remote command execution, file manipulation, and command-and-control (C2) server switching.
The researchers note that Plenet is similar in design to Brickstorm, using the WebSocket protocol for C2 communications and a multiplexing library for simultaneous data streams to the server.
AgentPSD is a simple Python-based reverse shell utility that Volexity believes VerdantBamboo used as a fallback persistence mechanism if other malware was no longer accessible.
The researchers discovered that AgentPSD was configured to connect to a different domain than the one Brickstorm used. However, the malware was never used as Brickstorm was still running, which supports the assessment that AgentPSD was a secondary access mechanism.
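Since the actor favors appliances that cannot run EDR (storage sync boxes, NAS units, firewalls) and both Brickstorm and Plenet talk to their C2 over WebSocket, reviewing appliance egress from the network side is one practical defensive angle. The following is an added example, not Volexity’s or the article’s code: the log format, addresses, hostnames and allowlist are all constructed assumptions.

```python
"""Detection sweep for WebSocket-style C2 from EDR-less appliances.

Added example, not Volexity's, Google's, or any vendor's code. It assumes a
hypothetical tab-separated egress log (ts, src_ip, dst_host, dst_port,
method, upgrade_header, duration_s) and a constructed asset inventory.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed inventory of appliance-class hosts that cannot run EDR
# (hypothetical addresses; the appliance types mirror the article).
APPLIANCE_HOSTS: Dict[str, str] = {
    "10.0.5.20": "egnyte-storage-sync",
    "10.0.5.30": "synology-nas",
    "10.0.0.1": "pfsense-firewall",
}

# Constructed per-asset allowlist of destinations each appliance should reach.
ALLOWED_DESTS: Dict[str, Set[str]] = {
    "egnyte-storage-sync": {"api.egnyte.example"},
    "synology-nas": {"update.synology.example"},
    "pfsense-firewall": {"pkg.pfsense.example"},
}


@dataclass
class Finding:
    src_ip: str
    asset: str
    dst_host: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one hypothetical egress-log line; return None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    ts, src, dst, port, method, upgrade, duration = fields
    try:
        return {
            "ts": ts, "src": src, "dst": dst, "port": int(port),
            "method": method, "upgrade": upgrade.strip().lower(),
            "duration": float(duration),
        }
    except ValueError:
        return None


def analyze(lines: Iterable[str], long_session_s: float = 3600.0) -> List[Finding]:
    """Flag appliance egress that looks like Brickstorm/Plenet-style C2.

    Two heuristics: an HTTP Upgrade to WebSocket from an appliance to a
    destination outside its allowlist, or a long-lived 443 session to such
    a destination (the fallback when TLS is not inspected and the Upgrade
    header is therefore invisible to the log source).
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        asset = APPLIANCE_HOSTS.get(rec["src"])
        if asset is None:
            continue  # not an appliance; host-based telemetry covers it
        if rec["dst"] in ALLOWED_DESTS.get(asset, set()):
            continue
        if rec["upgrade"] == "websocket":
            findings.append(Finding(rec["src"], asset, rec["dst"],
                                    "websocket-upgrade-to-unlisted-dest"))
        elif rec["port"] == 443 and rec["duration"] >= long_session_s:
            findings.append(Finding(rec["src"], asset, rec["dst"],
                                    "long-lived-443-session-to-unlisted-dest"))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-09-10T08:00:01Z\t10.0.9.15\tchat.example\t443\tGET\twebsocket\t5400",
    "2025-09-10T08:00:05Z\t10.0.5.20\tapi.egnyte.example\t443\tGET\twebsocket\t7200",
    "2025-09-10T08:01:10Z\t10.0.5.30\tcdn-files.example\t443\tGET\twebsocket\t86000",
    "2025-09-10T08:02:00Z\t10.0.0.1\t203.0.113.7\t443\tCONNECT\t-\t90000",
    "2025-09-10T08:02:30Z\t10.0.5.30\tupdate.synology.example\t443\tGET\t-\t3",
    "garbled line without tabs",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.asset} ({f.src_ip}) -> {f.dst_host}: {f.reason}")
```

The Upgrade header is only visible where TLS is terminated or inspected, so elsewhere the session-duration heuristic carries the detection, and both thresholds need tuning against each appliance’s real baseline.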
During the investigation, Volexity tried to discover the infrastructure related to VerdantBamboo. The researchers created a fingerprint to identify IP addresses and domains Brickstorm used for C2 communication.
Although multiple machines were identified, the threat actor took the infrastructure offline before the researchers could reveal other systems.
“Between September 18 and September 23, all of the servers previously matching this pattern turned off their services on port 443.”
Around that time, Google also published a new report on Brickstorm’s activity, which may suggest that the attacker was aware of their operations being under investigation.
Volexity describes VerdantBamboo/UNC5221 as “a highly sophisticated threat actor” that mixes living-off-the-land techniques and malware and targets systems that do not support endpoint detection and response (EDR) solutions.
The researchers compiled a list of indicators of compromise (IOCs) linked to the investigated UNC5221 campaign and published them here.