Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Having entered the consumer PC silicon market at Computex 2026 with the RTX Spark superchip, Nvidia CEO Jensen Huang has confirmed the platform extends well beyond its first chip, with successor architectures already in planning under the internal codenames N2X and N3X.
Huang confirmed this during a Q&A session with Tom’s Guide at Computex 2026, where he also clarified that the current chip carries the N1X designation because a smaller companion variant, referred to internally as N1, is also in Nvidia’s product pipeline.
The RTX Spark platform itself launched with considerable hardware ambition, combining up to 20 Arm CPU cores with a Blackwell GPU carrying 6,144 CUDA cores and up to 128GB of unified LPDDR5X memory, a specification that Nvidia has positioned against Apple Silicon and Qualcomm’s Snapdragon X platforms in the premium Windows on Arm segment.
Huang framed the platform’s intended lifespan in notably domestic terms during the Q&A, comparing RTX Spark-powered systems to home theatre equipment that buyers keep for five to ten years, a framing that signals Nvidia’s expectation of long-term household penetration rather than rapid upgrade cycling.
Anti-cheat compatibility also remains one of the more consequential active challenges for the platform, with Huang noting that ensuring RTX Spark works reliably across the broader Windows ecosystem takes priority before gaming at scale becomes viable on the architecture.
On the question of a Spark-based gaming handheld, Huang stopped short of committing but left the door open, telling Tom’s Guide that if a hardware partner wanted to build one, Nvidia would work with them on it, a response that effectively makes OEM appetite the limiting factor rather than technical readiness.
Microsoft has already debuted the Surface Laptop Ultra around the RTX Spark chip, with Asus among the OEM partners also building hardware around the platform ahead of devices reaching retail.
Nvidia has not confirmed release windows or specifications for the N2X or N3X generations beyond Huang’s comments at Computex 2026.
A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD.
An investigation into the incident revealed that the threat actor had gained access to the victim network at least 18 months before detection, and had also compromised the victim organization’s managed services provider (MSP).
UNC5221 is also tracked as VerdantBamboo and has been involved in attacks that exploited zero-day vulnerabilities in edge devices since at least 2023.
The threat actor used the Brickstorm backdoor undetected in the environments of various targets in the United States for more than a year until the breaches were discovered around March 2025.
Researchers describe Brickstorm as “an advanced malware implant.” Initial variants were written in Golang, then new variants emerged, written in Rust.
In April 2024, Google documented UNC5221 activity using the backdoor, and then again in September 2025, describing attacks against legal services, software-as-a-service providers, business process outsourcers, and technology companies.
CISA warned about Brickstorm being deployed by Chinese hackers against VMware vSphere servers, and, more recently, Google reported that it was deployed by UNC6201 against Dell RecoverPoint for Virtual Machines.
Volexity researchers responding to an incident last year found that VerdantBamboo compromised an Egnyte Storage Sync system and accessed it periodically through the victim’s web SSL VPN.
From this foothold and using Brickstorm proxying features and stolen credentials, the threat actor accessed the organization’s Microsoft 365 environment.
“Volexity assesses with high confidence that this was done to blend in with legitimate network traffic and evade Conditional Access policies that would have otherwise prevented access,” the researchers said.
Later, Volexity discovered that the hackers had spent at least 18 months on the network before being detected. Furthermore, VerdantBamboo breached the organization again after the researchers completed the remediation efforts.
In the second intrusion, the attackers used stolen credentials to enable and configure SSL VPN access on the victim’s firewall, then connected to internal systems and deployed additional custom malware to a Synology NAS device.
This triggered an investigation at the customer’s MSP, where Volexity found that VerdantBamboo had planted a BSD variant of Brickstorm on a pfSense firewall.
“Volexity concluded that this firewall, like the victim organization’s Storage Sync system, had also been compromised at least 18 months earlier.”
The researchers have medium confidence that the attacker pivoted from the MSP into the victim organization’s environment.
Brickstorm was then deployed to the victim’s Egnyte Storage Sync appliance and to a retired Linux GroupWise email archive server.
Once the attackers returned a few days later and re-established access to the victim’s infrastructure, they deployed the custom malware Plenet to a Synology NAS appliance.
Plenet, also tracked as “Grimbolt” by Google, is a cross-platform .NET-based backdoor that offers interactive shell access, remote command execution, file manipulation, and command-and-control (C2) server switching.
The researchers note that Plenet is similar in design to Brickstorm, using the WebSocket protocol for C2 communications and a multiplexing library for simultaneous data streams to the server.
AgentPSD is a simple Python-based reverse shell utility that Volexity believes VerdantBamboo used as a fallback persistence mechanism if other malware was no longer accessible.
The researchers discovered that AgentPSD was configured to connect to a different domain than the one Brickstorm used. However, the malware was never used as Brickstorm was still running, which supports the assessment that AgentPSD was a secondary access mechanism.
During the investigation, Volexity tried to discover the infrastructure related to VerdantBamboo. The researchers created a fingerprint to identify IP addresses and domains Brickstorm used for C2 communication.
Although multiple machines were identified, the threat actor took the infrastructure offline before the researchers could reveal other systems.
“Between September 18 and September 23, all of the servers previously matching this pattern turned off their services on port 443.”
Around that time, Google also published a new report on Brickstorm’s activity, which may suggest that the attacker was aware of their operations being under investigation.
Volexity describes VerdantBamboo/UNC5221 as “a highly sophisticated threat actor” that mixes living-off-the-land techniques and malware and targets systems that do not support endpoint detection and response (EDR) solutions.
The researchers compiled a list of indicators of compromise (IOCs) linked to the investigated UNC5221 campaign and published them here.
Duck Detective studio Happy Broccoli is back with a creepy-cute mystery.
Apple Crumble is an eccentric attempted-murder mystery starring you and your closest family members, and it’s coming to Steam later in 2026. The new title from Duck Detective studio Happy Broccoli Games is an investigative walking sim about figuring out who’s trying to kill your grandmother at her 84th birthday celebration. Is it your mom? Your deluded uncle? The strange man in your bedroom? You? There’s a lot going on here, for such a small family gathering.
In Apple Crumble, you walk around your childhood home examining objects and talking with your weirdo family members, trying to uncover who’s behind the brewing grandma murder plot. It’s all a little bit Agatha Christie or Knives Out, with a touch of MOUTHWASHING for good measure, according to Happy Broccoli.
The game’s reveal video, which premiered in the Day of the Devs summer showcase, is delightfully dark and supremely silly, with a cartoonish 3D art style that looks like a lot of fun to poke around in. The whole thing looks like a cozy, sassy and slightly unnerving experience, perfect for those creepy-cute days.
Happy Broccoli’s Duck Detective: The Secret Salami is highly rated on Steam with a full 5 stars and nearly 5,000 positive reviews. It seems the biggest complaint about the game is the fact that it’s too short, which is actually a compliment if you look at it sideways. Duck Detective takes about two hours to complete, three if you’re leisurely quacking around, and Apple Crumble is 60 to 90 minutes in play time, according to Happy Broccoli Games. Prepare to lock in for a short-and-sweet mystery once again, complete with full voice acting and oddball characters.
Former OpenAI CTO Mira Murati made her first major public appearance in 18 months, previewing Thinking Machines Lab’s “interaction models” and arguing that the AI industry lacks structural governance checks. She also addressed researcher departures and reflected on the 2023 Altman firing.
For someone who helped ship ChatGPT, DALL-E, and Codex, Mira Murati has been remarkably quiet. On Thursday, she broke the silence. Sitting down with Bloomberg’s Emily Chang in San Francisco, the CEO of Thinking Machines Lab gave her first major media appearance in roughly 18 months, a carefully managed re-entry into a conversation that has moved at breakneck speed without her.
The timing was not accidental. Thinking Machines has spent that year and a half raising $2 billion, securing a gigawatt of Nvidia Vera Rubin compute, shipping one product, and losing a troubling number of the researchers it hired to build the next one. The AI landscape Murati left behind when she departed OpenAI in September 2024 looks nothing like the one she re-entered on Thursday.
Murati used the appearance to preview what Thinking Machines is calling “interaction models,” a fundamentally different kind of AI interface. Rather than the prompt-and-response format that defines most AI products, the company’s models are designed to process continuous streams of audio, text, and video in 200-millisecond intervals.
The pitch is that these models can pick up on the texture of human communication: interruptions, mid-thought corrections, pauses. The technical term is “full duplex,” and the company claims its TML-Interaction-Small model responds in 0.40 seconds, roughly the speed of natural conversation. It fits Thinking Machines’ founding thesis that powerful AI requires closer human collaboration, not less of it.
Murati was careful to frame this as a first step. She declined to put a release date on anything, and she positioned the work alongside Tinker, the company’s API for fine-tuning open-source models, which launched in October 2025 and remains its only shipping product.
Chang pressed Murati on what has quietly become the company’s most visible problem: a string of high-profile departures. Co-founder and CTO Barret Zoph, co-founder Luke Metz, and founding team member Sam Schoenholz all returned to OpenAI in January. Five founding members have gone to Meta, reportedly lured by compensation packages that reach into nine figures.
Murati downplayed the exits. Building a frontier AI lab from scratch compresses years of normal organisational volatility into months, she said. She acknowledged that the nine-figure packages now standard in the AI talent war capture imaginations, but suggested compensation is rarely the whole story.
“When I wake up in the morning, I am not thinking about how to kill the competitor,” she said, drawing laughter from the audience. The line was disarming, but the competitive reality is stark. OpenAI is everywhere. Anthropic has raised $30 billion and reportedly attracted investor offers at an $800 billion valuation. Elon Musk’s xAI has been folded into SpaceX ahead of a record IPO. In that environment, staying quiet has costs.
Chang asked about the episode that first made Murati a public figure: the chaotic five days in November 2023 when OpenAI’s board fired Sam Altman and Murati became interim CEO. Inside OpenAI, the incident came to be called “the blip.”
Murati said she felt clear about her decisions in each moment, that protecting the mission and the team was the thread that made the choices feel obvious even as the situation looked like it was falling apart from outside. She said the company would have “imploded” without her involvement through that stretch. But she acknowledged that clarity of intent is not the same as clarity about consequences, and said she would have pushed harder for more information, a better transition plan, and more transparency.
Asked whether she still trusts Altman, she sidestepped. What she offered instead was more interesting: a broader argument about the concentration of consequential decisions in too few hands, not just at OpenAI but across the industry. Her concern, she said, is less about the character of any individual leader and more about the absence of structural checks. Good people make bad calls. Well-intentioned organisations drift.
On the future of AI broadly, Murati pushed back on both the dystopian and utopian framings. Neither outcome is predetermined, she argued. The period we are in right now is the one that will determine which way things go.
But she returned, more than once, to a theme that connects her governance critique to her product philosophy: if humans take their hands off the wheel too soon, the future will look very different, and not better. It is a position that sits comfortably with her company’s thesis about human-AI collaboration. Whether it can survive contact with a market that rewards speed, scale, and tens of billions in capital over caution is the question Murati did not answer on Thursday.
She does not need to answer it yet. But with one product shipping, a team that keeps shrinking at the top, and competitors that grow louder by the week, the window for quiet conviction is closing.
There are dozens of LED hair-growth gadgets on the market, ranging from a $50 product on AliExpress that’s been shopped onto a model to comically bad effect to the $2,500 Capillus Spectrum, which boasts an aggressive array of laser diodes. Contrary to what I would have suspected, women are actually the current dominant consumer group for LED hair-regrowth therapy. As it was explained to me, women are accustomed to spending money on their appearance, and thinning hair is often experienced as a crisis. Men, on the other hand, tend to take the path I did and buzz it all off, then go about their day.
Photograph: Martin Cizmar
I agreed to test the FDA-cleared GroWell, which sits in the middle of the price range at $550. It contains a total of 63 diodes, including 24 lasers and 39 LEDs. Beyond its attractive price point, comfortably between sketchy drop shippers and well-marketed products that cost nearly as much as the top-end MacBook Pro, the GroWell stands out for offering treatment at a level supported by clinical research without an overkill approach that can be counterproductive.
Also, unlike the helmet-style caps on the market, it’s an insert attached to a control unit with a small 1,800 mAh Li-ion battery, which GroWell says should be good for several years of regular use. Because it’s in three small pieces (a control pack that’s the size of an old Motorola Razr, a USB-C cord, and a flat pad that’s only as thick as a piece of cardboard), it’s easy to fold up and pack on a trip. That’s clutch, as you don’t want to miss treatments when traveling. (Note that if you stop using the device, your follicles will return to their previous state.)
It couldn’t be easier to use: Tuck the light pad inside the provided cap or one of your own, connect it via USB-C to the control module, and press the button. It will light up for the next 25 minutes while you go about your business. Because it goes in your own hat, the fit may not be perfect, and I did find myself adjusting it a bunch, which probably wouldn’t happen with some of the helmet-style devices.
In a 2013 study, the levels and duration provided by GroWell with every other day of use over 16 weeks helped everyone who participated in the study regrow some hair, on average 35 percent more for men and 37 percent for women. The same study showed that using more powerful lasers for longer may actually stunt growth a bit. I’m only estimating here, but I would guess I have at least 30 percent more hair than I would have without the treatment, and maybe more.
A couple of years after petitioning the European Commission to address Microsoft’s “dark patterns” that limit consumer choice, the Browser Choice Alliance is taking a more confrontational stance. The coalition of browser developers has warned Microsoft that enough is enough, urging the company to fundamentally change its approach to the…
Brave says its new “Origin” package delivers a premium web experience, but the one-time fee applies to all supported platforms except Linux. The San Francisco-based company developed Origin in response to user demand, pitching it as a fast, private browsing tool, and a new way to financially sustain the broader…
Blackstone-backed AirTrunk plans to invest $30 billion in India by 2030, building 5GW of data centre capacity across multiple states. The announcement comes six weeks after AirTrunk entered India through its acquisition of Lumina CloudInfra.
Six weeks ago, AirTrunk did not operate in India. Now it wants to spend $30 billion there.
The Blackstone-backed hyperscale data centre operator announced on Thursday that it plans to invest more than INR 3,000 billion ($30 billion) in India by 2030, building over 5 gigawatts of digital infrastructure capacity across multiple states and union territories. The figure represents planned spending, not committed capital, and the four-year timeline leaves considerable room for adjustment. Still, if executed, the programme would rank among the largest digital infrastructure commitments in the country’s history.
Prime Minister Narendra Modi publicly welcomed the commitment, saying it would strengthen India’s position as a global hub for cloud computing and AI. The endorsement followed meetings between AirTrunk founder and CEO Robin Khuda and federal and state government officials in Maharashtra and Andhra Pradesh.
AirTrunk entered India in April through the acquisition of Lumina CloudInfra, which gave it a 600-megawatt development pipeline across Mumbai, Chennai, and Hyderabad. The new $30 billion plan represents a dramatic escalation of that position.
The centrepiece is a 3GW campus at the Raigad Penn Growth Centre on the outskirts of Mumbai, for which AirTrunk has signed a letter of intent for land allotment with the Maharashtra government. According to a single industry report, that project alone carries an estimated price tag of $21 billion, though the figure has not been confirmed by AirTrunk or the Maharashtra government.
“Capital is mobile, and India is creating the conditions for it to thrive,” Khuda said. “India is taking a top-down approach to AI with clear government-led initiatives, a world-class talent pool, and massive availability of renewable energy.”
India’s data centre market has been accelerating since 2024, but the pace of new commitments in 2026 has been extraordinary. Google has pledged $15 billion for a southern Indian data centre hub. Microsoft has committed $17.5 billion. Amazon is targeting up to $35 billion by 2030. The Adani Group has reportedly outlined a $100 billion programme through 2035, including a 5GW renewable-powered hyperscale platform, though those figures come from industry reports rather than a formal company commitment.
The government has matched the private capital with policy. India’s February budget introduced a 20-year tax holiday through 2047 for foreign technology firms using Indian data centres for global cloud services. The IndiaAI Mission has received approximately £1 billion ($1.2 billion) in funding, and the India Semiconductor Mission has been backed with approximately £7.5 billion ($9 billion).
AI-related colocation leasing more than doubled to 348MW in the past year, now accounting for nearly 20% of total demand. Between March 2025 and April 2026, operators announced roughly 30 large projects adding about 3.5GW of planned capacity across the country. Schneider Electric expects its India data centre business to become its single largest unit within three to five years.
AirTrunk is the vehicle through which Blackstone is making its largest infrastructure play in the Asia-Pacific region. The private equity giant acquired AirTrunk in December 2024 for an implied enterprise value of over A$24 billion ($16 billion), alongside Canada Pension Plan Investment Board, which took a 12% stake. It was the largest data centre transaction in history at the time.
Blackstone has since been expanding AirTrunk’s footprint aggressively. The platform now spans more than 3GW of operating and planned capacity across 20 campuses in six regions: Australia, Singapore, Japan, Malaysia, Hong Kong, and India. Separately, Blackstone is seeking up to $1.75 billion in a NYSE IPO for its Digital Infrastructure Trust, packaging hyperscaler-leased AI data centres as a public REIT.
The India push fits a clear pattern. Blackstone had already committed approximately $11 billion to Indian data centres through Lumina before the AirTrunk acquisition. The new $30 billion figure nearly triples that exposure.
The numbers are staggering, but so is the gap between announcements and operational capacity. India’s total live IT capacity exceeded 1.6GW by the end of 2025, the product of years of cumulative buildout. Just 371MW was added in 2025 alone. AirTrunk’s proposed 5GW, combined with the commitments from Google, Microsoft, Amazon, and Adani, would require India to build more capacity in the next four years than it has built in its entire history, several times over.
The discussions between Khuda and government officials reportedly focused on precisely the bottlenecks that could slow that buildout: access to reliable and cost-effective power, renewable energy, sustainable water supply, talent development, streamlined approvals, and coordination between state and federal governments on strategic infrastructure.
India is not the only country chasing hyperscale AI infrastructure investment. Malaysia, Saudi Arabia, and several European nations are offering competing incentive packages. AirTrunk itself recently expanded its Malaysian platform to over 700MW. The $30 billion figure signals intent, but the timeline to 2030 leaves room for the kind of recalibration that large infrastructure programmes routinely undergo.
What is not in question is the direction of travel. Whether the final number is $30 billion or something smaller, India is rapidly becoming one of the world’s primary construction sites for the physical infrastructure that AI requires. The question is whether the country’s grid, water supply, and planning systems can keep pace with the capital flooding in.
Ahead of its upcoming IPO, SpaceX announced that Google will pay the company $920 million per month for access to roughly 110,000 Nvidia GPUs and related compute infrastructure. Google says the agreement is short-term “bridge capacity” to meet stronger-than-expected demand for Gemini Enterprise, while SpaceX is using deals like this and its Anthropic contract to bolster its pitch for a historic public offering. TechCrunch reports: The deal is similar in length and scope to the one SpaceX announced with Anthropic in late May. As part of that deal, Anthropic agreed to pay SpaceX $1.25 billion per month through 2029 to rent all the available compute from its Colossus 1 data center near Memphis, Tennessee that xAI — now part of SpaceX — originally built for its own artificial intelligence efforts.
Google’s deal appears to be paying for roughly half the amount of compute that Anthropic has access to at Colossus 1. SpaceX didn’t say which specific data center Google would be using. CEO Elon Musk has previously suggested his company would reserve the Colossus 2 data center for xAI. Anthropic was significantly limited in its compute capacity prior to its deal with SpaceX, raising usage limits on the same day the deal was announced. Google is in a very different position, with some estimates naming it as the world’s largest single owner of AI compute.
[…] Also like the Anthropic deal, the agreement with Google includes a cancellation clause. Both SpaceX and Google have the option to terminate the agreement with 90 days notice after December 31, 2026. Google’s access to the data center will ramp up “through September at a reduced fee,” according to the filing. “If we fail to deliver access to the committed amount of GPUs by September 30, 2026, then following a one-month grace period, Google may immediately terminate the agreement or accept the number of GPUs provided” with a reduction in the monthly fees, it reads.
Meta’s AI support agent bound recovery emails to accounts for whoever asked, and SOCs never saw an alert. An authorized agent writes a log of legitimate transactions, so nothing in the detection stack fired. Attackers asked the bot to make the change, took the one-time code it sent, and ran the password reset, 404 Media reported.
No malware, no stolen credentials, and no prompt injection in the sense most security teams drill for. The agent did exactly what Meta built it to do. That is what should keep a security operations leader up at night: The takeover did not break a control; it rode one that was already trusted.
What a SOC needs is a way to walk each recovery path through an audit grid with its AI build team before the next renewal closes. The AI Authority Audit Grid at the end of this article maps every authentication write a support agent can make on the recovery path, what Meta’s incident proved about each one, why it stays dark to the SOC, and the control that closes it.
From inside the detection stack, the attack produced no signal the stack could read. The agent binds a new email, then resets the password, and identity and access management logs both writes as an authorized actor, so each lands in the authentication state as a legitimate transaction. No anomalous login, no failed-auth spike, nothing for EDR or DLP, no SIEM rule to match, because nothing in the sequence looks like an attack. The takeover lived inside the trust boundary the stack assumes is safe. There is no foothold to find, because the agent was the foothold, and it was supposed to be there.
The chain was almost insulting in its simplicity. Brian Krebs documented the version pro-Iran hackers posted to Telegram on May 31. The attacker switched on a VPN to appear in the victim’s region, sidestepping Instagram’s location alarms, then asked the support assistant to add a new email and send a verification code, as the BBC confirmed from the same recordings. The bot complied, sending the one-time code straight to the attacker, Gizmodo reported. The reset finished and the owner was locked out, in minutes. The exploit failed against any account with MFA enabled, according to Krebs.
The hijacked accounts were not soft targets. They included Sephora, U.S. Space Force senior enlisted leader Chief Master Sergeant John Bentivegna, researcher Jane Manchun Wong, and a dormant Obama White House handle that briefly posted a defaced image, according to 404 Media. Meta disputes the Obama account, according to TechCrunch, and called claims that leaders’ accounts were breached “completely false,” according to the BBC. The rest stand.
The detail that decided who survived was narrow. Krebs reported the attack failed against any account with multifactor authentication, even SMS. The recovery path beside it was the gap. When that path asked for a selfie video, attackers ran the target’s public photos through an AI video generator and submitted the clip, which Meta accepted as valid identity verification, gHacks reported. Either way the failure was the recovery door, not the login door MFA guards.
That makes this an architecture problem, not a Meta problem. MFA gates the login path for owner and attacker alike, but the recovery path runs beside it, built to relax the usual checks because it exists for the moment a user has lost the normal way in. Meta put an agent on that path with write access to authentication state and no deterministic check between a convincing request and a committed change. Authorization cannot live inside the model, because a conversational system can be talked into skipping a check. It has to live outside the model, in a gate the agent cannot reason its way past. Security researchers have a name for this pattern, the confused deputy, a trusted system tricked into spending its privileges on an attacker’s behalf.
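The gate this paragraph calls for, sketched as an added example (not Meta's code or any vendor's API): the agent can only propose an email rebind, the approval token goes to the existing verified address, the approval is bound to the exact action, and an accepted change is held for a reversibility window while the old address is notified. `PolicyGate`, its method names, the TTL and hold values, and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

CONFIRM_TTL = 600         # seconds an owner confirmation stays valid (assumed value)
HOLD_SECONDS = 24 * 3600  # reversibility window before a rebind applies (assumed value)


class Clock:
    """Injectable clock so the hold and expiry logic can be exercised offline."""
    def __init__(self, t=1_000_000):
        self.t = t

    def __call__(self):
        return self.t


class PolicyGate:
    """Hypothetical policy service that sits between the support agent and
    authentication state. The agent may only call propose_rebind()."""

    def __init__(self, accounts, clock):
        self.accounts = accounts            # account_id -> current verified e-mail
        self.clock = clock
        self.key = secrets.token_bytes(32)  # signing key never leaves the gate
        self.outbox = []                    # (recipient, kind, body): stand-in for mail delivery
        self.used = set()                   # spent tokens, for replay protection
        self.held = {}                      # account_id -> (new_email, effective_at)
        self.audit = []                     # every decision, shipped to the SOC

    def _mac(self, account_id, new_email, issued):
        # Approval is bound to the exact action: account, operation, new value, time.
        msg = json.dumps([account_id, "email_rebind", new_email, issued]).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def propose_rebind(self, account_id, new_email):
        """Agent entry point. The token goes to the EXISTING contact only."""
        issued = self.clock()
        token = f"{issued}:{self._mac(account_id, new_email, issued)}"
        self.outbox.append((self.accounts[account_id], "confirm", token))
        return self._log(account_id, new_email, "pending_owner_confirmation")

    def commit_rebind(self, account_id, new_email, token):
        """Runs only with the token the owner received out-of-band."""
        verdict = self._check(account_id, new_email, token)
        if verdict == "ok":
            self.used.add(token)
            self.held[account_id] = (new_email, self.clock() + HOLD_SECONDS)
            # Notify the old address the moment a change is accepted.
            self.outbox.append((self.accounts[account_id], "notice",
                                f"rebind to {new_email} pending"))
            verdict = "held"
        return self._log(account_id, new_email, verdict)

    def _check(self, account_id, new_email, token):
        try:
            issued_s, mac = token.split(":")
            issued = int(issued_s)
        except ValueError:
            return "deny:malformed_token"
        expected = self._mac(account_id, new_email, issued)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "deny:not_approved_for_this_action"
        if token in self.used:
            return "deny:replay"
        if self.clock() - issued > CONFIRM_TTL:
            return "deny:expired"
        return "ok"

    def cancel(self, account_id):
        """Owner reacts to the notice: drop the held change."""
        return self.held.pop(account_id, None) is not None

    def finalize(self, account_id):
        """Apply a held rebind only after the reversibility window has passed."""
        new_email, effective_at = self.held.get(account_id, (None, 0))
        if new_email is None or self.clock() < effective_at:
            return False
        self.accounts[account_id] = new_email
        del self.held[account_id]
        return True

    def _log(self, account_id, new_email, verdict):
        self.audit.append((self.clock(), account_id, new_email, verdict))
        return verdict


def demo():
    """Constructed scenario: the agent relays a rebind request it cannot commit."""
    clock = Clock()
    gate = PolicyGate({"acct-1": "owner@example.com"}, clock)
    results = [gate.propose_rebind("acct-1", "attacker@example.net")]
    # The requester never received the token, so any commit attempt is a guess.
    results.append(gate.commit_rebind("acct-1", "attacker@example.net", "0:00"))
    results.append(gate.accounts["acct-1"])
    return results
```

Every decision lands in `gate.audit` with a verdict, so a denied or held rebind is a distinct event the SOC can alert on rather than one more authorized write.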
This is not the last support agent that will hand over an account. Ian Goldin, a threat researcher at Lumen’s Black Lotus Labs, told Krebs on Security that AI bots are as easy to social engineer as the human agents they replace, and just as eager to help. “AI chatbots create interesting new attack surface, and we’re likely going to see a lot more of these kinds of attacks,” Goldin said. Every enterprise wiring an agent into a recovery, provisioning, or password flow is shipping the same write access Meta did.
Simon Willison, who coined the term prompt injection, put it plainly on his blog. “Meta really did wire their support system into an AI chatbot that had the ability to fast-forward through the entire account recovery process,” he wrote. “This one hardly even qualifies as a prompt injection. Don’t wire your support bot up to allow one-shot account takeovers.” The attacker never tricked the agent. The attacker asked, and the agent had untrusted input, write access, and a way to execute, all at once.
OWASP named this class before Meta shipped it, as Excessive Agency at LLM06 and Identity and Privilege Abuse at ASI03 in the Agentic AI Top 10. The warning label was on the box: Meta pushed the assistant to every Facebook and Instagram account in March, according to 404 Media, with the power to reset passwords and handle recovery, the product page promising “solutions, not just suggestions” under the line “account security and recovery.” Meta gave the agent the power and never built the gate to govern it.
Security operations leaders need to run this against their own support agent before the next renewal closes. Each row is an authentication write the agent makes on the recovery path, with what Meta proved, why your stack misses it, and the control that closes it.
| Authentication write | What Meta proved | Why your stack misses it | Enterprise control and owner |
| --- | --- | --- | --- |
| Login authentication (MFA, factor prompts) | Held on login. Accounts with any MFA enabled, even SMS, survived (Krebs). The gap was the recovery path beside it. | MFA gates the login path for owner and attacker alike. It does not gate the recovery path beside it. | Enforce MFA as the baseline and extend step-up verification to the recovery path, the same standard login gets (OWASP). A selfie video is not proof of identity. Any agent that operates on a path MFA does not cover fails the audit. Owner: IAM. |
| Email rebind | Full takeover. The agent bound attacker-controlled emails on request, taking Sephora and a U.S. Space Force account (404 Media). | IAM logs the agent as an authorized actor, so the rebind reads as a legitimate transaction and no alert reaches the SOC or the account owner. | Confirm out-of-band to the existing verified contact before any rebind commits, gated outside the model, and notify the old address the moment it changes (IBM). An agent that rebinds without confirming the old address fails. Owner: IAM and platform engineering. |
| Password reset | Full takeover in minutes. Researcher Jane Manchun Wong was among the affected accounts (404 Media). | The reset runs on the recovery path, outside the login MFA check, so no factor prompt fires and no detection rule triggers. | Require a second non-email factor before any reset completes. NIST dropped email as a valid out-of-band channel (NIST 800-63B). An agent reset must clear the same gate a human reset does. Owner: IAM. |
| Recovery-method change | Persistent lockout. Victims could not self-recover. The support loop offered only AI with no human escalation (BleepingComputer). | A silent swap of the recovery email or phone removes the owner’s re-entry path with no SOC visibility. | Require step-up review on any change, notify the prior method, and grant time-delayed, reduced-scope access after recovery so a swap never hands over instant control (Authsignal). Keep a human escalation path the agent cannot close. Owner: GRC and IT operations. |
| Account-action execution | Speed risk. A dormant Obama White House handle briefly showed a defaced image during the spree, an account Meta disputes was taken this way (TechCrunch). | The agent executes irreversible state changes in seconds with no human in the loop and no reversibility window. | Separate decision from execution. The agent only proposes the action. A policy service validates scope and approval before it runs, with approval bound to the exact action (OWASP). No auth-state write commits without that gate and a reversibility window. Owner: platform engineering and the AI build team. |
|
Agent action logging |
Detection gap. The takeover left no alert, and Meta has not published how many accounts fell before the patch (TechCrunch). |
Without per-action telemetry piped to the SIEM, an authorized-agent takeover is invisible to the SOC. |
Emit structured decision metadata for every auth-state write into the SIEM: action class, authorization outcome, approval ID, result, policy version (OWASP). A write your SIEM cannot see is a write you cannot defend. Owner: SOC and detection engineering. |
The fix is not bolting yet another MFA prompt onto the login screen. The people who survived Meta’s incident were the ones who already had that control in place.
The fix is pulling authorization out of the recovery path’s honor system and putting it behind a gate that does not move just because a prompt sounds convincing. Build the agent so the SOC sees every write it makes, and so any write that changes who owns an account cannot commit without a check that the model does not control.
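A sketch of that gate, added here as an illustration and not taken from Meta, OWASP or any vendor: the agent only proposes, a policy service outside the model binds approval to the exact action, and every decision emits the five fields the table lists. The key, policy version label, account ID, addresses and function names are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json

POLICY_VERSION = "constructed-v1"      # assumed label for this example
GATE_KEY = b"constructed-demo-key"     # held by the policy service, never the model
AUTH_WRITES = {"email_rebind", "password_reset", "recovery_method_change"}

def _digest(action):
    # Canonical hash of the exact proposed action, so approval cannot be reused.
    return hashlib.sha256(json.dumps(action, sort_keys=True).encode()).hexdigest()

def issue_approval(action, confirmed_out_of_band):
    """Step-up flow: mint an approval ID only after the existing contact confirms."""
    if not confirmed_out_of_band:
        return None
    return hmac.new(GATE_KEY, _digest(action).encode(), hashlib.sha256).hexdigest()

def gate(action, approval_id, siem):
    """Validate the agent's proposal outside the model and log the decision."""
    if action.get("action_class") not in AUTH_WRITES:
        outcome = "deny_out_of_scope"
    elif not approval_id:
        outcome = "deny_no_approval"
    elif not hmac.compare_digest(approval_id, issue_approval(action, True)):
        outcome = "deny_approval_mismatch"
    else:
        outcome = "allow"
    siem.append({
        "action_class": action.get("action_class"),
        "account": action.get("account"),
        "authorization_outcome": outcome,
        "approval_id": approval_id,
        "result": "committed" if outcome == "allow" else "blocked",
        "policy_version": POLICY_VERSION,
    })
    return outcome == "allow"

def run_demo():
    siem = []  # stand-in for the SIEM pipeline
    confirmed = {"action_class": "email_rebind", "account": "acct-1001",
                 "new_email": "owner-new@example.test"}       # constructed
    approval = issue_approval(confirmed, confirmed_out_of_band=True)
    swapped = dict(confirmed, new_email="someone-else@example.test")
    results = [gate(confirmed, approval, siem),   # approved action commits
               gate(swapped, approval, siem),     # same approval, different target
               gate(swapped, None, siem)]         # agent proposes with no approval
    return results, siem

if __name__ == "__main__":
    print(run_demo())
```

Because the approval ID is derived from a hash of the whole proposal, an approval obtained for one target address cannot be replayed for another, and the blocked attempts still reach the SIEM.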
Meta just showed what happens when the most trusting employee on the team is also the one holding the keys. The next agent like that is already reading your intellectual property and financials.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers.
Serv-U is the company’s Windows and Linux file transfer software that offers Managed File Transfer (MFT) and FTP server capabilities, which allow users to securely exchange files via HTTP/HTTPS, FTP, FTPS, and SFTP.
SolarWinds released Serv-U 15.5.4 Hotfix 1 on Thursday to patch this denial-of-service vulnerability (tracked as CVE-2026-28318) and said it stems from an uncontrolled resource consumption weakness.
“SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate,” the company said.
Remote attackers can exploit the security flaw without privileges in low-complexity attacks that don’t require user interaction.
SolarWinds also advised admins who can’t immediately deploy the patch to limit access to known addresses and to block any POST request containing “content-encoding,” since the vulnerable Serv-U service does not require this functionality.
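The two interim mitigations expressed as filter logic, as an added example that is not SolarWinds code or configuration: it allows only known source addresses and rejects any POST that carries a Content-Encoding header, whatever its case or value. The networks, host name, paths and request heads are constructed for the example.

```python
import ipaddress

# Constructed stand-in for the "known addresses" the advisory says to allow.
KNOWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def parse_head(raw):
    """Return (method, lower-cased header names) from a raw HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    names = set()
    for line in lines[1:]:
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.strip().lower())  # header names are case-insensitive
    return method, names

def decide(src_ip, raw):
    """Apply both interim mitigations; return (allowed, reason)."""
    if not any(ipaddress.ip_address(src_ip) in net for net in KNOWN_NETS):
        return False, "source not in known addresses"
    method, names = parse_head(raw)
    if method == "POST" and "content-encoding" in names:
        return False, "POST carries Content-Encoding"
    return True, "ok"

# Constructed request heads (no bodies), paired with constructed source addresses.
SAMPLES = [
    ("192.0.2.10", b"POST /upload HTTP/1.1\r\nHost: ftp.example.test\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.10", b"POST /upload HTTP/1.1\r\nHost: ftp.example.test\r\ncontent-ENCODING: gzip\r\n\r\n"),
    ("192.0.2.10", b"GET / HTTP/1.1\r\nHost: ftp.example.test\r\n\r\n"),
    ("203.0.113.5", b"POST /upload HTTP/1.1\r\nHost: ftp.example.test\r\n\r\n"),
]

def run_samples():
    return [decide(ip, raw) for ip, raw in SAMPLES]
```

Matching on the header name alone follows the vendor's wording: the rule blocks the header entirely instead of one specific value, so a differently cased or differently valued header is still rejected.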
The Internet intelligence platform Shodan currently tracks over 12,000 Serv-U servers exposed online, and Internet security watchdog Shadowserver just over 3,100, but there is no information on how many have already been patched.
Days after SolarWinds addressed the vulnerability, CISA flagged it as exploited in the wild and added it to the Known Exploited Vulnerabilities Catalog, ordering all Federal Civilian Executive Branch agencies to patch their servers against ongoing attacks by June 19, as mandated by Binding Operational Directive (BOD) 22-01.
While BOD 22-01 applies only to U.S. government agencies, the cybersecurity agency also urged all network defenders, including the private sector, to secure their networks against ongoing CVE-2026-28318 attacks as soon as possible.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
In recent years, multiple cybercrime and state-backed hacking groups have targeted vulnerabilities in Serv-U to steal sensitive corporate and customer data.
For instance, the Clop ransomware gang exploited a Serv-U remote code execution vulnerability (CVE-2021-35211) to breach corporate networks in a 2021 campaign. DEV-0322 Chinese hackers also deployed CVE-2021-35211 exploits in zero-day attacks starting in July 2021.
More recently, in June 2024, cybersecurity companies GreyNoise and Rapid7 tagged a Serv-U path-traversal vulnerability (CVE-2024-28995) as actively exploited.
Over the past several years, CISA has tagged 11 vulnerabilities across various SolarWinds products as actively exploited in attacks, one of which has also been abused by ransomware gangs.