According to a joint report by the Google Mandiant and Google Threat Intelligence Group, a suspected China-related threat cluster identified as "UNC6201" has been actively seeking to exploit a maximum severity, zero-day vulnerability within Dell RecoverPoint for Virtual Machines, since approximately the middle of 2024.
The vulnerability which has been assigned as CVE-2026-22769 has a critical CVSS score of 10.0 and originates from the presence of hard-coded administrator credentials for the Apache Tomcat Manager. An unauthenticated remote attacker who knows the credential can authenticate to the Tomcat Manager, upload a malicious web shell named SLAYSTYLE via the /manager/text/deploy endpoint, and gain root-level access to the appliance's underlying operating system.
From there, UNC6201 deploys two C# backdoors:
1. BRICKSTORM (an older version of the attack tool)
2. GRIMBOLT (a new version of the attack tool that is AOT-compiled for stealthy operation and integrated with existing files on the system)
According to Mandiant, GRIMBOLT is clearly an evolution of BRICKSTORM by providing more stealth, fewer forensic artifacts, and better blending with legitimate processes. The transition from BRICKSTORM to GRIMBOLT started to occur sometime after September 2025; it is not certain if this was a planned change or the result of public disclosure related to BRICKSTORM.
Overview of the attack chain
1. Initial access likely via edge appliances or virtualization platforms (consistent with UNC6201's known tactics and overlaps with UNC5221).
2. Exploitation of CVE-2026-22769 to upload SLAYSTYLE web shell.
3. Usage of root access for obtaining drops of BRICKSTORM/GRIMBOLT malware.
4. Deployment of temporary "ghost" network interfaces (virtual NICs) to pivot into internal networks or SaaS environments, as well as deletion of the NIC(s) afterwards to erase tracks.
5. Use of iptables rules to track ports 443 traffic for an exact HEX string, whitelist source IP addresses and silently reroute permitted connections to port 10443 for 5 minutes, creating a hidden callback channel.
Affected versions (all RecoverPoint for Virtual Machines):
a) 5.3 SP4 P1 → migrate to 6.0 SP3 → upgrade to 6.0.3.1 HF1
b) 6.0 through 6.0 SP3 P1 → upgrade to 6.0.3.1 HF1
c) 5.3 SP4 and earlier → upgrade to 5.3 SP4 P1 or 6.x → apply remediation
RecoverPoint Classic and other Dell products are not affected. Dell stresses that RecoverPoint should never be exposed to untrusted networks, deploy it behind strict firewalls and segmentation only.
Attribution & Context
UNC6201 shares tooling and tactics with UNC5221 (also China-nexus, known for Ivanti zero-days and virtualization exploits) and has loose ties to Warp Panda (via BRICKSTORM use). At this moment, these three categories can certainly be viewed as their own respective clusters; however, they also point to a more general trend of Chinese espionage focusing on virtualization, edge devices and, backup and recovery platforms - all of these systems often have no EDR coverage and offer attackers higher privileged footholds.
As with some other offensive action by China (such as Volt Typhoon targeting Sierra Wireless gateways in OT environments), this attack pattern continues to demonstrate that adversaries were attempting to capitalize on appliances that do not fall under traditional endpoint monitoring in order to have the ability to maintain long term dwell time with the potential for lateral movement.
Immediate action to remediate
1. Immediately upgrade to RecoverPoint for VMs 6.0.3.1 HF1
2. Migrate if you are still running an older version as instructed by Dell.
3. Audit the Tomcat Manager exposure and audit for hard-coded credentials
4. Search for the SLAYSTYLE web shells, BRICKSTORM/GRIMBOLT indicators, suspicious iptables rules and Ghost NIC activity.
5. Isolate RecoverPoint appliances; enforce strict network segmentation.
6. Monitor for unexpected port 10443 traffic or Tomcat Manager access.
As Mandiant's Charles Carmakal noted: "Nation-state actors continue targeting systems without traditional EDR, making detection extremely difficult and dramatically extending intrusion dwell times." For organizations running critical recovery platforms, this is a high-priority patch-and-hunt scenario.
Source: The Hacker News