Chinese-Linked UNC6201 Exploits Critical Dell RecoverPoint Zero-Day to Deploy GRIMBOLT Backdoor, Researchers Warn

On February 18, 2026, security researchers from Mandiant and the Google Threat Intelligence Group (GTIG) disclosed detailed findings on the long-running exploitation of a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines. The vulnerability, tracked as CVE-2026-22769, has been actively exploited since at least mid-2024 by a sophisticated cyber espionage actor cluster known as UNC6201, which is strongly suspected to be tied to a People’s Republic of China (PRC) nexus.

The implications of this campaign are severe: uninterrupted unauthorized access, stealthy persistence, lateral movement across virtual environments, and deployment of advanced malware families including SLAYSTYLE, BRICKSTORM, and a newly observed backdoor called GRIMBOLT.


The Vulnerability: CVE-2026-22769 — Critical Hardcoded Credentials

The heart of the exploitation lies in a vulnerability classified as CVE-2026-22769, which affects Dell RecoverPoint for Virtual Machines prior to version 6.0.3.1 HF1 and certain older 5.3 service pack builds. This flaw has been assigned a CVSS v3.1 score of 10.0, indicating maximum severity.

At a technical level:

  • The appliance includes embedded Apache Tomcat Manager functionality for administrative tasks.
  • Within Tomcat’s configuration (tomcat-users.xml), there are hardcoded default credentials for an administrative account.
  • An attacker who knows these credentials can remotely authenticate without any prior access, granting control over the Tomcat Manager interface.

Exploitation typically occurs with HTTP requests to the Tomcat Manager’s deployment endpoint (/manager/text/deploy), enabling the remote installation of a malicious WAR file (web application archive) containing a backdoor payload. Once executed, this yields root shell access on the appliance — effectively breaking out to the underlying operating system.
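Because the flaw is an account with Manager roles baked into tomcat-users.xml, one useful defensive check is to enumerate every account that file grants Manager access to, including roles inherited through groups, so that any account the operator did not create can be raised with the vendor and the appliance patched. The script below is an added example, not Dell's, Mandiant's or GTIG's code; the sample tomcat-users.xml and every username and password in it are constructed placeholders, not the credentials described in the advisory.

```python
"""Enumerate tomcat-users.xml accounts that can reach the Tomcat Manager application.

Added example for this article. The XML below is a constructed sample; usernames and
passwords are placeholders and are NOT the hardcoded credentials behind CVE-2026-22769.
"""
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager web applications (documented Tomcat roles).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}

# Constructed sample: one account with direct Manager roles, one account that inherits a
# Manager role through a group, and one ordinary account that should not be reported.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="manager-status"/>
  <role rolename="reporting"/>
  <group groupname="monitoring" roles="manager-status"/>
  <user username="appliance-admin" password="PLACEHOLDER-1" roles="manager-script,manager-gui"/>
  <user username="svc-monitor" password="PLACEHOLDER-2" groups="monitoring"/>
  <user username="reports" password="PLACEHOLDER-3" roles="reporting"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.split("}")[-1]


def _split_list(attr):
    """Parse a comma-separated attribute value into a set of non-empty names."""
    return {item.strip() for item in (attr or "").split(",") if item.strip()}


def find_manager_accounts(xml_text):
    """Return [(username, sorted privileged roles)] for every <user> whose effective roles,
    direct or inherited via <group>, intersect MANAGER_ROLES. Document order is preserved."""
    root = ET.fromstring(xml_text)

    # First pass: collect group -> roles so group membership can be expanded.
    group_roles = {}
    for el in root.iter():
        if _local(el.tag) == "group":
            group_roles[el.get("groupname")] = _split_list(el.get("roles"))

    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = _split_list(el.get("roles"))
        for group in _split_list(el.get("groups")):
            roles |= group_roles.get(group, set())
        privileged = sorted(roles & MANAGER_ROLES)
        if privileged:
            findings.append((el.get("username"), privileged))
    return findings


if __name__ == "__main__":
    for username, roles in find_manager_accounts(SAMPLE_TOMCAT_USERS):
        print(f"Manager-capable account: {username!r} via roles {', '.join(roles)}")
```

Run it against the appliance's real tomcat-users.xml (path depends on the Tomcat installation) and compare the output with the accounts your team actually provisioned; the remediation for this CVE is the vendor upgrade, but the listing tells you which accounts to disable or rotate in the meantime and which Manager logins to hunt for in the access logs.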


Threat Actor: UNC6201 and Operational Timeline

The threat actor behind this campaign — UNC6201 — has been active since at least mid-2024, remaining undetected while embedding into victim environments.

Profile of UNC6201 activity:

  • Initial Access: Although the exact initial access vector in each compromise is unclear, UNC6201 has a known preference for targeting edge appliances (e.g., VPN concentrators) to gain an initial foothold.
  • Persistent Exploitation: Once a foothold is achieved via the Tomcat Manager exploit, UNC6201 deploys a web shell named SLAYSTYLE to maintain command execution capability on the appliance.
  • Malware Transition: Around September 2025, researchers observed older BRICKSTORM backdoor binaries being replaced with a new backdoor family, GRIMBOLT — indicating deliberate evolution of tools or adaptation to defensive pressure.

This long timeline underscores the stealthy nature of the campaign and why persistent monitoring and detection are essential.


Malware Families Deployed

SLAYSTYLE Web Shell

The first stage after exploitation often involves deploying SLAYSTYLE, a web shell packaged inside a WAR archive. The malicious WAR gives the attacker remote command execution on the appliance via the existing Tomcat interface.

Key technical properties:

  • Java-based web shell inside a deployed WAR file.
  • Offers interactive remote command execution.
  • Installed via the Tomcat Manager deployment endpoint, authenticating with the hardcoded credentials rather than with any access the attacker had to obtain first.

BRICKSTORM

Previously observed in earlier campaign stages, BRICKSTORM is a C#-based foothold backdoor that registers with the threat actor’s command-and-control infrastructure.

It typically:

  • Provides persistent remote access.
  • Uses encrypted communications to the operator’s infrastructure.
  • Serves as a stable long-term access mechanism.

GRIMBOLT: The Next-Generation Backdoor

The newer backdoor — GRIMBOLT — represents a significant shift in sophistication.

Technical features:

  • Written in C#, similar to BRICKSTORM.
  • Compiled using native Ahead-Of-Time (AOT) compilation, bundling all libraries and minimizing dependency on runtime environments.
  • Packed with UPX, making static analysis harder for defenders.
  • Provides a remote shell and uses the same C2 infrastructure as BRICKSTORM.

GRIMBOLT’s design suggests a focus on performance in constrained embedded environments (like RecoverPoint appliances) while increasing evasive capabilities.


Advanced Evasion and Lateral Movement Techniques

Beyond simple exploitation and backdoor installation, UNC6201 has demonstrated advanced techniques for maintaining stealth and pivoting deeper within virtual environments:

“Ghost NICs”

Researchers observed the creation of temporary and hidden virtual network ports on VMware ESXi hosts. These “Ghost NICs” were used as covert channels to move from compromised VMs into internal networks and towards internal SaaS services, effectively bypassing traditional network defenses and visibility controls.

Single Packet Authorization (SPA) via iptables

In some cases, attackers used iptables rules on Linux appliances to implement Single Packet Authorization (SPA). SPA selectively allows connections only after detecting a specific hex-encoded token, reducing exposure to scanning and minimizing the attack surface.
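A Linux appliance's ruleset can be reviewed for this pattern without knowing the token: the iptables `string` match extension (and its `--hex-string` option) is what inspects packet payloads for a fixed token, and the `recent` match is the usual way to turn that one packet into a time-limited allow. Neither is normally present on a backup appliance's firewall. The audit script below is an added example, not code from the advisory or from Dell; it parses `iptables-save` output (a constructed, simplified sample is embedded, with a placeholder token) and reports any rule that uses these match extensions.

```python
"""Flag iptables rules that gate traffic on a packet payload token (SPA-style) or on
port-knock state. Added example; the iptables-save dump below is a constructed sample
and the hex token in it spells the word PLACEHOLDER."""
import shlex

# Match extensions that rarely belong on an appliance firewall and that together make up
# the usual single-packet-authorization / port-knocking pattern.
SUSPICIOUS_MATCHES = {"string", "recent"}

# Constructed sample iptables-save output: three ordinary rules and one rule that only
# accepts connections carrying a fixed hex token in the payload.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m string --hex-string "|504c414345484f4c444552|" --algo bpm -j ACCEPT
COMMIT
"""


def audit_iptables_save(dump):
    """Return a list of findings, one per rule that uses a suspicious match extension.
    Each finding records the table, the chain, the raw rule and the reasons it was flagged."""
    findings = []
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]          # "*filter" -> "filter"
            continue
        if not line.startswith("-A "):
            continue                  # skip comments, chain policies and COMMIT
        tokens = shlex.split(line)    # honours the quoting around "|...|" hex strings
        chain = tokens[1]
        modules = {tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok == "-m"}

        reasons = [f"uses match extension '{mod}'" for mod in sorted(modules & SUSPICIOUS_MATCHES)]
        if "--hex-string" in tokens or "--string" in tokens:
            reasons.append("matches a fixed payload pattern (possible SPA token gate)")
        if reasons:
            findings.append({"table": table, "chain": chain, "rule": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_iptables_save(SAMPLE_IPTABLES_SAVE):
        print(f"[{f['table']}/{f['chain']}] {f['rule']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

On a live appliance, feed it `iptables-save` (and `ip6tables-save`) output collected over SSH or from a forensic image, and treat any hit on a host whose firewall is vendor-managed as something to explain, since the vendor's baseline ruleset is the natural allowlist to diff against.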

These sophisticated techniques highlight a level of operational security and evasion that enables prolonged access even in well-defended environments.


Mitigation and Defensive Guidance

Because CVE-2026-22769 hands an attacker remote administrative access without any prior foothold, rapid remediation is mandatory.

Immediate Actions

  1. Upgrade Affected Appliances
    • For the 6.x product line, upgrade to 6.0.3.1 HF1 or later.
    • For 5.3 series builds, follow Dell’s recommended upgrade or patch path.
  2. Isolate Management Interfaces
    • Ensure RecoverPoint appliances are not reachable from untrusted networks.
    • Use segmented management VLANs and strict firewall policies.
  3. Hunt and Detect
    • Audit Tomcat Manager logs for unauthorized deployment requests.
    • Search for unexpected WAR files in the Tomcat directory tree.
    • Monitor for unauthorized modifications to startup scripts (e.g., convert_hosts.sh) that enable persistent backdoors.
  4. Network Monitoring
    • Detect unexpected ephemeral network interfaces or unusual ESXi port allocations.
    • Monitor for encrypted outbound connections characteristic of GRIMBOLT or BRICKSTORM C2 traffic.
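The "Hunt and Detect" steps above, together with the deployment path described earlier (a WAR pushed through /manager/text/deploy), translate directly into a log-hunting routine: flag every request to a Tomcat Manager deployment endpoint, record the context path it registered, then surface later requests into that context and any authentication failures against /manager. The script below is an added example, not Mandiant's, GTIG's or Dell's tooling; the access-log lines and the webapps listing are constructed samples in Tomcat's default "common" access-log format, and the allowlist of expected WAR names is a placeholder to be replaced with a listing from a known-good appliance.

```python
"""Hunt a Tomcat access log for Manager-based WAR deployments and follow-on activity, and
list WAR files that are not on an allowlist. Added example; all sample data is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
ACCESS_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Documented Tomcat Manager endpoints that install a web application.
DEPLOY_ENDPOINTS = {"/manager/text/deploy", "/manager/html/deploy", "/manager/html/upload"}

# Constructed sample: normal appliance traffic, one failed Manager request, one deployment
# of a context named /helper, and a later request into that new context.
SAMPLE_ACCESS_LOG = """\
192.168.10.20 - - [14/Sep/2025:01:58:02 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 10342
203.0.113.7 - - [14/Sep/2025:02:12:51 +0000] "GET /manager/text/list HTTP/1.1" 401 2473
203.0.113.7 - appliance-admin [14/Sep/2025:02:13:07 +0000] "PUT /manager/text/deploy?path=/helper&update=true HTTP/1.1" 200 61
203.0.113.7 - - [14/Sep/2025:02:13:40 +0000] "GET /helper/index.jsp HTTP/1.1" 200 88
192.168.10.20 - - [14/Sep/2025:02:30:00 +0000] "GET /RecoverPoint/status HTTP/1.1" 200 512
"""

# Placeholder allowlist: build the real one from a clean appliance of the same version.
EXPECTED_WARS = {"manager.war", "host-manager.war"}

# Constructed listing, as `find <tomcat>/webapps -maxdepth 1` might print it.
SAMPLE_WEBAPPS_LISTING = ["ROOT", "manager.war", "RecoverPoint", "helper.war"]


def hunt_manager_activity(log_text):
    """Return {'deploys': [...], 'auth_failures': [...], 'context_hits': [...]}.

    deploys       - every request to a deployment endpoint, with the context path it named
                    (the text interface answers 200 even on failure, so status is not filtered)
    auth_failures - 401 responses anywhere under /manager/
    context_hits  - later requests into a context that a deploy event registered
    """
    deploys, auth_failures, context_hits = [], [], []
    deployed_contexts = []
    for line in log_text.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        url = urlsplit(event["target"])

        if url.path.startswith("/manager/") and event["status"] == "401":
            auth_failures.append(event)
        if url.path in DEPLOY_ENDPOINTS:
            context = parse_qs(url.query).get("path", ["(unknown)"])[0]
            deploys.append({**event, "context": context})
            if context != "(unknown)":
                deployed_contexts.append(context)
            continue
        for context in deployed_contexts:
            if url.path == context or url.path.startswith(context + "/"):
                context_hits.append({**event, "context": context})
    return {"deploys": deploys, "auth_failures": auth_failures, "context_hits": context_hits}


def unexpected_wars(listing, expected=EXPECTED_WARS):
    """Return WAR file names from a webapps listing that are not on the allowlist."""
    return sorted(name for name in listing if name.lower().endswith(".war") and name not in expected)


if __name__ == "__main__":
    result = hunt_manager_activity(SAMPLE_ACCESS_LOG)
    for d in result["deploys"]:
        print(f"DEPLOY  {d['time']} {d['host']} user={d['user']} context={d['context']}")
    for h in result["context_hits"]:
        print(f"FOLLOW  {h['time']} {h['host']} {h['method']} {h['target']} -> {h['status']}")
    print(f"Manager auth failures: {len(result['auth_failures'])}")
    print("Unexpected WAR files:", unexpected_wars(SAMPLE_WEBAPPS_LISTING))
```

Point `hunt_manager_activity` at the concatenated access logs for the whole exposure window (mid-2024 onward, per the advisory) rather than the current file, since the initial deployment may be long past; a deploy event followed by requests into the new context from the same source is the sequence to escalate, and the matching WAR from `unexpected_wars` is the artifact to preserve before the appliance is rebuilt.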

Attribution and Broader Context

While the cluster UNC6201 is not definitively the same as the previously tracked cluster UNC5221 (associated publicly with Silk Typhoon), there are some overlaps in tooling and behavior. Both clusters have exhibited long dwell times, sophisticated tooling, and targeting patterns that align with espionage motives in high-value enterprise environments.


Conclusion

The exploitation of CVE-2026-22769 places a stark spotlight on the risks of embedded systems and virtual appliance software within critical enterprise infrastructure. A vulnerability rooted in hardcoded credentials enabled a sophisticated actor to gain persistent access, deploy evolving malware families, and leverage advanced network pivoting techniques for nearly two years before detection.

Today, defenders must assume that appliance compromise — particularly in virtualized environments — can lead to deep internal access and long-term persistence. Rapid patching, robust monitoring, and proactive threat hunting are not optional but essential to defend against modern threat actor tradecraft.