GBHackers

Dell 0-Day Vulnerability Targeted by Chinese Hackers Since Mid-2024 for Ongoing Malware Campaign


A critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines has been actively exploited by Chinese state-sponsored hackers since mid-2024.

Mandiant and Google Threat Intelligence Group (GTIG) attribute this campaign to UNC6201, a threat cluster with significant overlaps to the group known as Silk Typhoon.

The vulnerability, tracked as CVE-2026-22769, carries a maximum CVSS score of 10.0, allowing attackers to gain full root access to the appliance without authentication.

The attackers utilize this flaw to deploy sophisticated malware, moving laterally through victim networks to maintain long-term espionage capabilities.

From BRICKSTORM to GRIMBOLT

According to Mandiant and Google Threat Intelligence Group (GTIG), the campaign initially relied on a backdoor named BRICKSTORM. However, in September 2025, researchers observed UNC6201 replacing BRICKSTORM with a newer, more advanced tool called GRIMBOLT.

GRIMBOLT represents a shift in tradecraft. It is written in C# and compiled using native ahead-of-time (AOT) compilation.

This method converts the code directly into machine language, which improves performance on resource-constrained appliances and makes the malware much harder for security teams to analyze.

The malware persists on the system by modifying a legitimate script, convert_hosts.sh, ensuring it executes every time the appliance reboots.

The root cause of CVE-2026-22769 is a set of hardcoded default credentials found in the Apache Tomcat Manager configuration.

Attackers use these credentials to log in as an administrator, upload a malicious WAR file (a type of Java archive), and execute commands with root privileges. This grants them complete control over the device.

UNC6201 has also been observed creating “Ghost NICs”, temporary network ports on VMware servers, to pivot stealthily between internal networks and cloud infrastructure.

CVE ID: CVE-2026-22769
CVSS Score: 10.0 (Critical)
Description: Hardcoded credential vulnerability allowing unauthenticated remote root access.
Affected Component: Dell RecoverPoint for Virtual Machines (Tomcat Manager)

Indicators of Compromise (IOCs)

Malware Family: GRIMBOLT (C# AOT-compiled backdoor), BRICKSTORM (legacy backdoor), SLAYSTYLE (web shell)
Persistence File: /home/kos/kbox/src/installation/distribution/convert_hosts.sh
Web Shell Path: /var/lib/tomcat9/ (malicious WAR file upload location)
Log Artifact: Requests to /manager/text/deploy in /home/kos/auditlog/fapi_cl_audit_log.log
Attribution: UNC6201 (suspected PRC-nexus, overlaps with Silk Typhoon)

Dell has released a critical security update to address this flaw. Organizations using RecoverPoint for Virtual Machines must upgrade to version 6.0.3.1 HF1 or apply the official remediation script immediately.

Security teams should also inspect Tomcat logs for unauthorized access to the /manager endpoint.
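As an added illustration, not part of the GBHackers article or of Dell's remediation script, the following Python scans access-log lines for requests to the Tomcat Manager endpoints and rates a successful call to /manager/text/deploy (the log artifact named above) as high severity. The common Tomcat access-log layout and the sample entries are constructed assumptions; the page does not document the actual format of fapi_cl_audit_log.log.

```python
import re
from dataclasses import dataclass

# Any request into the Tomcat Manager application is worth reviewing on an
# appliance; a successful deploy is the strongest signal of a WAR upload.
MANAGER_REQUEST = re.compile(r'"(?P<method>[A-Z]+)\s+(?P<path>/manager/[^\s"?]*)')
STATUS_CODE = re.compile(r'"\s+(?P<status>\d{3})\s')
DEPLOY_PATH = "/manager/text/deploy"  # artifact reported by the article


@dataclass
class Finding:
    line_no: int
    client: str
    method: str
    path: str
    status: str
    severity: str


def scan_manager_access(lines, trusted_clients=frozenset()):
    """Return one Finding per Manager request from a non-trusted client.

    Assumes the common Tomcat access-log layout:
    client - user [time] "METHOD path proto" status bytes
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        request = MANAGER_REQUEST.search(line)
        if not request:
            continue
        client = line.split(" ", 1)[0]
        if client in trusted_clients:  # e.g. a documented management host
            continue
        status_match = STATUS_CODE.search(line)
        status = status_match.group("status") if status_match else "?"
        path = request.group("path")
        # A 2xx on the deploy endpoint means a WAR was accepted by Tomcat.
        severity = "high" if path == DEPLOY_PATH and status.startswith("2") else "medium"
        findings.append(Finding(line_no, client, request.group("method"), path, status, severity))
    return findings


# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real IOC.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2025:03:14:07 +0000] "GET /ui/index.html HTTP/1.1" 200 5120
203.0.113.7 - admin [12/Sep/2025:03:15:22 +0000] "GET /manager/text/list HTTP/1.1" 200 312
203.0.113.7 - admin [12/Sep/2025:03:15:40 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 71
10.0.0.9 - - [12/Sep/2025:03:16:01 +0000] "GET /manager/html HTTP/1.1" 401 2040
""".splitlines()

if __name__ == "__main__":
    for finding in scan_manager_access(SAMPLE_LOG):
        print(finding)
```

Run it against the real audit log by replacing SAMPLE_LOG with the file's lines, after adjusting the two regular expressions to that log's actual layout.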
