A critical zero-day vulnerability, tracked as CVE-2026-22769, is being actively exploited in Dell Technologies’ RecoverPoint for Virtual Machines. According to Mandiant and Google Threat Intelligence Group (GTIG), the flaw carries a perfect severity score of 10 and has been weaponized by a Chinese threat cluster identified as UNC6201.
Dell RecoverPoint for Virtual Machines is designed to manage backup and disaster recovery for VMware virtual machines. However, exploitation of CVE-2026-22769 enables unauthenticated attackers to gain access to the underlying system and maintain root-level persistence through a hardcoded credential weakness.
How CVE-2026-22769 Was Exploited
During multiple incident response engagements, Mandiant and GTIG determined that UNC6201 had been exploiting CVE-2026-22769 since at least mid-2024. The vulnerability stems from hardcoded default credentials embedded in configuration files associated with Apache Tomcat Manager on Dell RecoverPoint appliances.
Investigators found the credentials in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, attackers could authenticate to the Tomcat Manager interface and deploy malicious WAR files via the /manager/text/deploy endpoint. In observed cases, this resulted in the installation of a SLAYSTYLE web shell.
Web logs stored in /home/kos/auditlog/fapi_cl_audit_log.log revealed suspicious requests to /manager, particularly PUT /manager/text/deploy?path=/<MAL_PATH>&update=true. Uploaded WAR files were typically located in /var/lib/tomcat9, with compiled artifacts found in /var/cache/tomcat9/Catalina. Analysts were advised to investigate Tomcat logs under /var/log/tomcat9/, including Catalina events such as org.apache.catalina.startup.HostConfig.deployWAR.
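The two artifacts described above, the audit log and tomcat-users.xml, can be checked with a short triage script. The code below is an added example, not part of the original report or of Dell's tooling. It assumes the audit log carries a standard quoted request line ("METHOD PATH HTTP/x"); the exact layout of fapi_cl_audit_log.log is not shown on the page, and the log lines and the tomcat-users.xml content are constructed samples (the real account names and passwords are not reproduced).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample lines in a common access-log layout (not real log data).
SAMPLE_AUDIT_LOG = """\
10.0.0.5 - admin [12/Sep/2025:10:01:02 +0000] "GET /fapi/rest/5_1/system HTTP/1.1" 200 512
203.0.113.7 - tomcat [12/Sep/2025:10:05:44 +0000] "PUT /manager/text/deploy?path=/support&update=true HTTP/1.1" 200 35
203.0.113.7 - - [12/Sep/2025:10:06:10 +0000] "GET /support/default.jsp HTTP/1.1" 200 88
10.0.0.5 - admin [12/Sep/2025:10:07:00 +0000] "GET /manager/html HTTP/1.1" 401 0
"""

# Constructed stand-in for /home/kos/tomcat9/tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <user username="deploy" password="PLACEHOLDER" roles="manager-script"/>
  <user username="viewer" password="PLACEHOLDER" roles="manager-status"/>
</tomcat-users>
"""

# Any request whose path starts with /manager is of interest on an appliance
# where nobody should be using the Tomcat Manager at all.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+)\s+(?P<path>/manager\S*)\s+HTTP/')
# Endpoints that change what is deployed (text API and HTML form upload).
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")
# Roles that allow deploying applications through the Manager.
DEPLOY_ROLES = {"manager-script", "manager-gui"}


def find_manager_requests(log_text):
    """Return every request to the Tomcat Manager, marking deploy attempts."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        hits.append({
            "line": lineno,
            "method": m.group("method"),
            "path": path,
            "deploy": path.startswith(DEPLOY_PATHS),
        })
    return hits


def deploy_capable_accounts(xml_text):
    """Return usernames in tomcat-users.xml whose roles allow deployment."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":  # strip the XML namespace
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",")}
        if roles & DEPLOY_ROLES:
            found.append(elem.get("username"))
    return found


if __name__ == "__main__":
    for hit in find_manager_requests(SAMPLE_AUDIT_LOG):
        flag = "DEPLOY" if hit["deploy"] else "manager"
        print(f"[{flag}] line {hit['line']}: {hit['method']} {hit['path']}")
    print("deploy-capable accounts:", deploy_capable_accounts(SAMPLE_TOMCAT_USERS))
```

A single successful PUT to /manager/text/deploy from an address that never otherwise touches the appliance is the strongest signal in the sample; the second function tells you which accounts in the file would have been able to perform that deploy, which is the set whose credentials need rotating or removing.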
The earliest confirmed exploitation of CVE-2026-22769 dates back to mid-2024.
UNC6201’s Malware Evolution: From BRICKSTORM to GRIMBOLT
The campaign tied to UNC6201 shows a notable evolution in tooling. Initially, attackers deployed BRICKSTORM malware. However, in September 2025, investigators observed older BRICKSTORM binaries being replaced with a newly identified backdoor called GRIMBOLT.
GRIMBOLT, written in C# and compiled using native ahead-of-time (AOT) compilation, represents a tactical shift. Unlike traditional .NET software that relies on just-in-time (JIT) compilation, native AOT binaries are compiled directly to machine code. Introduced to .NET in 2022, this method enhances performance on resource-constrained appliances like Dell RecoverPoint systems and complicates static analysis by eliminating the Common Intermediate Language (CIL) metadata that .NET decompilers depend on.
GRIMBOLT was also packed with UPX and provided remote shell capabilities while using the same command-and-control infrastructure previously associated with BRICKSTORM. Investigators could not determine whether the shift to GRIMBOLT was pre-planned or a reaction to incident response efforts by Mandiant and other industry partners.
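The practical consequence of native AOT plus UPX for a triage workflow is that the usual "is this .NET?" check (looking for the BSJB metadata header) fails twice: the packer hides strings, and an AOT build has no CIL metadata even after unpacking. The script below is an added example, not GRIMBOLT analysis code from Mandiant or GTIG; it runs cheap byte-level checks on constructed sample blobs and, as the edge case, refuses to draw a verdict from a packed file.

```python
ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"
UPX_MARKER = b"UPX!"       # left in the file by the UPX packer
CIL_METADATA_MAGIC = b"BSJB"  # signature of the .NET CIL metadata header


def triage_binary(blob: bytes) -> dict:
    """Classify a sample by format, packing and presence of CIL metadata."""
    fmt = "elf" if blob.startswith(ELF_MAGIC) else "pe" if blob.startswith(PE_MAGIC) else "unknown"
    packed = UPX_MARKER in blob
    has_cil = CIL_METADATA_MAGIC in blob
    if packed:
        # Compressed sections hide strings and headers; a missing BSJB here
        # means nothing. Unpack first, then rerun the check.
        verdict = "packed: unpack before classifying"
    elif has_cil:
        verdict = "managed .NET (CIL metadata present): use a CIL decompiler"
    elif fmt != "unknown":
        verdict = "native code without CIL metadata: possible native AOT, analyze as native"
    else:
        verdict = "unrecognized format"
    return {"format": fmt, "upx_packed": packed, "cil_metadata": has_cil, "verdict": verdict}


# Constructed samples (not real malware bytes): a UPX-packed ELF, a classic
# JIT-compiled .NET PE, and an unpacked native ELF with no CIL metadata.
PACKED_ELF = ELF_MAGIC + b"\x00" * 60 + UPX_MARKER + b"\x00" * 32
MANAGED_PE = PE_MAGIC + b"\x00" * 126 + CIL_METADATA_MAGIC + b"\x00" * 32
NATIVE_ELF = ELF_MAGIC + b"\x00" * 124


if __name__ == "__main__":
    for name, blob in [("packed", PACKED_ELF), ("managed", MANAGED_PE), ("native", NATIVE_ELF)]:
        print(name, triage_binary(blob))
```

The ordering of the checks is the point: packing is tested before the metadata check so that a packed AOT backdoor is routed to unpacking rather than being misfiled as "native, not .NET" and handed to the wrong analyst.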
Persistence mechanisms were established by modifying a legitimate shell script, /home/kos/kbox/src/installation/distribution/convert_hosts.sh, which executes at boot via rc.local. The attackers appended the backdoor path to this script to ensure continued access.
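A boot-time script such as convert_hosts.sh can be audited for the kind of appended launcher described above. The code below is an added example and not a tool from the report; the script body is a constructed stand-in (the real contents of convert_hosts.sh are not on the page), and the backdoor path in it is a placeholder. It flags lines that execute an absolute path outside a small allowlist of directories and notes whether the command is backgrounded, and it produces a SHA-256 fingerprint so the file can be compared against a known-good copy from a clean appliance.

```python
import hashlib

# Constructed stand-in for /home/kos/kbox/src/installation/distribution/convert_hosts.sh:
# a few plausible housekeeping lines followed by an appended launcher.
SAMPLE_SCRIPT = """\
#!/bin/bash
# convert hosts file entries (constructed placeholder body)
cp /etc/hosts /etc/hosts.orig
sed -i 's/ localhost$/ localhost kos/' /etc/hosts
/var/tmp/.support/support &
"""

# Directories from which a boot script on this appliance is expected to run
# binaries (assumption for the example; adjust to the real baseline).
ALLOWED_PREFIXES = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/", "/home/kos/kbox/")
# Common wrappers placed in front of a command; skipped to reach the real one.
WRAPPERS = {"nohup", "setsid", "exec", "sudo"}


def find_launches(script_text):
    """Return lines that execute an absolute path outside ALLOWED_PREFIXES."""
    flagged = []
    for lineno, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        while tokens and tokens[0] in WRAPPERS:
            tokens.pop(0)
        if not tokens or not tokens[0].startswith("/"):
            continue  # relative command names (cp, sed) resolve via PATH
        command = tokens[0]
        if command.startswith(ALLOWED_PREFIXES):
            continue
        flagged.append({
            "line": lineno,
            "command": command,
            "backgrounded": line.endswith("&"),
            "text": line,
        })
    return flagged


def fingerprint(script_text):
    """SHA-256 of the script, for comparison with a known-good copy."""
    return hashlib.sha256(script_text.encode()).hexdigest()


if __name__ == "__main__":
    print("sha256:", fingerprint(SAMPLE_SCRIPT))
    for f in find_launches(SAMPLE_SCRIPT):
        bg = " (backgrounded)" if f["backgrounded"] else ""
        print(f"line {f['line']}: runs {f['command']}{bg}")
```

The allowlist heuristic is deliberately simple; the fingerprint comparison against an unmodified appliance is the reliable check, and the heuristic is there to tell you where in a modified file to look.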
Broader VMware Pivoting and New Tactics
Beyond exploiting CVE-2026-22769 in Dell RecoverPoint, UNC6201 expanded its operations into VMware environments. Although the initial access vector was not confirmed, the actor is known to target edge appliances such as VPN concentrators.
Mandiant documented the creation of “Ghost NICs,” temporary network interfaces added to virtual machines on ESXi servers. These interfaces enabled stealthy pivoting into internal and SaaS infrastructure.
In compromised vCenter appliances, analysts recovered iptables commands executed via the SLAYSTYLE web shell. These commands implemented Single Packet Authorization (SPA) by:
- Monitoring port 443 for a specific hexadecimal string
- Adding the source IP to an approved list
- Allowing connections to port 10443 if the IP was listed
- Redirecting traffic from port 443 to 10443 for 300 seconds
This redirection mechanism facilitated covert access while limiting exposure.
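Rules of the kind described above leave distinctive features in iptables-save output: payload string matching on port 443, the recent module keeping a dynamic source list, a timed window, and a REDIRECT from 443 to a different port. The auditor below is an added example, not code from Mandiant; the rule set it scans is constructed, with the hex string and list name replaced by placeholders, and it is not a complete copy of the attacker's configuration. It reports each rule with any of those features so an analyst can review them against the appliance's expected firewall policy.

```python
import shlex

# Constructed iptables-save style input (placeholders, not recovered rules).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -m recent --rcheck --seconds 300 --name LISTNAME -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 443 -m string --string "PLACEHOLDER" --algo bm -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def _opt(tokens, flag):
    """Return the value following a flag, or None if the flag is absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def audit_rules(save_text):
    """Return rules carrying features associated with port-knock style gating."""
    report = []
    for lineno, line in enumerate(save_text.splitlines(), 1):
        if not line.startswith("-A"):
            continue  # table headers, chain policies and COMMIT lines
        tokens = shlex.split(line)
        matches = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-m"]
        dport = _opt(tokens, "--dport")
        target = _opt(tokens, "-j")
        to_port = _opt(tokens, "--to-ports") or _opt(tokens, "--to-destination")
        findings = set()
        if "string" in matches:
            findings.add("payload-match")       # inspecting packet contents
        if "recent" in matches:
            findings.add("dynamic-source-list")  # per-source state in kernel
        if "--seconds" in tokens:
            findings.add("timed-window")
        if target in ("REDIRECT", "DNAT") and to_port and to_port != dport:
            findings.add("port-redirect")        # e.g. 443 sent to 10443
        if findings:
            report.append({"line": lineno, "rule": line, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit_rules(SAMPLE_RULES):
        print(f"line {entry['line']}: {sorted(entry['findings'])}")
        print("   ", entry["rule"])
```

None of these features is malicious on its own (the recent module has legitimate rate-limiting uses), so the output is a review list rather than a verdict; on a vCenter or RecoverPoint appliance whose firewall policy is vendor-managed, any of them appearing at all is worth explaining.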
Indicators of Compromise Linked to CVE-2026-22769 and UNC6201
Several malware samples and network indicators were tied to the campaign:
GRIMBOLT Files
- support — SHA256: 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c
- out_elf_2 — SHA256: dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591
SLAYSTYLE
- default_jsp.java — SHA256: 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a
BRICKSTORM Samples
- SHA256: aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
- splisten — SHA256: 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
- Additional hashes:
  - 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759
  - 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
  - 45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830
Network Indicators
- C2 Endpoint: wss://149.248.11.71/rest/apisession
- C2 IP: 149.248.11.71
YARA rules released by GTIG include:
- G_APT_BackdoorToehold_GRIMBOLT_1
- G_Hunting_BackdoorToehold_GRIMBOLT_1
- G_APT_BackdoorWebshell_SLAYSTYLE_4