{
	"id": "130218ad-74ca-42d0-a80d-a6e044a20301",
	"created_at": "2026-04-06T00:19:45.802899Z",
	"updated_at": "2026-04-10T03:35:48.58785Z",
	"deleted_at": null,
	"sha1_hash": "2847d66d5679ee28e006b3eb2a330eebdd20bdcb",
	"title": "UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90112,
	"plain_text": "UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day\r\nBy Mandiant, Google Threat Intelligence Group\r\nPublished: 2026-02-17 · Archived: 2026-04-05 14:25:42 UTC\r\nWritten by: Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson, Jr., Rich Reece\r\nIntroduction\r\nMandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0. Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT. The initial access vector for these incidents was not confirmed, but UNC6201 is known to target edge appliances (such as VPN concentrators) for initial access. There are notable overlaps between UNC6201 and UNC5221, which has been used synonymously with the actor publicly reported as Silk Typhoon, although GTIG does not currently consider the two clusters to be the same.\r\nThis report builds on previous GTIG research into BRICKSTORM espionage activity, providing a technical deep dive into the exploitation of CVE-2026-22769 and the functionality of the GRIMBOLT malware. Mandiant identified a campaign featuring the replacement of older BRICKSTORM binaries with GRIMBOLT in September 2025. 
GRIMBOLT represents a shift in tradecraft; this newly identified malware, written in C# and compiled using native ahead-of-time (AOT) compilation, is designed to complicate static analysis and enhance performance on resource-constrained appliances.\r\nBeyond the Dell appliance exploitation, Mandiant observed the actor employing novel tactics to pivot into VMware virtual infrastructure, including the creation of \"Ghost NICs\" for stealthy network pivoting and the use of iptables for Single Packet Authorization (SPA).\r\nDell has released remediations for CVE-2026-22769, and customers are urged to follow the guidance in the official Security Advisory. This post provides actionable hardening guidance, detection opportunities, and a technical analysis of the UNC6201 tactics, techniques, and procedures (TTPs).\r\nGRIMBOLT\r\nDuring analysis of compromised Dell RecoverPoint for Virtual Machines, Mandiant discovered the presence of BRICKSTORM binaries and the subsequent replacement of these binaries with GRIMBOLT in September 2025.\r\nGRIMBOLT is a C#-written foothold backdoor compiled using native ahead-of-time (AOT) compilation and packed with UPX. It provides a remote shell capability and uses the same command and control as the previously deployed BRICKSTORM payload. It's unclear if the threat actor's replacement of BRICKSTORM with GRIMBOLT was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response efforts led by Mandiant and other industry partners. Unlike traditional .NET software that uses just-in-time (JIT) compilation at runtime, Native AOT-compiled binaries, introduced to .NET in 2022, are converted directly to machine-native code during compilation. 
This approach enhances the software’s performance on resource-constrained appliances, ensures required libraries are already present in the file, and complicates static analysis by removing the Common Intermediate Language (CIL) metadata typically associated with C# samples.\r\nUNC6201 established BRICKSTORM and GRIMBOLT persistence on the Dell RecoverPoint for Virtual Machines by modifying a legitimate shell script named convert_hosts.sh to include the path to the backdoor.\r\nThis shell script is executed by the appliance at boot time via rc.local.\r\nCVE-2026-22769\r\nMandiant discovered CVE-2026-22769 while investigating multiple Dell RecoverPoint for Virtual Machines within a victim’s environment that had active C2 associated with BRICKSTORM and GRIMBOLT backdoors.\r\nDuring analysis of the appliances, analysts identified multiple web requests to an appliance prior to compromise using the username admin. These requests were directed to the installed Apache Tomcat Manager, used to deploy various components of the Dell RecoverPoint software, and resulted in the deployment of a malicious WAR file containing a SLAYSTYLE web shell.\r\nAfter analyzing various configuration files belonging to Tomcat Manager, we identified a set of hard-coded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager, upload a malicious WAR file using the /manager/text/deploy endpoint, and then execute commands as root on the appliance.\r\nThe earliest identified exploitation activity of this vulnerability occurred in mid-2024.\r\nNewly Observed VMware Activity\r\nDuring the course of the recent investigations, Mandiant observed continued compromise of VMware virtual infrastructure by the threat actor as previously reported by Mandiant, CrowdStrike, and CISA. 
Additionally, several new TTPs were discovered that haven’t been previously reported on.\r\nGhost NICs\r\nMandiant discovered the threat actor creating new temporary network ports on existing virtual machines running on an ESXi server. Using these network ports, the threat actor then pivoted to various internal and software-as-a-service (SaaS) infrastructures used by the affected organizations.\r\niptables proxying\r\nWhile analyzing compromised vCenter appliances, Mandiant recovered several commands from the systemd journal executed by the threat actor using a deployed SLAYSTYLE web shell. These iptables commands were used for Single Packet Authorization and consisted of:\r\nMonitoring incoming traffic on port 443 for a specific HEX string\r\nAdding the source IP of that traffic to a list; if the IP is on the list and connects to port 10443, the connection is ACCEPTED\r\nOnce the initial approved traffic comes in to port 10443, any subsequent traffic is automatically redirected\r\nFor the next 300 seconds (five minutes), any traffic to port 443 is silently redirected to port 10443 if the IP is on the approved list\r\niptables -I INPUT -i eth0 -p tcp --dport 443 -m string --hex-string \u003cHEX_STRING\u003e\r\niptables -A port_filter -i eth0 -p tcp --dport 10443 --syn -m recent --rcheck --name ipt -j ACCEPT\r\niptables -t nat -N IPT\r\niptables -t nat -A IPT -p tcp -j REDIRECT --to-ports 10443\r\niptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 --syn -m recent --rcheck --name ipt --seconds 300 -j IP\r\nRemediation\r\nThe following investigative guide can assist defenders in analyzing Dell RecoverPoint for Virtual Machines. 
\r\nForensic Analysis of Dell RecoverPoint Disk Image\r\nThe following artifacts are high-value sources of evidence for incident responders conducting full disk image analysis of Dell RecoverPoint for Virtual Machines.\r\nWeb logs for Tomcat Manager are stored in /home/kos/auditlog/fapi_cl_audit_log.log. Check the log file for any instances of requests to /manager. Any instances of those requests should be considered suspicious\r\nAny requests for PUT /manager/text/deploy?path=/\u003cMAL_PATH\u003e\u0026update=true are potentially malicious. MAL_PATH will be the path where a potentially malicious WAR file was uploaded\r\nUploaded WAR files are typically stored in /var/lib/tomcat9\r\nCompiled artifacts for uploaded WAR files are located in /var/cache/tomcat9/Catalina\r\nTomcat application logs are located in /var/log/tomcat9/\r\nCatalina - investigate any org.apache.catalina.startup.HostConfig.deployWAR events\r\nLocalhost - contains additional events associated with WAR deployment and any exceptions generated by the malicious WAR and embedded files\r\nPersistence for BRICKSTORM and GRIMBOLT backdoors on Dell RecoverPoint for Virtual Machines was established by modifying /home/kos/kbox/src/installation/distribution/convert_hosts.sh to include the path to the backdoor\r\nIndicators of Compromise (IOCs)\r\nTo assist the wider community in hunting and identifying activity outlined in this blog post, we have included IOCs in a free GTI Collection for registered users.\r\nFile Indicators\r\nFamily File Name SHA256\r\nGRIMBOLT support 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c\r\nGRIMBOLT out_elf_2 dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591\r\nSLAYSTYLE default_jsp.java 
92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a\r\nBRICKSTORM N/A aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878\r\nBRICKSTORM splisten 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df\r\nBRICKSTORM N/A 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759\r\nBRICKSTORM N/A 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035\r\nBRICKSTORM N/A 45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830\r\nNetwork Indicators\r\nFamily Indicator Type\r\nGRIMBOLT wss://149.248.11.71/rest/apisession C2 Endpoint\r\nGRIMBOLT 149.248.11.71 C2 IP\r\nYARA Rules\r\nG_APT_BackdoorToehold_GRIMBOLT_1\r\nrule G_APT_BackdoorToehold_GRIMBOLT_1\r\n{\r\n meta:\r\n author = \"Google Threat Intelligence Group (GTIG)\"\r\n strings:\r\n $s1 = { 40 00 00 00 41 18 00 00 00 4B 21 20 C2 2C 08 23 02 }\r\n $s2 = { B3 C3 BB 41 0D ?? ?? ?? 00 81 02 0C ?? ?? ?? 00 }\r\n $s3 = { 39 08 01 49 30 A0 52 30 00 00 00 DB 40 09 00 02 00 80 65 BC 98 }\r\n $s4 = { 2F 00 72 00 6F 00 75 00 74 00 65 79 23 E8 03 0E 00 00 00 2F 00 70 00 72 00 6F 00 63 00 2F 00 73 00 6\r\n condition:\r\n (uint32(0) == 0x464c457f) //linux\r\n and all of ($s*)\r\n}\r\nG_Hunting_BackdoorToehold_GRIMBOLT_1\r\nrule G_Hunting_BackdoorToehold_GRIMBOLT_1\r\n{\r\n meta:\r\n author = \"Google Threat Intelligence Group (GTIG)\"\r\n strings:\r\n $s1 = \"[!] Error : Plexor is nul\" ascii wide\r\n $s2 = \"port must within 0~6553\" ascii wide\r\n $s3 = \"[*] Disposing..\" ascii wide\r\n $s4 = \"[!] Connection error. Kill Pty\" ascii wide\r\n $s5 = \"[!] Unkown message type\" ascii wide\r\n $s6 = \"[!] 
Bad dat\" ascii wide\r\n condition:\r\n (\r\n (uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or\r\n uint32(0) == 0x464c457f or\r\n uint32(0) == 0xfeedface or\r\n uint32(0) == 0xcefaedfe or\r\n uint32(0) == 0xfeedfacf or\r\n uint32(0) == 0xcffaedfe or\r\n uint32(0) == 0xcafebabe or\r\n uint32(0) == 0xbebafeca or\r\n uint32(0) == 0xcafebabf or\r\n uint32(0) == 0xbfbafeca\r\n ) and any of them\r\n}\r\nG_APT_BackdoorWebshell_SLAYSTYLE_4\r\nrule G_APT_BackdoorWebshell_SLAYSTYLE_4\r\n{\r\n meta:\r\n author = \"Google Threat Intelligence Group (GTIG)\"\r\n strings:\r\n $str1 = \"\u003c%@page import=\\\"java.io\" ascii wide\r\n $str2 = \"Base64.getDecoder().decode(c.substring(1)\" ascii wide\r\n $str3 = \"{\\\"/bin/sh\\\",\\\"-c\\\"\" ascii wide\r\n $str4 = \"Runtime.getRuntime().exec(\" ascii wide\r\n $str5 = \"ByteArrayOutputStream();\" ascii wide\r\n $str6 = \".printStackTrace(\" ascii wide\r\n condition:\r\n $str1 at 0 and all of them\r\n}\r\nGoogle Security Operations (SecOps)\r\nGoogle Security Operations (SecOps) customers have access to these broad category rules and more under the “Mandiant Frontline Threats” and “Mandiant Hunting Rules” rule packs. 
The activity discussed in the blog post is detected in Google SecOps under the rule names:\r\nWeb Archive File Write To Tomcat Directory\r\nRemote Application Deployment via Tomcat Manager\r\nSuspicious File Write To Tomcat Cache Directory\r\nKbox Distribution Script Modification\r\nMultiple DNS-over-HTTPS Services Queried\r\nUnknown Endpoint Generating DNS-over-HTTPS and Web Application Development Services Communication\r\nUnknown Endpoint Generating Google DNS-over-HTTPS and Cloudflare Hosted IP Communication\r\nUnknown Endpoint Generating Google DNS-over-HTTPS and Amazon Hosted IP Communication\r\nAcknowledgements\r\nWe appreciate Dell for their collaboration against this threat. This analysis would not have been possible without the assistance from across Google Threat Intelligence Group, Mandiant Consulting and FLARE. We would like to specifically thank Jakub Jozwiak and Allan Sepillo from GTIG Research and Discovery (RAD).\r\nPosted in Threat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day"
	],
	"report_names": [
		"unc6201-exploiting-dell-recoverpoint-zero-day"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5133dd42-e348-4a7a-8423-5a6f2579116f",
			"created_at": "2026-03-08T02:00:03.467343Z",
			"updated_at": "2026-04-10T02:00:03.979151Z",
			"deleted_at": null,
			"main_name": "UNC6201",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6201",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434785,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2847d66d5679ee28e006b3eb2a330eebdd20bdcb.pdf",
		"text": "https://archive.orkl.eu/2847d66d5679ee28e006b3eb2a330eebdd20bdcb.txt",
		"img": "https://archive.orkl.eu/2847d66d5679ee28e006b3eb2a330eebdd20bdcb.jpg"
	}
}