UNC6201 Exploits Dell RecoverPoint Zero-Day to Deploy GRIMBOLT Backdoor


On February 18, 2026, Mandiant and Google Threat Intelligence Group (GTIG) disclosed active exploitation of a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines by the threat cluster UNC6201, a suspected PRC-nexus actor.
The campaign has been ongoing since at least mid-2024 and involves appliance compromise, stealthy persistence, pivoting into VMware infrastructure, and deployment of custom malware including SLAYSTYLE, BRICKSTORM, and a newly identified backdoor named GRIMBOLT.

Severity: High

Threat Actor

  • Actor Name: UNC6201
  • Suspected Nexus: People’s Republic of China (PRC)
  • Related Clusters: Overlaps with UNC5221 (publicly linked to Silk Typhoon), though not assessed as identical
  • Motivation: Espionage, persistent access, lateral movement into VMware infrastructure
  • Active Since: At least mid-2024

Vulnerability Exploited

  • CVE: CVE-2026-22769
  • Product: Dell RecoverPoint for Virtual Machines
  • CVSS Score: 10.0
  • Root Cause: Hard-coded default credentials for the admin user stored in /home/kos/tomcat9/tomcat-users.xml. Access to the Apache Tomcat Manager allowed attackers to deploy malicious WAR files.
  • Exploitation Flow:
    • Authentication to the Dell RecoverPoint Tomcat Manager using the hard-coded credentials
    • Upload of a malicious WAR file via /manager/text/deploy
    • Deployment of the SLAYSTYLE web shell
    • Root-level command execution
    • Installation of BRICKSTORM, later replaced with GRIMBOLT
    • Persistence via modification of /home/kos/kbox/src/installation/distribution/convert_hosts.sh, which is executed at boot via rc.local

Malware Ecosystem

  • SLAYSTYLE: A Java-based web shell delivered via the initial WAR file to establish immediate command execution.
  • BRICKSTORM: A legacy backdoor used for initial persistent access; however, Mandiant observed a shift in September 2025 where these binaries were replaced by newer tools.
  • GRIMBOLT: A novel C# backdoor compiled using Native Ahead-of-Time (AOT) compilation. This method removes CIL metadata to frustrate static analysis and improves performance on resource-constrained appliances.

Persistence & Stealth Tactics

  • Persistence: The actor modifies a legitimate boot-time shell script, convert_hosts.sh, to ensure their backdoors (BRICKSTORM or GRIMBOLT) execute when the appliance restarts.
  • Ghost NICs: To pivot through the network stealthily, UNC6201 creates temporary virtual network ports (“Ghost NICs”) on existing ESXi virtual machines.
  • Single Packet Authorization (SPA): The actor uses iptables to watch for a specific hex string on port 443. Only after this “knock” is received is the source IP added to an approved list, after which that source's subsequent traffic is redirected to a hidden listener on port 10443.
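The SPA gate described above leaves a recognisable footprint in the appliance's iptables configuration, which is what recommendation 7 asks defenders to look for. The following added example (not from the advisory or from Mandiant) audits `iptables-save` output for the two halves of that pattern: a payload-matching rule on port 443 that populates an IP set, and a NAT redirect onto port 10443. The rule text and set name in the sample are constructed; only the port numbers come from the advisory.

```python
"""Flag iptables rules matching a knock-then-redirect (SPA) pattern.

Added example, not part of the advisory. Input is the text format written
by `iptables-save`; the sample below is constructed, not an observed IOC.
"""
import re

# Constructed iptables-save excerpt: one benign HTTPS accept, one string-match
# "knock" on 443 that adds the sender to an ipset, and one NAT REDIRECT that
# sends set members' port-443 traffic to a listener on 10443.
SAMPLE_IPTABLES_SAVE = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 443 -m set --match-set knockers src -j REDIRECT --to-ports 10443
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m string --hex-string "|deadbeef|" --algo bm -j SET --add-set knockers src
COMMIT
"""

HIDDEN_LISTENER_PORT = "10443"  # from the advisory
EXPOSED_PORT = "443"            # from the advisory


def audit_iptables(dump: str) -> list[str]:
    """Return rule lines worth investigating, each prefixed with a reason tag."""
    findings = []
    for line in dump.splitlines():
        if not line.startswith("-A"):
            continue  # table headers, policies, COMMIT
        dport = re.search(r"--dport (\d+)", line)
        redirect = re.search(r"-j REDIRECT --to-ports? (\d+)", line)
        # Any NAT redirect onto the hidden listener port is a finding on its own.
        if redirect and redirect.group(1) == HIDDEN_LISTENER_PORT:
            findings.append(f"redirect-to-{HIDDEN_LISTENER_PORT}: {line}")
        # Payload matching on 443 that feeds an IP set is the SPA "knock" gate.
        elif (dport and dport.group(1) == EXPOSED_PORT
              and "-m string" in line and "-j SET" in line):
            findings.append(f"spa-knock-on-{EXPOSED_PORT}: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit_iptables(SAMPLE_IPTABLES_SAVE):
        print(finding)
```

Run it against `iptables-save` output collected from the appliance (and from vCenter, per recommendation 7); a plain `--dport 443 -j ACCEPT` rule produces no finding.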

Recommendations

  1. Immediately apply Dell’s security update for CVE-2026-22769.
  2. Validate Tomcat Manager credential configurations. Remove or rotate any hard-coded/default credentials.
  3. Tomcat Manager web requests are logged in /home/kos/auditlog/fapi_cl_audit_log.log. Check this file for any requests to /manager; on this appliance, any such request should be considered suspicious. A request of the form PUT /manager/text/deploy?path=/&update=true is potentially malicious: the value of its path parameter (MAL_PATH in this advisory) is the path to which the potentially malicious WAR file was uploaded.
  4. Given UNC6201’s history of targeting edge devices like VPN concentrators for initial access, implement strict access control lists (ACLs) and multi-factor authentication (MFA) for all internet-facing management interfaces.
  5. Implement file integrity monitoring (FIM) for critical appliance scripts, specifically /home/kos/kbox/src/installation/distribution/convert_hosts.sh, to detect unauthorized modifications made for persistence.
  6. Regularly scan ESXi servers for “Ghost NICs”, the temporary network ports created by threat actors to facilitate lateral movement.
  7. Monitor iptables configurations on vCenter and other appliances for unusual redirection rules, specifically those involving ports 443 and 10443.
  8. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/6d9bd98653d426b223007bbafb06ba4b83f83df8de01ee1463a8d60fb2be5107/iocs
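Recommendation 3 boils down to a log review that is easy to script. The added example below (not from the advisory) walks a web audit log and classifies every request that touches /manager, pulling the deployed context path out of a deploy PUT. The advisory gives the log file's location but not its line format, so the timestamp/client/request-line/status layout assumed in REQUEST_RE and the sample lines are constructed; adjust the regex to the real layout before running it on /home/kos/auditlog/fapi_cl_audit_log.log.

```python
"""Classify Tomcat Manager requests in a web audit log (added example).

The line format is an assumption: timestamp, client IP, quoted request line,
status. Sample lines are constructed, not real appliance output.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
2025-09-12T03:14:01Z 10.10.20.15 "GET /login HTTP/1.1" 200
2025-09-12T03:14:22Z 192.0.2.44 "GET /manager/html HTTP/1.1" 401
2025-09-12T03:14:25Z 192.0.2.44 "PUT /manager/text/deploy?path=/&update=true HTTP/1.1" 200
2025-09-12T03:15:02Z 192.0.2.44 "PUT /manager/text/deploy?path=/status&update=true HTTP/1.1" 200
"""

# Assumed layout; change this if the real audit log is shaped differently.
REQUEST_RE = re.compile(r'^(\S+) (\S+) "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')


def audit_manager_requests(log_text: str) -> list[dict]:
    """Return one finding per request under /manager.

    A PUT to /manager/text/deploy (the WAR-upload step) is rated
    'potentially-malicious' and carries the deployed context path in
    'war_path' (MAL_PATH in the advisory); any other Manager access is
    rated 'suspicious', as the advisory says it should be on this appliance.
    """
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparsable line; a real review should count these
        ts, client, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.startswith("/manager"):
            continue
        finding = {"ts": ts, "client": client, "method": method, "path": url.path,
                   "status": int(status), "severity": "suspicious", "war_path": None}
        if method == "PUT" and url.path == "/manager/text/deploy":
            finding["severity"] = "potentially-malicious"
            finding["war_path"] = parse_qs(url.query).get("path", [None])[0]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_manager_requests(SAMPLE_LOG):
        print(f["severity"], f["client"], f["method"], f["path"], f["war_path"])
```

Every client that appears in the output is a candidate for the ACL and credential review in recommendations 2 and 4, and each war_path is a location to inspect for a SLAYSTYLE web shell.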

Source:

  • https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/
