
UNC6201 GRIMBOLT Exploits Dell CVE-2026-22769

Dell RecoverPoint for Virtual Machines appliances got quietly owned by UNC6201 through a CVSS 10.0 zero-day. Now the crew is dropping GRIMBOLT, a C# backdoor that is harder to spot than its predecessor, BRICKSTORM.

Compromised Dell RecoverPoint appliance dashboard showing GRIMBOLT persistence

Key Takeaways

  • UNC6201 exploited Dell RecoverPoint CVE-2026-22769 zero-day for root access since mid-2024.
  • GRIMBOLT backdoor evolves from BRICKSTORM with Native AOT compilation for better evasion on appliances.
  • New TTPs include Ghost NICs and iptables SPA for VMware pivots—patch and harden now.

A Dell RecoverPoint for Virtual Machines appliance sits in a dimly lit server room, its fans whirring softly, while suspected PRC operators halfway across the world shell into it remotely.

That’s the unglamorous reality of CVE-2026-22769, a zero-day in Dell’s VMware replication appliance that UNC6201, a suspected PRC-nexus crew, has been milking since mid-2024. CVSS score? A flawless 10.0. It hands over root on the box, which means persistence, lateral movement, and a drop zone for SLAYSTYLE webshells and the new kid, GRIMBOLT.

Mandiant and Google’s Threat Intelligence Group spilled the beans. They’ve watched UNC6201 pivot from edge VPN devices into this juicy target. The activity overlaps with UNC5221 (Silk Typhoon vibes), but Mandiant tracks it as a separate outfit, for now.

But here’s the angle no one else mentioned: this reeks of Stuxnet-era evolution. Back then, nation-states honed zero-days on industrial kit; now they’re feasting on the management-adjacent appliances that sit right next to the hypervisor. Bold prediction? Expect GRIMBOLT clones pointed at Hyper-V estates next quarter. Dell’s PR will spin patches; reality’s messier.

BRICKSTORM to GRIMBOLT: Malware’s Glow-Up

Old reliable BRICKSTORM? Out. Enter GRIMBOLT: C# source, compiled with .NET Native AOT, then UPX-packed for good measure. Native AOT means no JIT and no dependency on an installed .NET runtime; the binary is native machine code from the jump, so it runs fine on a stripped-down appliance, and the CIL and metadata that .NET decompilers feed on simply aren’t there. UPX on top hides the strings and structure until you unpack it.

During analysis of compromised Dell RecoverPoint for Virtual Machines, Mandiant discovered the presence of BRICKSTORM binaries and the subsequent replacement of these binaries with GRIMBOLT in September 2025.

Persistence? Sneaky. They tamper with convert_hosts.sh, a script that rc.local runs at boot, so it also launches the backdoor. Same C2 infrastructure as BRICKSTORM. Planned iteration, or Mandiant’s earlier exposure of BRICKSTORM forcing their hand? Who knows. Either way it’s smarter, leaner, and harder to spot.

Dell patched it. Yawn. The bug itself: hard-coded admin credentials sitting in tomcat-users.xml, screaming ‘hack me’ from a mile away. Those credentials open the Tomcat Manager, and Manager lets you deploy a WAR, which means arbitrary JSP running as the Tomcat process, here root. That’s the whole exploit chain, in use since mid-2024. Customers: patch now, or don’t cry later.

Ghost NICs for stealth pivots. Single-packet-authorization (SPA) knocking built out of iptables rules. Novel VMware abuse stacked on top of the Dell mess.

Why Does UNC6201 Obsess Over Dell Appliances?

Simple. RecoverPoint for VMs is a replication and disaster-recovery product for VMware: the virtual appliance integrates with vCenter, its write splitter runs on the ESXi hosts, and it sits in the write path of every protected VM. Get root there and you’re parked on the east-west path, ripe for chaos. UNC6201 hits the edge first (VPNs, remember?), then leaps in.

They authenticate to Tomcat Manager as ‘admin’ with the hard-coded password (it lives in the appliance’s tomcat-users.xml, so one look at the config gives it up), call /manager/text/deploy, and a WAR carrying the SLAYSTYLE JSP webshell lands. Lazy engineering? Cost-cutting? Either way, it’s blood in the water for PRC ops.
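The deploy step above leaves a trace in Tomcat’s access log, and that log is the first thing to pull from a suspect appliance. What follows is an added example, not code from Mandiant, Dell or the actor: it parses lines in Tomcat’s stock AccessLogValve format (%h %l %u %t "%r" %s %b), flags any WAR deploy through the Manager text or HTML interface, and flags other /manager/ traffic from non-loopback clients. The sample log lines, client addresses, timestamps and the /svc context path are constructed for the demonstration; nothing about the appliance’s real log location or layout is assumed.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Tomcat's stock AccessLogValve pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that install a WAR: the text interface (what curl and
# scripts hit) and the HTML form upload.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/deploy")
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1"}


@dataclass
class Hit:
    host: str
    user: str
    time: str
    method: str
    target: str
    status: int
    reason: str        # "war-deploy" or "remote-manager-access"
    context: str = ""  # context path from deploy?path=..., when present


def hunt_manager(lines):
    """Return Manager-related hits from Tomcat access log lines.

    Any WAR deploy is a hit (an appliance has no business deploying apps at
    runtime); any other /manager/ request from a non-loopback client is a
    weaker hit worth a look. Lines that do not parse are skipped.
    """
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.startswith("/manager/"):
            continue
        reason, context = None, ""
        if parts.path in DEPLOY_PATHS:
            reason = "war-deploy"
            # The deployed context path tells you where the webshell landed.
            context = parse_qs(parts.query).get("path", [""])[0]
        elif m["host"] not in LOOPBACK:
            reason = "remote-manager-access"
        if reason:
            hits.append(Hit(m["host"], m["user"], m["time"], m["method"],
                            m["target"], int(m["status"]), reason, context))
    return hits


# Constructed sample log, not real appliance data. Hosts, times and the
# "/svc" context path are invented for the demonstration.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Sep/2025:10:15:32 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 51',
    '10.0.0.5 - - [12/Sep/2025:10:15:40 +0000] "GET /svc/index.jsp?cmd=id HTTP/1.1" 200 213',
    '10.0.0.9 - admin [12/Sep/2025:11:02:01 +0000] "GET /manager/html HTTP/1.1" 200 8890',
    '127.0.0.1 - admin [12/Sep/2025:11:05:00 +0000] "GET /manager/text/list HTTP/1.1" 200 120',
    'not an access log line',
]

if __name__ == "__main__":
    for h in hunt_manager(SAMPLE_LOG):
        print(f"{h.reason:22} {h.time} {h.host} user={h.user} "
              f"{h.method} {h.target} -> {h.status} {h.context}")
```

A successful deploy hit gives you the context path; the next thing to grep for is traffic to that path (the second sample line, a request to /svc/index.jsp, is what the webshell’s first use looks like). If the appliance’s valve uses a custom pattern, adjust ACCESS_RE to match it rather than loosening the checks.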

And the VMware pivot? A continuation of what prior Mandiant, CrowdStrike and CISA alerts on this cluster described. New TTPs: fake NICs ghosting traffic, and SPA via iptables so the backdoor’s port looks closed to anyone who doesn’t know the knock. Stealthy as a ninja in a blackout.

Look, Dell’s advisory urges hardening. Good luck. The basics have been ignored for years: keep the appliance’s web interface off anything but the management network, rotate or remove the shipped credentials, and lock Tomcat Manager down to localhost (or strip it from a product that never needs runtime deploys).

Is Your VMware Farm GRIMBOLT’s Next Meal?

Absolutely. Mandiant spotted the actor burrowing deeper into vSphere from the appliance. Ghost NICs dodge the usual host-level view; SPA keeps the listener invisible to scanners and passive port inventories until the right packet arrives, so NDR has nothing to alert on. Running RecoverPoint unpatched? You’re toast.

Corporate hype calls it ‘contained.’ Bull. UNC6201 iterates fast: BRICKSTORM to GRIMBOLT in months. Historical parallel: APT1’s iterative webshells in the 2010s, but virtualized. Prediction: more vCenter compromises through neglected appliances this year unless vendors wake up.

Detection? Hunt Tomcat access logs for requests to /manager/, deploys above all; diff rc.local and convert_hosts.sh against a known-clean appliance; triage any unexpected ELF on the box, UPX-packed or running with no .NET runtime installed. YARA rules from Mandiant will probably follow. But proactive beats reactive, always.
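The rc.local and convert_hosts.sh persistence described earlier and the boot-script and binary hunting suggested here can be checked with one script. What follows is an added example, not Mandiant’s tooling and not anything from the Dell appliance: it compares a boot script against a SHA-256 taken from a known-clean appliance, applies two heuristics for injected launch lines (execution from a scratch directory, and a detached background launch that lets the script’s real job still complete), lists what rc.local hands off to, and tests an ELF for the ‘UPX!’ marker. The paths under /opt/example and /var/tmp/.cache and the script contents are placeholders, since the real convert_hosts.sh is not reproduced on this page.

```python
import hashlib
import re
from typing import List, Optional

# Directories a legitimate boot script on an appliance should not launch from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
ELF_MAGIC = b"\x7fELF"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def script_findings(script_text: str, known_good_sha256: Optional[str] = None) -> List[str]:
    """Heuristic review of a boot-time shell script (rc.local, convert_hosts.sh).

    A hash mismatch against a copy from a known-clean appliance of the same
    version is the strongest signal; the per-line checks catch the usual
    additions even without a baseline.
    """
    findings = []
    if known_good_sha256 and sha256_hex(script_text.encode()) != known_good_sha256:
        findings.append("content differs from known-good copy")
    for lineno, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(d in line for d in SCRATCH_DIRS):
            findings.append(f"line {lineno}: launches from scratch directory: {line}")
        # 'nohup ...' or a trailing single '&' (not '&&') detaches the launch.
        if re.search(r"(^|[\s;(])nohup\s", line) or re.search(r"[^&]&$", line):
            findings.append(f"line {lineno}: detached background launch: {line}")
    return findings


def boot_chain(rc_local_text: str) -> List[str]:
    """Absolute paths rc.local hands off to at boot (scripts and binaries)."""
    paths = []
    for raw in rc_local_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        paths += re.findall(r"(?<![\w/])/[\w./-]+", line)
    return paths


def is_upx_packed_elf(blob: bytes) -> bool:
    """ELF carrying the 'UPX!' marker UPX leaves in its packed headers.

    Weak indicator: the marker is trivially patched out and UPX is not
    malicious in itself, but an unexpected packed ELF on an appliance that
    ships none is worth pulling for analysis.
    """
    return blob.startswith(ELF_MAGIC) and b"UPX!" in blob


# Constructed samples. The paths under /opt/example and /var/tmp/.cache are
# placeholders, not the appliance's real layout.
RC_LOCAL = """#!/bin/sh -e
# Appliance boot hook (placeholder)
/opt/example/convert_hosts.sh
exit 0
"""

CLEAN_CONVERT_HOSTS = """#!/bin/bash
/opt/example/bin/convert_hosts --config /etc/example/hosts.conf
"""

# The appended line is the shape of an injected launcher: a binary in a
# scratch directory, output discarded, detached so the script still exits 0.
TAMPERED_CONVERT_HOSTS = CLEAN_CONVERT_HOSTS + "/var/tmp/.cache/sysupdate >/dev/null 2>&1 &\n"

if __name__ == "__main__":
    print("rc.local hands off to:", boot_chain(RC_LOCAL))
    baseline = sha256_hex(CLEAN_CONVERT_HOSTS.encode())
    for finding in script_findings(TAMPERED_CONVERT_HOSTS, baseline):
        print("convert_hosts.sh:", finding)
```

Take the baseline hash from an appliance running the same software version, or the hash check will fire on every box. The heuristics are deliberately narrow; an implant launched from a legitimate-looking path with no backgrounding will only show up through the hash mismatch, which is why the baseline matters more than the pattern matches.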

Dell spun up remediations quickly. Skeptical? Me too. Bugs like this expose the soft underbelly of virtualization: the appliances around it. PRC crews aren’t slowing down; they’re accelerating.

So, admins: audit now. Kill defaults. Segment like your job depends on it—because it does.



Frequently Asked Questions

What is CVE-2026-22769?

A zero-day in Dell RecoverPoint for Virtual Machines (CVSS 10.0): hard-coded admin credentials in tomcat-users.xml give access to Tomcat Manager, and a WAR deploy from there runs code as root. Exploited since mid-2024.

What does GRIMBOLT malware do?

A C# backdoor with a remote shell, compiled with .NET Native AOT so it runs on appliances with no .NET runtime and resists decompilation. It replaced BRICKSTORM in September 2025, uses the same C2, and persists by hijacking convert_hosts.sh, which rc.local runs at boot.

How to detect UNC6201 on Dell appliances?

Look for BRICKSTORM or GRIMBOLT binaries, a tampered convert_hosts.sh or rc.local, and Tomcat Manager WAR deploys in the access logs. Follow Dell’s advisory for patches.

Written by Aisha Patel

Former ML engineer turned writer. Covers computer vision and robotics with a practitioner perspective.


Originally reported by Mandiant Blog
