UNC6201 Exploits Dell RecoverPoint Zero-Day CVE-2026-22769
Overview
Mandiant and Google Threat Intelligence Group (GTIG) have identified active zero-day exploitation of a critical vulnerability, CVE-2026-22769, in Dell RecoverPoint for Virtual Machines. This flaw carries a CVSSv3.1 score of 10.0, indicating maximum severity. The suspected PRC-nexus threat cluster, UNC6201, has been exploiting this vulnerability since at least mid-2024 to achieve lateral movement, maintain persistent access, and deploy various malware, including SLAYSTYLE, BRICKSTORM, and a newly identified backdoor dubbed GRIMBOLT. While the initial access vector remains unconfirmed, UNC6201 is known for targeting edge appliances such as VPN concentrators for initial compromise, according to Google Threat Intelligence Group.
Dell has released remediations for CVE-2026-22769, and customers are strongly urged to apply the guidance provided in the official Dell Security Advisory to protect against these ongoing threats.
Technical Analysis
CVE-2026-22769 Exploitation Details
Mandiant discovered CVE-2026-22769 during investigations into compromised Dell RecoverPoint for Virtual Machines. Attackers leveraged hard-coded default credentials for the admin user, found within /home/kos/tomcat9/tomcat-users.xml, to authenticate to the appliance’s Apache Tomcat Manager. This unauthorized access allowed UNC6201 to upload a malicious WAR file via the /manager/text/deploy endpoint, subsequently executing commands with root privileges on the appliance. In observed incidents, this process led to the deployment of the SLAYSTYLE web shell, facilitating further malicious activities.
GRIMBOLT Malware Analysis
GRIMBOLT represents an evolution in UNC6201’s toolset. It is a C#-written foothold backdoor compiled using native ahead-of-time (AOT) compilation and packed with UPX. This approach complicates static analysis by removing the common intermediate language (CIL) metadata typical of C# applications and enhances performance on resource-constrained appliances. GRIMBOLT offers remote shell capabilities and utilizes the same command and control infrastructure as the previously deployed BRICKSTORM payload. In September 2025, Mandiant observed a campaign featuring the replacement of older BRICKSTORM binaries with GRIMBOLT, indicating a potential tradecraft shift or response to incident response efforts.
Persistence for GRIMBOLT and BRICKSTORM backdoors on Dell RecoverPoint for Virtual Machines was achieved by modifying the legitimate shell script /home/kos/kbox/src/installation/distribution/convert_hosts.sh to include the backdoor’s path. This script is executed at boot time via rc.local, ensuring persistent unauthorized access.
UNC6201’s Advanced VMware TTPs
UNC6201 has continued to compromise VMware virtual infrastructure, exhibiting several previously unreported tactics:
- Ghost NICs: The threat actor created new temporary network ports on existing virtual machines running on ESXi servers. These ephemeral interfaces were then used to pivot stealthily to internal and software-as-a-service (SaaS) infrastructures within affected organizations.
- iptables Proxying for Single Packet Authorization (SPA): On compromised vCenter appliances, UNC6201 utilized iptables commands for SPA. This sophisticated technique involved:
  - Monitoring incoming traffic on port 443 for a specific hexadecimal string.
  - Adding the source IP of traffic containing this string to a temporary approved list.
  - Accepting connections to port 10443 from IPs on the approved list.
  - Silently redirecting any subsequent traffic to port 443 to port 10443 for a duration of 300 seconds (five minutes) if the IP remained on the approved list.
Example iptables commands observed:
iptables -I INPUT -i eth0 -p tcp --dport 443 -m string --hex-string <HEX_STRING>
iptables -A port_filter -i eth0 -p tcp --dport 10443 --syn -m recent --rcheck --name ipt -j ACCEPT
iptables -t nat -N IPT
iptables -t nat -A IPT -p tcp -j REDIRECT --to-ports 10443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 --syn -m recent --rcheck --name ipt --seconds 300 -j IPT
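A defender-side way to hunt for this ruleset is to parse iptables-save output and look for the three building blocks together: a string match on port 443, a rule gated on a "recent" list, and a REDIRECT to another port. This detector is an added example, not tooling from the report; the iptables-save text below is constructed, and the hex string and port numbers in it are sample values.

```python
"""Detector for the iptables single-packet-authorization (SPA) proxy pattern
described above: a string match on port 443 that feeds a 'recent' list and a
'recent'-gated REDIRECT to another port. Added example, not from the report;
input is iptables-save format and the ruleset below is constructed."""
import shlex

# Constructed iptables-save output whose rule shapes mirror the quoted commands.
SAMPLE_RULESET = """\
*filter
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m string --hex-string "|CAFE|" --algo bm -m recent --set --name ipt --rsource
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A port_filter -i eth0 -p tcp -m tcp --dport 10443 --syn -m recent --rcheck --name ipt --rsource -j ACCEPT
COMMIT
*nat
-A IPT -p tcp -j REDIRECT --to-ports 10443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 --syn -m recent --rcheck --seconds 300 --name ipt --rsource -j IPT
COMMIT
"""

def iter_rules(text):
    """Yield (table, tokens) for each -A/-I rule line in iptables-save output."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(("-A ", "-I ")):
            yield table, shlex.split(line)

def option(tokens, name):
    """Value that follows option `name`, or None if absent."""
    return tokens[tokens.index(name) + 1] if name in tokens[:-1] else None

def find_spa_pattern(text):
    """Return per-rule findings plus a verdict: all three building blocks present."""
    findings, redirect_ports = [], set()
    trigger = gated = False
    for table, tok in iter_rules(text):
        mods = {tok[i + 1] for i, t in enumerate(tok[:-1]) if t == "-m"}
        chain, dport, target = tok[1], option(tok, "--dport"), option(tok, "-j")
        if "string" in mods and dport == "443":           # knock/SPA trigger on 443
            trigger = True
            findings.append((table, chain, "string-match trigger on 443"))
        if "recent" in mods and ("--rcheck" in tok or "--update" in tok):
            gated = True                                  # access gated on the knock list
            findings.append((table, chain, "recent-list gated rule"))
        if target == "REDIRECT":
            redirect_ports.add(option(tok, "--to-ports"))
            findings.append((table, chain, "REDIRECT to " + str(option(tok, "--to-ports"))))
    return {"findings": findings, "redirect_ports": redirect_ports,
            "spa_pattern": trigger and gated and bool(redirect_ports)}
```

Run it against `iptables-save` output captured from a vCenter appliance; a verdict of True warrants a manual review of the flagged chains.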
Actionable Recommendations and Mitigations
Defenders should prioritize patching Dell RecoverPoint for Virtual Machines to address CVE-2026-22769 immediately. Furthermore, organizations should review their VMware infrastructure for indicators of compromise related to UNC6201’s TTPs.
Forensic Analysis of Dell RecoverPoint Disk Image
Incident responders conducting full disk image analysis of Dell RecoverPoint for Virtual Machines should examine the following high-value artifacts:
- Web logs for Tomcat Manager: Check /home/kos/auditlog/fapi_cl_audit_log.log for suspicious requests to /manager, particularly PUT /manager/text/deploy?path=/<MAL_PATH>&update=true, which indicates malicious WAR file uploads.
- Uploaded WAR files: Investigate /var/lib/tomcat9 for unauthorized WAR files.
- Compiled WAR artifacts: Examine /var/cache/tomcat9/Catalina for compiled artifacts.
- Tomcat application logs: Review /var/log/tomcat9/ for unusual events:
  - Catalina logs: Look for org.apache.catalina.startup.HostConfig.deployWAR events.
  - Localhost logs: Investigate events related to WAR deployment and exceptions generated by malicious files.
- Persistence modifications: Inspect /home/kos/kbox/src/installation/distribution/convert_hosts.sh for unauthorized modifications that include paths to backdoors like BRICKSTORM or GRIMBOLT.
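The three text-based checks from this list (Manager deploy requests in the audit log, deployWAR events in the Catalina log, and lines added to convert_hosts.sh) can be scripted for triage of a mounted image. This is an added example, not the report's tooling; the audit-log layout, the Catalina lines and the baseline script are constructed, and the real fapi_cl_audit_log.log format may differ.

```python
"""Triage helpers for the RecoverPoint artifacts listed above: Tomcat
Manager deploy requests in the audit log, deployWAR events in the Catalina
log, and lines in convert_hosts.sh missing from a known-good copy. Added
example, not the report's tooling; log layouts and scripts are constructed."""
import re
from urllib.parse import parse_qs

DEPLOY_RE = re.compile(r"\b(PUT|GET|POST)\s+/manager/text/deploy\?(\S+)")
DEPLOYWAR_RE = re.compile(r"HostConfig\.deployWAR\b.*?\[([^\]]+)\]")

# Constructed samples; the real fapi_cl_audit_log.log layout may differ.
SAMPLE_AUDIT = [
    "2025-09-14 02:11:07 10.0.0.5 admin GET /manager/html 200",
    "2025-09-14 02:11:09 10.0.0.5 admin PUT /manager/text/deploy?path=/updater&update=true 200",
    "2025-09-14 02:11:30 10.0.0.5 admin GET /updater/index.jsp 200",
]
SAMPLE_CATALINA = [
    "14-Sep-2025 02:11:09.512 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR "
    "Deploying web application archive [/var/lib/tomcat9/webapps/updater.war]",
    "14-Sep-2025 02:11:10.001 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR "
    "Deployment of web application archive [/var/lib/tomcat9/webapps/updater.war] has finished",
]
# Stand-in for the shipped convert_hosts.sh (constructed, not Dell's script).
BASELINE_SCRIPT = "#!/bin/bash\n# stand-in for the shipped convert_hosts.sh\ncp /etc/hosts /etc/hosts.orig\n"
SUSPECT_SCRIPT = BASELINE_SCRIPT + "/tmp/.cache/BACKDOOR_PLACEHOLDER &\n"

def manager_deploys(audit_lines):
    """Deploy requests to /manager/text as (method, webapp path, update flag)."""
    hits = []
    for line in audit_lines:
        m = DEPLOY_RE.search(line)
        if m:
            qs = parse_qs(m.group(2))
            hits.append((m.group(1), qs.get("path", ["?"])[0], qs.get("update", ["false"])[0]))
    return hits

def deployed_wars(catalina_lines):
    """Archive paths named in HostConfig.deployWAR events; each should be accounted for."""
    return sorted({m.group(1) for line in catalina_lines for m in [DEPLOYWAR_RE.search(line)] if m})

def unexpected_lines(baseline, suspect):
    """Non-blank lines in the on-disk script that a clean copy does not contain."""
    known = {ln.strip() for ln in baseline.splitlines()}
    return [ln for ln in suspect.splitlines() if ln.strip() and ln.strip() not in known]

def triage(audit, catalina, baseline, suspect):
    """Bundle the three checks into one report for the responder."""
    return {"deploys": manager_deploys(audit), "wars": deployed_wars(catalina),
            "script_additions": unexpected_lines(baseline, suspect)}
```

On a real image, feed the functions the contents of the paths listed above and a convert_hosts.sh taken from a clean appliance of the same version.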
Indicators of Compromise (IOCs)
Organizations should leverage the following indicators for detection and hunting:
File Indicators (SHA256):
- GRIMBOLT:
  24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c (support)
  dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591 (out_elf_2)
- SLAYSTYLE:
  92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a (default_jsp.java)
- BRICKSTORM:
  aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
  2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df (splisten)
  320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759
  90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
  45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830
Network Indicators:
- GRIMBOLT C2 Endpoint: wss://149.248.11.71/rest/apisession
- GRIMBOLT C2 IP: 149.248.11.71
YARA Rules
The following YARA rules can assist in identifying GRIMBOLT and SLAYSTYLE malware:
G_APT_BackdoorToehold_GRIMBOLT_1
rule G_APT_BackdoorToehold_GRIMBOLT_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = { 40 00 00 00 41 18 00 00 00 4B 21 20 C2 2C 08 23 02 }
        $s2 = { B3 C3 BB 41 0D ?? ?? ?? 00 81 02 0C ?? ?? ?? 00 }
        $s3 = { 39 08 01 49 30 A0 52 30 00 00 00 DB 40 09 00 02 00 80 65 BC 98 }
        $s4 = { 2F 00 72 00 6F 00 75 00 74 00 65 79 23 E8 03 0E 00 00 00 2F 00 70 00 72 00 6F 00 63 00 2F 00 73 00 65 00 6C 00 66 00 2F 00 65 00 78 00 65 }
    condition:
        (uint32(0) == 0x464c457f) //linux
        and all of ($s*)
}
G_Hunting_BackdoorToehold_GRIMBOLT_1
rule G_Hunting_BackdoorToehold_GRIMBOLT_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "[!] Error : Plexor is nul" ascii wide
        $s2 = "port must within 0~6553" ascii wide
        $s3 = "[*] Disposing.." ascii wide
        $s4 = "[!] Connection error. Kill Pty" ascii wide
        $s5 = "[!] Unkown message type" ascii wide
        $s6 = "[!] Bad dat" ascii wide
    condition:
        (
            (uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or
            uint32(0) == 0x464c457f or
            uint32(0) == 0xfeedface or
            uint32(0) == 0xcefaedfe or
            uint32(0) == 0xfeedfacf or
            uint32(0) == 0xcffaedfe or
            uint32(0) == 0xcafebabe or
            uint32(0) == 0xbebafeca or
            uint32(0) == 0xcafebabf or
            uint32(0) == 0xbfbafeca
        ) and any of them
}
G_APT_BackdoorWebshell_SLAYSTYLE_4
rule G_APT_BackdoorWebshell_SLAYSTYLE_4
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $str1 = "<%@page import=\"java.io" ascii wide
        $str2 = "Base64.getDecoder().decode(c.substring(1)" ascii wide
        $str3 = "{\"/bin/sh\",\"-c\"" ascii wide
        $str4 = "Runtime.getRuntime().exec(" ascii wide
        $str5 = "ByteArrayOutputStream();" ascii wide
        $str6 = ".printStackTrace(" ascii wide
    condition:
        $str1 at 0 and all of them
}