UNC6201 Targets Dell RecoverPoint (CVE-2026-22769): Evolving Backdoors and Novel VMware Pivot Techniques

Mandiant and Google Threat Intelligence Group (GTIG) have released critical findings regarding UNC6201, a suspected PRC-nexus threat cluster. This group has been actively exploiting a Dell RecoverPoint for Virtual Machines (RP4VM) zero-day, tracked as CVE-2026-22769 (CVSS v3.1 10.0), since at least mid-2024. The exploitation allows UNC6201 to establish footholds on edge and appliance infrastructure, move laterally, and deploy various payloads, including the SLAYSTYLE web shell, the BRICKSTORM backdoor, and its newly identified successor, GRIMBOLT 1.

The inclusion of CVE-2026-22769 in CISA’s Known Exploited Vulnerabilities (KEV) catalog highlights the urgent need for patching. However, the more significant insight is UNC6201’s strategic modernization of its tools and pivoting techniques, specifically targeting VMware-adjacent infrastructure, which often lacks standard Endpoint Detection and Response (EDR) coverage 1.


1. Executive Summary

  • What happened: UNC6201 exploited a hardcoded-credential vulnerability in Dell RP4VM (CVE-2026-22769) to gain privileged access, deploy web shells and backdoors, and maintain persistence across victim environments 1.
  • Why it matters: RP4VM is commonly deployed in VMware-centric environments for backup and recovery. Its compromise can create a durable access point close to high-value virtual infrastructure and management planes 1.
  • What’s new: Mandiant observed BRICKSTORM binaries being replaced by GRIMBOLT in September 2025. GRIMBOLT utilizes .NET Native AOT compilation and UPX packing to complicate analysis and improve performance on constrained appliances 1.
  • Immediate action: Apply Dell’s remediation guidance for affected versions. Treat exposed or internet-reachable management interfaces as high-risk and hunt for Tomcat Manager deployment artifacts 1.

2. Contextual Background

2.1 Nature of the Threat (CVE-2026-22769)

CVE-2026-22769 is a hardcoded credential vulnerability affecting Dell RecoverPoint for Virtual Machines (versions prior to 6.0.3.1 HF1). An unauthenticated attacker with knowledge of the credential can obtain unauthorized OS access and root-level persistence. Dell’s advisory provides remediation pathways and upgrade guidance for impacted 5.x and 6.x branches 1.

2.2 Threat-Actor Attribution and Overlaps

Mandiant and GTIG track this activity as UNC6201, assessed as a suspected PRC-nexus cluster. While some public reporting uses “Silk Typhoon” synonymously with UNC5221, GTIG currently does not consider UNC6201 and UNC5221 to be the same entity 1.

Attribution confidence: Likely (B2), based on incident-response observations and consistent tooling/TTPs, despite limited public victim-level telemetry 1.

2.3 Why Appliances and VMware-Adjacent Tooling are Attractive

UNC6201’s focus on edge/appliance tradecraft aligns with a broader trend of attackers targeting systems that often lack full endpoint visibility and reside on trusted network segments. Mandiant’s report highlights novel VMware pivot techniques (e.g., “Ghost NICs”) and iptables-based Single Packet Authorization (SPA), indicating an intent to quietly pivot into internal and SaaS environments while minimizing detection opportunities 1.


3. Technical Analysis

3.1 Exploitation Workflow (as observed by Mandiant/GTIG)

Mandiant discovered CVE-2026-22769 during investigations where RP4VM appliances showed active C2 linked to BRICKSTORM/GRIMBOLT. Analysts identified the following steps:

  1. Pre-compromise web requests to the RP4VM appliance using the username admin.
  2. Interaction with Apache Tomcat Manager, which RP4VM uses to deploy software components.
  3. Deployment of a malicious WAR containing the SLAYSTYLE web shell via Tomcat Manager endpoints.
  4. Identification of hardcoded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml.
  5. Using these credentials to authenticate to Tomcat Manager, upload malicious WARs via /manager/text/deploy, and achieve command execution as root on the appliance 1.

3.2 GRIMBOLT: What Changed from BRICKSTORM?

Mandiant reports a September 2025 shift where UNC6201 replaced BRICKSTORM binaries with GRIMBOLT, signifying an evolution in operational reliability and resistance to reverse-engineering 1:

  • Language/format: C#
  • Compilation: Native AOT (Ahead-of-Time) compilation, introduced to .NET in 2022
  • Packing: UPX
  • Capability: Remote shell / foothold backdoor
  • Infrastructure: Uses the same C2 as previously deployed BRICKSTORM 1

It remains unclear whether this swap was a planned lifecycle upgrade or a response to incident-response pressure 1.

3.3 Persistence on RP4VM Appliances

UNC6201 established persistence for BRICKSTORM/GRIMBOLT by modifying a legitimate script:

  • convert_hosts.sh was altered to include the backdoor path.
  • The script executes at boot via rc.local 1.

3.4 Newly Observed VMware Pivot Techniques

The Mandiant write-up describes two notable TTPs:

  • “Ghost NICs”: Creation of temporary network ports on existing VMs on ESXi, used as a stealthy pivot mechanism into internal and SaaS infrastructure 1.
  • iptables proxying for SPA: Rules monitoring a specific hex string on port 443, temporarily permitting access (e.g., to 10443), and redirecting subsequent traffic for a limited time window 1.

4. Impact Assessment

4.1 Severity and Operational Risk

  • CVSS: 10.0 (Critical) 1.
  • Likely outcomes: Root-level persistence on an infrastructure appliance, durable foothold, stealthy lateral movement into VMware-managed environments and adjacent services, and potential for follow-on espionage or disruptive actions 1.

4.2 Likely Victim Profile

Environments with the highest risk are those where RP4VM appliances:

  • Are reachable from untrusted networks (directly or via exposed management paths).
  • Are managed as “infrastructure” without robust logging/EDR coverage.
  • Have trust relationships into VMware management or backup networks 1.

5. Indicators of Compromise (IOCs)

The following IOCs are taken from the Mandiant/GTIG report. Validate them in context and do not treat them as exhaustive 1.

| Type | Value | Context/Notes | Source |
| --- | --- | --- | --- |
| SHA-256 | 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c | GRIMBOLT (support) | Mandiant/GTIG: From BRICKSTORM to GRIMBOLT 1 |
| SHA-256 | dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591 | GRIMBOLT (out_elf_2) | Mandiant/GTIG: From BRICKSTORM to GRIMBOLT 1 |
| SHA-256 | 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a | SLAYSTYLE (default_jsp.java) | Mandiant/GTIG: From BRICKSTORM to GRIMBOLT 1 |
| SHA-256 | aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878 | BRICKSTORM (filename N/A) | Mandiant/GTIG: From BRICKSTORM to GRIMBOLT 1 |
| SHA-256 | 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df | BRICKSTORM (splisten) | Mandiant/GTIG: From BRICKSTORM to GRIMBOLT 1 |
| SHA-256 | 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759 | BRICKSTORM (filename N/A) | Mandiant/GTIG: From BRICKSTORM to GRIMBOLT 1 |
| SHA-256 | 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035 | BRICKSTORM (filename N/A) | Mandiant/GTIG: From BRICKSTORM to GRIMBOLT 1 |
| SHA-256 | 45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830 | BRICKSTORM (filename N/A) | Mandiant/GTIG: From BRICKSTORM to GRIMBOLT 1 |
| C2 IP | 149.248.11.71 | GRIMBOLT C2 | Mandiant/GTIG: From BRICKSTORM to GRIMBOLT 1 |
| C2 Endpoint | wss://149.248.11.71/rest/apisession | GRIMBOLT WebSocket endpoint | Mandiant/GTIG: From BRICKSTORM to GRIMBOLT 1 |

5.2 Detection Guidance

Appliance/Tomcat-focused hunting (high signal in this case):

  • Review Tomcat Manager audit logs for any requests to /manager:
    • /home/kos/auditlog/fapi_cl_audit_log.log 1
  • Treat the following as suspicious, particularly outside maintenance windows:
    • PUT /manager/text/deploy?path=/<MAL_PATH>&update=true 1
  • Hunt for WAR artifacts in:
    • /var/lib/tomcat9 (uploaded WARs)
    • /var/cache/tomcat9/Catalina (compiled artifacts)
    • /var/log/tomcat9/ (Tomcat logs; look for HostConfig.deployWAR events) 1
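The hunt above can be scripted. The following is an added example (not code from the Mandiant/GTIG report or from Dell) that parses audit-style log lines, keeps only PUT requests to /manager/text/deploy, extracts the deployed context path, and marks requests that fall outside a maintenance window. The line format, the sample entries, the context paths and the 10:00-12:00 UTC window are all constructed for the example; the real layout of fapi_cl_audit_log.log may differ, so adjust the regex to the fields you actually see.

```python
"""Hunt for suspicious Tomcat Manager deployments in an RP4VM audit log.

Added example, not from the Mandiant/GTIG report or from Dell. The log
line format below is CONSTRUCTED for illustration; the real
fapi_cl_audit_log.log layout may differ, so adapt LINE_RE accordingly.
"""
import re
from datetime import datetime, time
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real appliance output):
# <timestamp> <source ip> <user> <method> <request target> <status>
SAMPLE_LOG = """\
2025-09-14T02:13:07Z 198.51.100.23 admin PUT /manager/text/deploy?path=/hostmgr&update=true 200
2025-09-14T02:13:09Z 198.51.100.23 admin GET /manager/text/list 200
2025-09-15T11:00:41Z 10.0.5.9 admin PUT /manager/text/deploy?path=/rp4vm-ui&update=true 200
2025-09-15T11:02:03Z 10.0.5.9 admin GET /RecoverPoint/ui/ 200
"""

# Maintenance window assumed for this example: 10:00-12:00 UTC.
MAINT_START, MAINT_END = time(10, 0), time(12, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<target>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def in_maintenance(ts):
    return MAINT_START <= ts.time() <= MAINT_END


def hunt_deployments(log_text):
    """Return one finding per PUT /manager/text/deploy request.

    Each finding records the requested context path, whether update=true
    was set, and whether the request fell outside the maintenance window.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if rec["method"] != "PUT" or url.path != "/manager/text/deploy":
            continue
        params = parse_qs(url.query)
        findings.append({
            "time": rec["ts"].isoformat(),
            "src": rec["src"],
            "path": params.get("path", [""])[0],
            "update": params.get("update", [""])[0] == "true",
            "outside_window": not in_maintenance(rec["ts"]),
        })
    return findings


if __name__ == "__main__":
    for f in hunt_deployments(SAMPLE_LOG):
        sev = "HIGH" if f["outside_window"] else "review"
        print(f"[{sev}] {f['time']} {f['src']} deployed {f['path']!r}")
```

Any deployment is worth a look; one from an unexpected source address outside the change window is the high-signal case. Pair each finding with the WAR and Catalina artifacts listed above to confirm what was actually deployed.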

Persistence checks:

  • Diff and integrity-check:
    • /home/kos/kbox/src/installation/distribution/convert_hosts.sh
    • Boot-time execution paths (e.g., rc.local) 1
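A baseline comparison for the boot-time script, as an added example that is not part of the Mandiant/GTIG report or Dell's tooling: it hashes the current script against a known-good copy, lists the lines that were added, and flags any added line that launches an executable from outside a set of expected directories. Both script bodies, the "/var/tmp/.cache/support" path and the trusted-directory list are constructed for illustration; the real known-good content must come from a vendor image or a pre-incident backup.

```python
"""Integrity check for an RP4VM boot-time script such as convert_hosts.sh.

Added example, not from the Mandiant/GTIG report or from Dell. Both script
bodies are CONSTRUCTED stand-ins; a real check compares against a hash and
copy taken from a trusted baseline (vendor image or pre-incident backup).
"""
import difflib
import hashlib
import re

# Constructed baseline (known-good) version of the script.
BASELINE_SCRIPT = """\
#!/bin/bash
# convert hosts entries for the appliance
/usr/bin/python3 /home/kos/kbox/tools/convert_hosts.py
exit 0
"""

# Constructed current version: one line was appended to launch an extra binary.
CURRENT_SCRIPT = """\
#!/bin/bash
# convert hosts entries for the appliance
/usr/bin/python3 /home/kos/kbox/tools/convert_hosts.py
/var/tmp/.cache/support &
exit 0
"""

# Directories a boot script on this appliance is expected to launch from
# (assumption for the example; tune to your own baseline).
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/home/kos/kbox/")

EXEC_RE = re.compile(r"^\s*(\S*/\S+)")


def sha256_text(text):
    return hashlib.sha256(text.encode()).hexdigest()


def added_lines(baseline, current):
    """Lines present in current but absent from baseline (unified diff, no context)."""
    diff = difflib.unified_diff(
        baseline.splitlines(), current.splitlines(), lineterm="", n=0
    )
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def suspicious_exec(line):
    """True if the line launches a path outside TRUSTED_EXEC_DIRS."""
    if line.lstrip().startswith("#"):
        return False  # comments and the shebang are not launches
    m = EXEC_RE.match(line)
    if not m:
        return False
    return not m.group(1).startswith(TRUSTED_EXEC_DIRS)


def check_script(baseline, current):
    """Hash comparison plus a review of every added line."""
    result = {
        "hash_matches": sha256_text(baseline) == sha256_text(current),
        "added": added_lines(baseline, current),
    }
    result["suspicious"] = [l for l in result["added"] if suspicious_exec(l)]
    return result


if __name__ == "__main__":
    r = check_script(BASELINE_SCRIPT, CURRENT_SCRIPT)
    print("hash matches baseline:", r["hash_matches"])
    for l in r["suspicious"]:
        print("suspicious added line:", l)
```

A hash mismatch alone only says the file changed; the added-line review tells you whether the change introduced a new launch path, which is the pattern described for this campaign. Run the same comparison against rc.local and anything it sources.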

Network checks:

  • Alert on outbound WebSocket connections to untrusted IPs from RP4VM appliances 1.
  • If you can log firewall/iptables changes on adjacent management appliances (e.g., vCenter), hunt for SPA-like rule patterns and short-lived allowlists consistent with Mandiant’s description 1.
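The two network checks above, written out as an added example (not code from the Mandiant/GTIG report): the first scans iptables-save style rule lines for the SPA-like combination the report describes (a payload string match on port 443 paired with a time-limited "recent" allowlist or a redirect to another port); the second flags outbound WebSocket connections from an appliance to the published GRIMBOLT C2 address or to any IP outside an internal allowlist. The rule lines, egress log lines, the 10.20.0.0/16 allowlist and the hex string are constructed; only the 149.248.11.71 address comes from the report's IOC table.

```python
"""Network-side checks for RP4VM and adjacent management appliances.

Added example, not from the Mandiant/GTIG report. Rule text and egress
log lines are CONSTRUCTED; the only real indicator is the C2 IP taken
from the report's IOC table.
"""
import ipaddress
import re

# Constructed iptables-save excerpt from a hypothetical management appliance.
# Line 2 gates port 443 on a payload string and records the source in a
# 'recent' list; line 3 redirects that source to another port for 30 seconds.
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m string --algo bm --hex-string "|de ad be ef|" -m recent --name gate --set -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -m recent --name gate --rcheck --seconds 30 -j REDIRECT --to-ports 10443
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

# Constructed egress log lines: <src ip> <dst ip>:<port> <url>
SAMPLE_EGRESS = """\
10.20.0.15 10.20.0.2:443 https://vcenter.corp.example/sdk
10.20.0.15 149.248.11.71:443 wss://149.248.11.71/rest/apisession
10.20.0.15 203.0.113.8:443 wss://203.0.113.8/socket
10.20.0.15 10.20.0.40:443 wss://10.20.0.40/ws
"""

# GRIMBOLT C2 IP as published in the report's IOC table.
KNOWN_C2 = {"149.248.11.71"}
# Destinations the appliance is expected to reach (assumption for the example).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

EGRESS_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+)$")


def spa_like_rules(rules_text):
    """Return rules that combine a payload string match on 443 with a
    'recent' allowlist entry, or a 'recent' time window with a REDIRECT."""
    hits = []
    for line in rules_text.splitlines():
        gated = "-m string" in line and "--dport 443" in line
        timed = "-m recent" in line and ("--seconds" in line or "--set" in line)
        redirected = "-j REDIRECT" in line
        if (gated and timed) or (timed and redirected):
            hits.append(line)
    return hits


def suspicious_websockets(log_text):
    """Flag wss:// connections to known C2 or to IPs outside ALLOWED_NETS.

    Returns (destination ip, reason) tuples in log order.
    """
    flagged = []
    for line in log_text.splitlines():
        m = EGRESS_RE.match(line)
        if not m or not m.group(4).startswith("wss://"):
            continue
        dst = ipaddress.ip_address(m.group(2))
        if str(dst) in KNOWN_C2:
            flagged.append((str(dst), "known GRIMBOLT C2"))
        elif not any(dst in net for net in ALLOWED_NETS):
            flagged.append((str(dst), "WebSocket to non-allowlisted IP"))
    return flagged


if __name__ == "__main__":
    for rule in spa_like_rules(SAMPLE_RULES):
        print("SPA-like rule:", rule)
    for dst, why in suspicious_websockets(SAMPLE_EGRESS):
        print(f"egress alert: {dst} ({why})")
```

The rule check is deliberately feature-based rather than signature-based: the report gives the pattern (string gate on 443, short-lived permit, redirect to 10443) but not the exact rules, and a legitimate port-knocking setup would trip it too, so treat a hit as a prompt to compare against the appliance's change records.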

YARA (as published by GTIG/Mandiant)
Use responsibly and test in a controlled pipeline before production deployment 1.

rule G_APT_BackdoorToehold_GRIMBOLT_1
{
  meta:
    author = "Google Threat Intelligence Group (GTIG)"
  strings:
    $s1 = { 40 00 00 00 41 18 00 00 00 4B 21 20 C2 2C 08 23 02 }
    $s2 = { B3 C3 BB 41 0D ?? ?? ?? 00 81 02 0C ?? ?? ?? 00 }
    $s3 = { 39 08 01 49 30 A0 52 30 00 00 00 DB 40 09 00 02 00 80 65 BC 98 }
    $s4 = { 2F 00 72 00 6F 00 75 00 74 00 65 79 23 E8 03 0E 00 00 00 2F 00 70 00 72 00 6F 00 63 00 2F 00 73 00 65 00 6C 00 66 00 2F 00 65 00 78 00 65 }
  condition:
    (uint32(0) == 0x464c457f) //linux
    and all of ($s*)
}

rule G_Hunting_BackdoorToehold_GRIMBOLT_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "[!] Error : Plexor is nul" ascii wide
        $s2 = "port must within 0~6553" ascii wide
        $s3 = "[*] Disposing.." ascii wide
        $s4 = "[!] Connection error. Kill Pty" ascii wide
        $s5 = "[!] Unkown message type" ascii wide
        $s6 = "[!] Bad dat" ascii wide
    condition:
        (  
            (uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or
            uint32(0) == 0x464c457f or
            uint32(0) == 0xfeedface or
            uint32(0) == 0xcefaedfe or
            uint32(0) == 0xfeedfacf or
            uint32(0) == 0xcffaedfe or
            uint32(0) == 0xcafebabe or
            uint32(0) == 0xbebafeca or
            uint32(0) == 0xcafebabf or
            uint32(0) == 0xbfbafeca
        ) and any of them
}

rule G_APT_BackdoorWebshell_SLAYSTYLE_4
{
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$str1 = "<%@page import=\"java.io" ascii wide
		$str2 = "Base64.getDecoder().decode(c.substring(1)" ascii wide
		$str3 = "{\"/bin/sh\",\"-c\"" ascii wide
		$str4 = "Runtime.getRuntime().exec(" ascii wide
		$str5 = "ByteArrayOutputStream();" ascii wide
		$str6 = ".printStackTrace(" ascii wide
	condition:
		$str1 at 0 and all of them
}

6. Incident Response Guidance

6.1 Containment, Eradication, Recovery

  • Reduce exposure immediately: Restrict RP4VM management interfaces to trusted admin networks; block public access paths where possible 1.
  • Apply Dell remediation guidance: Upgrade and/or mitigation steps depending on supported versions 1.
  • If compromise is suspected: Treat the appliance as untrusted, preserve evidence, and consider rebuilding or restoring from a known-good image. Rotate credentials and re-issue secrets used by the appliance to access backups, vCenter, and adjacent systems 1.
  • Validate VMware and management plane integrity: If RP4VM was compromised, prioritize reviewing connected VMware infrastructure for unauthorized changes consistent with pivot activity described by Mandiant (e.g., unusual vNIC/network port modifications) 1.

6.2 Forensic Artifacts to Collect and Preserve (RP4VM)

High-value sources (per Mandiant/GTIG):

  • /home/kos/auditlog/fapi_cl_audit_log.log (Tomcat Manager audit log; search for /manager) 1
  • /var/lib/tomcat9 (uploaded WARs) 1
  • /var/cache/tomcat9/Catalina (compiled webapp artifacts) 1
  • /var/log/tomcat9/ (Tomcat and Catalina logs; hunt deployWAR events) 1
  • /home/kos/kbox/src/installation/distribution/convert_hosts.sh and boot execution artifacts (e.g., rc.local) 1

6.3 Lessons Learned

  • Appliance ecosystems remain a persistent visibility gap: Ensure central logging, immutable baselines, and change monitoring extend to “utility” systems (backup, DR, network management) 1.
  • Treat VMware-adjacent tools as tier-0 assets: Compromise enables stealthy pivot routes that can bypass typical endpoint-centric controls 1.

7. Threat Intelligence Contextualization

7.1 How This Fits Broader PRC-Nexus Tradecraft Trends

The reported focus on appliance compromise, long dwell time (mid-2024 onward), and stealthy internal pivots aligns with common state-aligned objectives: durable access, low noise, and operational flexibility for intelligence collection. Mandiant’s emphasis on Native AOT in GRIMBOLT also suggests an intent to harden tooling against reverse engineering and signature-based detections 1.

7.2 Full MITRE ATT&CK Mapping (Observed Behaviors)

| Tactic | Technique ID | Technique Name | Observed Behavior |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation path leveraged exposed Tomcat Manager functionality in appliance deployments 1. |
| Persistence | T1505.003 | Server Software Component: Web Shell | SLAYSTYLE web shell delivered via malicious WAR deployment 1. |
| Execution | T1059.004 | Unix Shell | Command execution as root on the appliance following WAR deployment 1. |
| Persistence | T1037.004 | Boot or Logon Initialization Scripts: RC Scripts | convert_hosts.sh modification executed at boot via rc.local 1. |
| Command and Control | T1071 | Application Layer Protocol | GRIMBOLT uses a WebSocket-based C2 endpoint 1. |
| Lateral Movement | T1021 | Remote Services | Report describes lateral movement and pivoting into VMware/adjacent infrastructure (specific mechanisms include Ghost NICs) 1. |
| Defense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | iptables-based SPA/proxying behavior observed on management appliances during investigations 1. |

8. Mitigation Recommendations

8.1 Prioritized Hardening Actions

  • Patch/remediate immediately according to Dell’s advisory guidance (including supported upgrade sequencing) 1.
  • Restrict management access: Enforce allowlists for Tomcat Manager and administrative interfaces; remove direct internet exposure 1.
  • Enable comprehensive logging: Forward RP4VM and VMware management logs to your SIEM; retain sufficient history to cover potential mid-2024 dwell time 1.

9. Historical Context & Related Vulnerabilities

Mandiant frames this campaign as an evolution of previously reported BRICKSTORM espionage activity, now extended with GRIMBOLT and VMware-focused pivoting innovations. The overlap discussion with UNC5221 (“Silk Typhoon” in some public reporting) highlights the ongoing challenge of cluster delineation when infrastructure, tooling, or access methods converge across PRC-aligned operations 1.


10. Future Outlook

Expect UNC6201 (and similar clusters) to continue investing in:

  • Appliance-resident malware optimized for constrained environments (e.g., Native AOT, reduced forensic artifacts) 1.
  • Stealth pivot mechanisms inside virtual networks (e.g., ephemeral ports/interfaces) 1.
  • Traffic gating and covert access controls (SPA-like patterns) to reduce detection and limit exposure 1.
