Chinese Hackers Exploited Dell RecoverPoint Zero-Day Flaw for 18 Months

For the past 18 months, a Chinese cyberespionage group has been exploiting a previously unknown vulnerability in Dell RecoverPoint for Virtual Machines, a disaster recovery product for virtual machines. The flaw, patched by Dell this week, allows unauthenticated attackers to execute commands on the appliance's operating system as root.

The vulnerability, tracked as CVE-2026-22769, stems from hardcoded administrator credentials for the Apache Tomcat Manager, the management application of Apache Tomcat, a web server for Java-based applications. Anyone holding these credentials can deploy malicious WAR (Web Application Archive) files, which Tomcat then runs.

Researchers from Google’s Mandiant team discovered this critical vulnerability while examining several compromised Dell RecoverPoint instances that were sending command-and-control (C2) traffic linked to two backdoors known as BRICKSTORM and GRIMBOLT. These backdoors are utilized by a China-linked advanced persistent threat (APT) group tracked by Mandiant as UNC6201, which is known for targeting VMware-related enterprise infrastructure.

Vulnerability Affects Multiple Versions

Dell RecoverPoint for Virtual Machines serves as a data replication and protection appliance for VMware environments, making it an appealing target for this group. The vulnerability impacts versions 5.3 SP4 P1, 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1. Customers are urged to upgrade to the patched 6.0.3.1 HF1 version, but Dell has also released a remediation script for those unable to upgrade immediately.

Attackers Upgrade from BRICKSTORM to GRIMBOLT

UNC6201’s activities have considerable overlap with another group tracked by Mandiant and Google’s Threat Intelligence Group (GTIG) as UNC5221, known for targeting network-edge appliances using zero-day exploits. Some security firms attribute this activity to the state-sponsored hacker group Silk Typhoon or APT27, though Google believes it to be a different threat actor.

Over the past few years, UNC5221 has compromised networks of US legal services firms, SaaS providers, business process outsourcers, and technology companies. They have deployed the Linux backdoor BRICKSTORM and a web shell called SLAYSTYLE, which has been installed on compromised vCenter deployments.

Both BRICKSTORM and SLAYSTYLE have been detected in the recent Dell RecoverPoint breaches attributed to UNC6201, but the threat actor has also introduced a new backdoor named GRIMBOLT.

According to Mandiant researchers, “GRIMBOLT is a C#-written foothold backdoor compiled using native ahead-of-time (AOT) compilation and packed with UPX. It provides a remote shell capability and uses the same command and control as the previously deployed BRICKSTORM payload.”

Evidence suggests that UNC6201 began exploiting CVE-2026-22769 around mid-2024 to deploy the SLAYSTYLE web shell. However, the transition from BRICKSTORM to GRIMBOLT did not occur until September 2025. It remains unclear whether this change was a strategic decision or a response to BRICKSTORM being exposed by Mandiant and other security firms at that time.

New Pivot Techniques Discovered

The investigation revealed not only the payloads but also new techniques employed by the attackers. For instance, a legitimate shell script called convert_hosts.sh found on these appliances was modified to include the paths of the backdoors, so that they were relaunched and thus persisted.

The SLAYSTYLE web shell, which receives its commands over HTTP, was used to create proxy rules with the Linux iptables utility: incoming traffic on port 443 (HTTPS) that contained a particular hex string was redirected to port 10443 for five minutes.
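A defender-side check for the kind of rule just described, added here as an example (it is not code from the article or from Mandiant): it parses `iptables-save` output and flags REDIRECT rules that are gated on the `string` match module, while ignoring plain port-to-port redirects. The sample ruleset and the hex value in it are constructed placeholders.

```python
import re

# Constructed sample of `iptables-save` output (not the real ruleset). The first
# NAT rule has the shape described above: port 443 redirected to 10443 only when
# the payload contains a given hex string. The hex value is a placeholder.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -m string --hex-string "|de ad be ef|" --algo bm -j REDIRECT --to-ports 10443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*)$")

def parse_rules(text):
    """Yield (table, chain, rule_body) for every '-A' line in iptables-save output."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # '*nat' -> 'nat'
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if m:
            yield table, m.group("chain"), m.group("body")

def find_payload_gated_redirects(text):
    """Return REDIRECT rules that are also gated on the 'string' match module.
    Plain port-to-port redirects (like 80 -> 8080) are not reported."""
    findings = []
    for table, chain, body in parse_rules(text):
        if "-j REDIRECT" not in body or "-m string" not in body:
            continue
        dport = re.search(r"--dport\s+(\d+)", body)
        to_port = re.search(r"--to-ports\s+(\d+)", body)
        pattern = re.search(r'--(?:hex-)?string\s+"([^"]*)"', body)
        findings.append({
            "table": table, "chain": chain,
            "dport": int(dport.group(1)) if dport else None,
            "to_port": int(to_port.group(1)) if to_port else None,
            "pattern": pattern.group(1) if pattern else None,
        })
    return findings
```

On a live appliance, feed the function the output of `iptables-save` and review any finding against the appliance's documented ruleset; a content-gated redirect that nobody can account for is worth treating as a potential proxy hook.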

Another novel technique involved creating temporary network ports on existing virtual machines on VMware ESXi servers to access other services within the environments.

Charles Carmakal, CTO at Mandiant, described this technique on LinkedIn as deploying “ghost NICs on virtual machines to evade defenders.” This strategy caused investigators to chase network activity from IP addresses that were no longer active and had never been documented.

Network-edge appliances have become a common entry point for sophisticated attackers into enterprise networks. These devices are often not covered by logging solutions, lack endpoint malware detection, and contain a wealth of credentials, making them ideal for pivoting to internal services.

Dell advises that RecoverPoint for VMs should be deployed within a trusted, access-controlled network, behind appropriate firewalls and segmentation, rather than on public-facing infrastructure. The Mandiant blog post includes indicators of compromise and YARA detection rules for the new GRIMBOLT and SLAYSTYLE payloads.
