Everyone figured UNC6201 would stick to the usual – phishing edge devices, dropping basic backdoors. Lazy stuff. But no. These PRC-linked pros cracked a perfect 10.0 CVSS zero-day in Dell RecoverPoint for Virtual Machines. CVE-2026-22769. Mid-2024. That’s when the party started.
This changes everything. Lateral movement in virtualized environments? Suddenly trivial. Persistence? Ironclad. And Dell? Still shipping hard-coded admin creds like it’s 1999.
What the Hell is RecoverPoint Anyway?
Dell RecoverPoint. Fancy replication tech for VMs. Keeps your data mirrored across sites. Critical for disaster recovery – or, in this case, hacker playgrounds. UNC6201 spotted the Tomcat Manager flaw. Default creds in tomcat-users.xml. Admin login. Boom – upload malicious WAR, drop SLAYSTYLE webshell, own the box as root.
Mandiant discovered CVE-2026-22769 while investigating multiple Dell RecoverPoint for Virtual Machines within a victim’s environment that had active C2 associated with BRICKSTORM and GRIMBOLT backdoors.
Pathetic. Hard-coded creds? In enterprise gear? Dell, fix your shit.
Short version: Attackers hit /manager/text/deploy. Deploy shell. Escalate. Game over.
And here’s my hot take – this ain’t random. Remember Salt Typhoon’s telecom rampage last year? Same playbook: burrow into infra, ghost around. UNC6201’s just extending it to storage appliances. Prediction: VMware farms get hammered next. Twice as many ghosts by 2026.
BRICKSTORM to GRIMBOLT: The Malware Glow-Up
BRICKSTORM. Old reliable. But September 2025? Poof. Replaced by GRIMBOLT. C# beast, native AOT-compiled. No JIT nonsense. Packs UPX for extra obfuscation. Runs like a dream on starved appliances – no bloat, no metadata for RE tools to chew on.
Why switch? Mandiant poked the bear, maybe. Or evolution. GRIMBOLT hands over a remote shell, same C2 as big bro. Persistence? Hijack convert_hosts.sh, fired at boot via rc.local. Sneaky.
Unlike traditional .NET software that uses just-in-time (JIT) compilation at runtime, Native AOT-compiled binaries, introduced to .NET in 2022, are converted directly to machine-native code during compilation.
Smart. Complicates life for defenders. Static analysis? Good luck.
But let’s call bullshit on the PR spin. Dell’s advisory? Buried in jargon. Customers urged to ‘follow guidance.’ Yeah, no kidding. This was brewing for a year before the patch.
Ghost NICs and iptables Shenanigans
Not content with Dell boxes. UNC6201 pivots to VMware. New tricks: ‘Ghost NICs.’ Fake network interfaces for stealthy hops. iptables for Single Packet Authorization. SPA? Think port-knocking on steroids – only authorized packets slip through.
Overlaps with UNC5221 (Silk Typhoon vibes, but GTIG says nah, separate). Either way, virtual infra’s the new frontier. Edge appliances were table stakes. Now they’re tunneling into your core VMs.
Look. Overlaps scream coordination. PRC nexus doesn’t do solo acts.
This sprawls into a nightmare: Compromise RecoverPoint → webshell → BRICKSTORM/GRIMBOLT → VMware pivot → full domain dom. Detection? Hunt web requests to Tomcat Manager. Anomalous WAR deploys. C2 to known UNC6201 infra.
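One way to run that hunt over Tomcat access logs, as an added example (not Mandiant’s or Dell’s tooling): it assumes the appliance’s Tomcat writes the stock "combined" AccessLogValve pattern, and the sample lines and the admin jump-host allow-list are constructed.

```python
import re
from dataclasses import dataclass

# Tomcat AccessLogValve "combined" pattern: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Manager-app endpoints that deploy a WAR. /manager/text/deploy is the path the
# post names; the other two are the standard Tomcat Manager deploy routes.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/deploy")


@dataclass
class Finding:
    src: str
    user: str
    time: str
    reason: str


def hunt(lines, allowed_admin_sources=frozenset()):
    """Return one Finding per suspicious Manager request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path, status, src = m["path"].split("?")[0], m["status"], m["src"]
        if not path.startswith("/manager/"):
            continue
        if path in DEPLOY_PATHS or (m["method"] == "PUT" and path.endswith(".war")):
            reason = "WAR deploy via Manager (HTTP %s)" % status
        elif status == "200" and src not in allowed_admin_sources:
            reason = "Manager access from non-admin source"
        else:
            continue  # allow-listed admin traffic, or a request Tomcat rejected
        findings.append(Finding(src, m["user"], m["time"], reason))
    return findings


# Constructed sample lines (not real victim data): a legitimate admin login from the
# jump host, then a deploy of a new context from an address nobody recognises.
SAMPLE = [
    '10.0.0.5 - admin [03/Jul/2024:10:01:02 +0000] "GET /manager/html HTTP/1.1" 200 8123',
    '198.51.100.7 - admin [03/Jul/2024:10:02:45 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 61',
]
```

Feed it the whole access log and every deploy surfaces regardless of source; the allow-list only quiets routine Manager logins from hosts you already trust.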
Why Does Dell Get a Pass?
Hard-coded creds. In 2024? Come on. Tomcat Manager wide open. Admin username, guessable password. It’s like leaving your safe ajar with the combo taped inside.
Dell patched it. Good. But urgency? Lacking. Mandiant and GTIG handed this on a platter after IR gigs. Exploitation since mid-2024. Victims? Probably critical sectors – finance, gov, you name it.
My insight: This mirrors Shadow Brokers’ EternalBlue drop. Zero-days in trusted vendors erode trust fast. Dell’s rep takes a hit; enterprises rethink RecoverPoint. Shift to air-gapped replicas? Maybe.
Hardening tips – cuz Mandiant’s got ‘em. Disable Tomcat Manager if unused. Rotate creds yesterday. Monitor boot scripts. YARA for GRIMBOLT artifacts.
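An added audit of tomcat-users.xml for the first two tips (Manager app still enabled, default-style creds), not Dell’s or Mandiant’s code: it assumes nothing about the actual credentials Dell shipped, which the post does not print, so the sample file and the weak-password list are constructed.

```python
import xml.etree.ElementTree as ET

# Real Tomcat Manager role names; any account holding one can deploy a WAR.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
# Constructed weak list for the demo, not the credential Dell shipped.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "changeme"}
TOMCAT_NS = "{http://tomcat.apache.org/xml}"


def audit(xml_text):
    """Return (username, issue) tuples for every account worth acting on."""
    root = ET.fromstring(xml_text)
    issues = []
    # Newer tomcat-users.xml files declare the Tomcat namespace; older ones do not.
    users = root.findall("user") + root.findall(TOMCAT_NS + "user")
    for u in users:
        name = u.get("username") or u.get("name") or "?"
        pw = u.get("password") or ""
        roles = {r.strip() for r in (u.get("roles") or "").split(",") if r.strip()}
        held = sorted(roles & MANAGER_ROLES)
        if held:
            issues.append((name, "holds Manager role(s): " + ",".join(held)))
        # Digested passwords never equal the username or a dictionary word, so
        # these two checks only fire on plaintext credentials.
        if pw and pw.lower() == name.lower():
            issues.append((name, "password equals username"))
        elif pw.lower() in WEAK_PASSWORDS:
            issues.append((name, "weak/default password"))
    return issues


# Constructed sample file: one default-style admin with Manager rights, one
# service account with a digested password and no Manager role.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script"/>
  <user username="svc" password="DIGEST-PLACEHOLDER" roles="ops"/>
</tomcat-users>"""
```

An empty result means no account can reach the Manager app and nothing obviously default is left in the file; any Manager-role hit on a box that does not need the app is the cue to remove the role or the webapp.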
But here’s the dry humor: If your RecoverPoint’s still default-config, congrats – you’re patient zero for the sequel.
Is Your VMware Setup Next?
Yes. Mandiant saw continued VMware hits. CrowdStrike and CISA echo it. New TTPs confirm it. Ghost NICs? Genius for evasion. iptables SPA blocks scanners cold.
Question everyone’s expecting: UNC6201 vs. UNC5221? GTIG splits hairs, but TTPs scream family reunion. PRC’s got layers.
Bold call – expect GRIMBOLT variants in Hyper-V, Nutanix next. Virtualization’s the soft underbelly. Patch stacks or pray.
Actionable? IOCs in the Mandiant post. C2 domains. Hashes. Hunt ‘em.
Victims scrambling. IR firms billing hours. Dell issuing urgent advisories. Theater.
Frequently Asked Questions
What is CVE-2026-22769?
Zero-day in Dell RecoverPoint for VMs. CVSS 10.0. Allows root via Tomcat Manager creds. Exploited mid-2024.
How does GRIMBOLT differ from BRICKSTORM?
GRIMBOLT’s C# AOT-compiled, UPX-packed. Faster, stealthier on appliances. Same C2, remote shell. Persistence via boot scripts.
Is Dell RecoverPoint safe after the patch?
Patched, yes. But check configs – no defaults. Monitor for ghosts. VMware pivots still a risk.