Executive Summary

On February 18, 2026, Mandiant and Google Threat Intelligence Group (GTIG) disclosed a long-running cyberespionage campaign by a suspected China-nexus threat actor tracked as UNC6201. The actor has been exploiting a critical zero-day vulnerability, CVE-2026-22769, in Dell RecoverPoint for Virtual Machines since at least mid-2024. This vulnerability, which involves hard-coded credentials, allows unauthenticated remote attackers to gain root-level access to affected appliances. The primary objective of the campaign appears to be espionage, focusing on gaining persistent access to VMware environments. The actor deployed a novel backdoor named GRIMBOLT for long-term access and data exfiltration. Dell has issued a patch, and organizations using the affected product are urged to apply it immediately due to active in-the-wild exploitation.

Vulnerability Details

CVE-2026-22769 is a critical vulnerability in Dell RecoverPoint for Virtual Machines versions prior to 6.0. The flaw, rated with a CVSS score of 10.0, is due to hard-coded credentials for the admin user. These credentials are stored in the /home/kos/tomcat9/tomcat-users.xml file on the appliance's underlying operating system.

An unauthenticated remote attacker with knowledge of these default credentials can authenticate to the Apache Tomcat Manager service running on the appliance. This allows the attacker to upload malicious Web Application Archive (.war) files, effectively achieving remote code execution with root privileges. The ease of exploitation and the high level of access granted make this a particularly dangerous vulnerability.

Threat Overview

The threat actor UNC6201 has demonstrated sophistication and patience, operating undetected for a significant period. The attack chain is as follows:

1. Initial Access: The actor scans for and identifies vulnerable Dell RecoverPoint appliances exposed to the internet or accessible from a compromised network segment.
2. Exploitation: Using the hard-coded credentials, the actor authenticates to the Tomcat Manager interface.
3. Payload Delivery: A malicious .war file containing a Java-based web shell, named SLAYSTYLE, is uploaded and deployed.
4. Command and Control: The SLAYSTYLE web shell provides the actor with the ability to execute arbitrary commands on the system as the root user.
5. Persistence and Lateral Movement: The actor uses this initial foothold to install more persistent backdoors. Initially, a backdoor known as BRICKSTORM was used. Starting in September 2025, UNC6201 began deploying a new, more advanced backdoor named GRIMBOLT.

GRIMBOLT is a C# backdoor compiled using Native Ahead-of-Time (AOT) and packed with UPX, making it difficult to analyze. To ensure persistence, the actor modifies the /home/kos/kbox/src/installation/distribution/convert_hosts.sh script, a legitimate system script that executes on boot.

Researchers have noted overlaps between UNC6201 and another China-linked group, UNC5221 (also known as Silk Typhoon), which has also been observed using the BRICKSTORM malware.

Technical Analysis

MITRE ATT&CK TTPs

• T1190 - Exploit Public-Facing Application: Exploitation of the vulnerability in the internet-facing Dell RecoverPoint appliance.
• T1078.001 - Default Accounts: Use of hard-coded credentials for the 'admin' user to gain initial access.
• T1105 - Ingress Tool Transfer: Uploading the malicious SLAYSTYLE .war file to the Tomcat server.
• T1505.003 - Server Software Component: Web Shell: The SLAYSTYLE malware functions as a web shell for command execution.
• T1037.004 - RC Scripts: The actor modified the convert_hosts.sh boot script to establish persistence for the GRIMBOLT backdoor.
• T1027 - Obfuscated Files or Information: The GRIMBOLT backdoor was packed with UPX to evade detection and hinder analysis.
• T1059.004 - Command and Scripting Interpreter: Unix Shell: Execution of commands via the web shell and modification of shell scripts for persistence.

Impact Assessment

The exploitation of CVE-2026-22769 poses a severe risk to organizations. Dell RecoverPoint is a critical component of disaster recovery and business continuity strategies. A compromise of this system can lead to:

• Complete System Takeover: Attackers gain root access, allowing them to control the entire appliance.
• Espionage and Data Theft: The primary motive of UNC6201 is espionage. Attackers can exfiltrate sensitive data stored within backups or use the compromised appliance as a pivot point to move laterally into the broader VMware virtualized environment.
• Ransomware and Sabotage: While this campaign is focused on espionage, a compromised recovery appliance could be used by other actors to delete or encrypt backups, rendering an organization unable to recover from a ransomware attack or other catastrophic failure.
• Supply Chain Risk: As the appliance manages backups for virtual machines, the compromise could potentially extend to the integrity of VM snapshots and replicated data.

Cyber Observables for Detection

Security teams should hunt for the following indicators:

Detection & Response

• Log Analysis: Review Tomcat access logs (localhost_access_log.txt) and manager logs (manager.*.log) for successful authentications to the /manager/html interface from unexpected IP ranges. Look for PUT requests for .war files.
• File Integrity Monitoring (FIM): Implement FIM on critical system scripts, particularly /home/kos/kbox/src/installation/distribution/convert_hosts.sh, to detect unauthorized modifications.
• Network Monitoring: Monitor all network traffic to and from Dell RecoverPoint appliances. Since these are typically internal-facing, any direct communication with external IP addresses should be considered highly suspicious and investigated immediately. Reference D3FEND technique D3-NTA - Network Traffic Analysis.
• Endpoint Detection and Response (EDR): If possible, deploy EDR agents on the underlying OS of the appliance to monitor for suspicious process execution, such as a java process spawning a shell.

Mitigation

• Patch Immediately: The most critical action is to apply the security update provided by Dell to remediate CVE-2026-22769. D3FEND refers to this as D3-SU - Software Update.
• Network Segmentation: Restrict network access to the Dell RecoverPoint management interface. It should only be accessible from a dedicated management subnet or specific trusted administrative hosts. Do not expose this interface to the internet. This aligns with D3FEND's D3-NI - Network Isolation.
• Credential Management: Audit all infrastructure appliances for default or hard-coded credentials. Implement policies to change default passwords upon deployment. This is a form of D3FEND's D3-ACH - Application Configuration Hardening.
• Assume Compromise: Given the long duration of this campaign, organizations with vulnerable, internet-exposed appliances should assume they are compromised and initiate incident response procedures, including hunting for the GRIMBOLT and SLAYSTYLE malware.