Ethical Hacking News
The GRIMBOLT and BRICKSTORM backdoors represent a sophisticated threat to organizations utilizing Dell RecoverPoint for Virtual Machines. These backdoors have been instrumental in breaching secure networks, and their deployment highlights the ongoing evolution of threat TTPs.
The GRIMBOLT and BRICKSTORM backdoors have been used to breach Dell RecoverPoint for Virtual Machines. The intrusions exploited CVE-2026-22769 and deployed malicious WAR files containing SLAYSTYLE web shells. The threat landscape continues to evolve, emphasizing the importance of proactive security measures.
The threat landscape has witnessed an evolution in the sophisticated tactics, techniques, and procedures (TTPs) employed by adversaries to compromise critical infrastructure. Recent investigations conducted by Mandiant have shed light on the notorious GRIMBOLT and BRICKSTORM backdoors, which have been instrumental in breaching secure networks, including Dell RecoverPoint for Virtual Machines.
The GRIMBOLT backdoor, first introduced in 2022, is a foothold written in C# and built with native ahead-of-time (AOT) compilation rather than run as a traditional .NET assembly. This improves performance on resource-constrained appliances and complicates static analysis, because the common intermediate language (CIL) metadata normally present in C# samples is absent from the compiled binary.
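The practical consequence for triage is that a native AOT build looks like any other native executable: the optional header's CLR runtime directory (data directory 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) that a conventional C# build populates is simply not there, so tooling that identifies .NET samples by that entry reports nothing. The check below is an added example written for this article, not code from Mandiant, Dell or the report; it parses just enough of the PE header to read that directory entry, and the two PE images it tests against are constructed in memory rather than taken from any real sample.

```python
"""Check whether a PE file carries a CLR (.NET) metadata header.

Added illustration, not code from the report. A conventional C# build writes
a CLR runtime header and points data directory 14 at it; a native AOT build
leaves that entry empty, so this check returns False and the sample should be
handled as native code (disassembly rather than CIL decompilation).
The test images built by build_minimal_pe() are constructed header-only PEs.
"""
from struct import pack_into, unpack_from

COM_DESCRIPTOR_INDEX = 14                 # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def has_clr_header(data: bytes) -> bool:
    """Return True if the PE image declares a non-empty CLR runtime header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                                    # optional header start
    (magic,) = unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96                   # PE32 layout
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112                 # PE32+ layout
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = unpack_from("<I", data, opt + count_off)   # NumberOfRvaAndSizes
    if n_dirs <= COM_DESCRIPTOR_INDEX:
        return False                                   # directory not even present
    va, size = unpack_from("<II", data, opt + dirs_off + COM_DESCRIPTOR_INDEX * 8)
    return va != 0 and size != 0


def classify(data: bytes) -> str:
    """Human-readable triage verdict for the sample."""
    if has_clr_header(data):
        return "managed .NET (CIL metadata present)"
    return "native code (no CLR header; treat as a native sample)"


def build_minimal_pe(with_clr: bool, pe32plus: bool = True) -> bytes:
    """Construct a header-only PE image for testing (constructed sample, not malware)."""
    dirs_off = 112 if pe32plus else 96
    opt_size = dirs_off + 16 * 8                       # 16 data directories
    img = bytearray(64 + 4 + 20 + opt_size)
    img[:2] = b"MZ"
    pack_into("<I", img, 0x3C, 64)                     # e_lfanew -> PE header at 64
    img[64:68] = b"PE\0\0"
    pack_into("<H", img, 64 + 4 + 16, opt_size)        # SizeOfOptionalHeader
    opt = 64 + 4 + 20
    pack_into("<H", img, opt, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    pack_into("<I", img, opt + (108 if pe32plus else 92), 16)   # NumberOfRvaAndSizes
    if with_clr:
        # Arbitrary constructed RVA/size for the CLR header entry.
        pack_into("<II", img, opt + dirs_off + COM_DESCRIPTOR_INDEX * 8, 0x2008, 0x48)
    return bytes(img)


if __name__ == "__main__":
    for label, sample in [("managed build", build_minimal_pe(True)),
                          ("AOT-style build", build_minimal_pe(False))]:
        print(f"{label}: {classify(sample)}")
```

Run against a real file by passing `open(path, "rb").read()` to `classify()`; a False result on a binary that the surrounding evidence says came from C# tooling is the AOT case the article describes, and the sample should go to native-code analysis rather than a CIL decompiler.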
In contrast, the BRICKSTORM backdoor is an older payload that has been replaced by GRIMBOLT in some cases. Both backdoors have been observed in conjunction with a malicious WAR file containing a SLAYSTYLE web shell, which provides a remote shell capability and enables threat actors to pivot between internal networks and software-as-a-service (SaaS) infrastructures.
Exploitation of CVE-2026-22769 in Dell RecoverPoint for Virtual Machines has enabled the deployment of these backdoors. Using default credentials for the admin user, threat actors authenticate to the Tomcat Manager, upload malicious WAR files, and execute commands as root on the appliance.
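On an appliance where nobody should be deploying web applications, the Tomcat Manager deploy endpoints are a narrow and high-value thing to watch in the access log. The script below is an added example for this article, not code from Mandiant, Dell or the report; it parses lines in Tomcat's default access-log pattern (`%h %l %u %t "%r" %s %b`) and flags every request to the Manager's two WAR-installation endpoints, `PUT /manager/text/deploy` and `POST /manager/html/upload`. The log lines are constructed for the example; the addresses, times and application name in them are invented.

```python
"""Flag Tomcat Manager WAR deployments in access-log lines.

Added example, not the report's code. Any request to a Manager deploy
endpoint on a backup appliance is worth an alert; a 2xx response means the
application was actually installed, and the authenticated user (here the
default admin account the article describes) tells you which credential was
used. SAMPLE_LOG is constructed input in Tomcat's default log pattern.
"""
import re
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager endpoints that install a new web application from a WAR file.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")

# Constructed sample: an unauthenticated probe, an admin login, two
# deployments, a request to the newly deployed application, and noise.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Feb/2026:19:31:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - admin [17/Feb/2026:19:31:09 +0000] "GET /manager/html HTTP/1.1" 200 18722
10.0.0.5 - admin [17/Feb/2026:19:31:40 +0000] "PUT /manager/text/deploy?path=/rp HTTP/1.1" 200 54
10.0.0.7 - admin [17/Feb/2026:19:32:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=abc HTTP/1.1" 200 19013
10.0.0.9 - - [17/Feb/2026:19:33:00 +0000] "GET /rp/index.jsp HTTP/1.1" 200 312
192.0.2.4 - - [17/Feb/2026:19:35:12 +0000] "GET /static/logo.png HTTP/1.1" 200 8844
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one access-log line into its named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed access-log line: {line!r}")
    return m.groupdict()


def find_deployments(log_text: str) -> List[dict]:
    """Return one finding per request that hits a Manager deploy endpoint."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        path = rec["path"].split("?", 1)[0]            # drop the query string
        if rec["method"] in ("PUT", "POST") and path in DEPLOY_PATHS:
            findings.append({
                "host": rec["host"],
                "user": rec["user"],
                "time": rec["time"],
                "endpoint": path,
                "status": rec["status"],
                "succeeded": rec["status"].startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for f in find_deployments(SAMPLE_LOG):
        verdict = "DEPLOYED" if f["succeeded"] else "attempt"
        print(f"{f['time']} {f['host']} user={f['user']} {f['endpoint']} "
              f"status={f['status']} {verdict}")
```

A finding whose user is the appliance's default admin account, from an address that is not a known administration host, is the scenario the article describes; the follow-up is to check the Manager's deployed applications against the expected list and to rotate that credential.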
Mandiant also found that the threat actor created temporary network ports on existing virtual machines running on an ESXi server. These ports enabled pivoting into internal and SaaS infrastructure, allowing the adversary to persist in the environment.
The authors of this investigation credit Dell for its collaboration against this threat. The work was also made possible through the assistance of Google Threat Intelligence Group, Mandiant Consulting, and FLARE, particularly Jakub Jozwiak and Allan Sepillo from GTIG Research and Discovery (RAD).
In conclusion, the GRIMBOLT and BRICKSTORM backdoors represent a significant threat to organizations utilizing Dell RecoverPoint for Virtual Machines. The exploitation of CVE-2026-22769 and the deployment of malicious WAR files underscore the sophistication of these attacks.
The continued evolution of TTPs by adversaries underscores the importance of staying vigilant and proactive in mitigating such threats. This may involve regular security audits, patch management, and the implementation of advanced threat detection systems.
Summary:
Mandiant has discovered a sophisticated backdoor, GRIMBOLT, which has been used to breach Dell RecoverPoint for Virtual Machines alongside its predecessor BRICKSTORM. Exploitation of CVE-2026-22769 enabled the deployment of these backdoors and of malicious WAR files containing SLAYSTYLE web shells. The threat landscape continues to evolve, emphasizing the importance of proactive security measures.
Related Information:
https://www.ethicalhackingnews.com/articles/Ancient-Deception-The-Evolution-of-GRIMBOLT-and-BRICKSTORM-Backdoors-ehn.shtml
https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/
https://cyberscoop.com/china-brickstorm-grimbolt-dell-zero-day/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
https://cyberflorida.org/big-ip-integrity-vulnerability-threat-report-2/
Published: Tue Feb 17 19:39:55 2026 by llama3.2 3B Q4_K_M