Ethical Hacking News
A suspected China-linked APT group has weaponized a critical zero-day vulnerability in Dell RecoverPoint since mid-2024, exploiting it to move laterally, maintain persistence, and deploy malware including SLAYSTYLE, BRICKSTORM, and GRIMBOLT. Organizations are urged to apply Dell's recommended remediation measures to address the hardcoded credential vulnerability in their systems.
A suspected Chinese state-linked group, UNC6201, weaponized a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines starting from mid-2024. The exploit takes advantage of a hardcoded credential vulnerability in Dell RecoverPoint prior to version 6.0.3.1 HF1, allowing unauthorized access and persistent exploitation. UNC6201 has been observed utilizing advanced tactics, including stealthy VMware pivoting and malware deployment, with tools like SLAYSTYLE and BRICKSTORM. The group replaced BRICKSTORM with a novel backdoor, GRIMBOLT, which offers remote shell access and reuses previously deployed command-and-control channels. Organizations are advised to prioritize prompt remediation measures for Dell RecoverPoint systems to address the hardcoded credential vulnerability and mitigate potential attacks.
A recent revelation by Mandiant and Google's Threat Intelligence Group (GTIG) sheds light on the ingenious tactics employed by a suspected Chinese state-linked group, known as UNC6201, which weaponized a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines starting from mid-2024. This vulnerability, tracked as CVE-2026-22769, has garnered significant attention due to its severity and potential impact on the security posture of various organizations worldwide.
The exploit, attributed to this China-nexus group, takes advantage of a hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines prior to version 6.0.3.1 HF1. This flaw allows an unauthenticated remote attacker with knowledge of the hardcoded credential to gain unauthorized access to the underlying operating system and maintain persistent access. The vulnerability carries a CVSSv3.1 score of 10.0, the maximum on the scale, reflecting its critical severity.
The China-linked APT group, identified as UNC6201, has been observed using advanced tactics in its attacks, including stealthy VMware pivoting via "Ghost NICs" and Single Packet Authorization with iptables. It has also deployed malware such as SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT. The latter provides remote shell access and reuses the command-and-control channels of the previously deployed BRICKSTORM payload.
Mandiant researchers discovered that the attackers replaced BRICKSTORM with GRIMBOLT in September 2025. GRIMBOLT is compiled using Native AOT and packed with UPX; it offers a remote shell capability and has been used by the threat actor to maintain persistence in compromised Dell RecoverPoint systems.
The attackers ensured persistence by modifying a legitimate startup script so that the GRIMBOLT backdoor runs automatically at boot. During investigations into compromised Dell RecoverPoint appliances, Mandiant uncovered CVE-2026-22769 after spotting Tomcat Manager access using hardcoded admin credentials. Attackers uploaded a malicious WAR file containing the SLAYSTYLE web shell, gaining root command execution as early as mid-2024.
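As an added illustration (not part of the article or of Mandiant's reporting), the following Python snippet flags the kind of Tomcat Manager activity described above, a successful Manager login followed by a WAR deployment, in an access log written in Tomcat's default `AccessLogValve` pattern. The log lines, the admin-host allowlist and the severity labels are constructed assumptions for the example.

```python
import re

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that push an application (a WAR) onto the server:
# the HTML GUI upload form and the text/scripting interface.
DEPLOY_PATHS = frozenset({"/manager/html/upload", "/manager/text/deploy"})

# Constructed sample log: an unknown host authenticates to the Manager,
# uploads a WAR, and an allowlisted admin host deploys one via the text API.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2024:03:14:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - admin [12/Jun/2024:03:14:09 +0000] "GET /manager/html HTTP/1.1" 200 15320
10.0.0.5 - admin [12/Jun/2024:03:14:21 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 16900
10.0.0.8 - - [12/Jun/2024:08:01:00 +0000] "GET /index.html HTTP/1.1" 200 1102
10.0.0.9 - admin [12/Jun/2024:09:00:00 +0000] "PUT /manager/text/deploy?path=/ops&update=true HTTP/1.1" 200 48
"""

# Hypothetical allowlist of hosts expected to administer Tomcat.
ADMIN_HOSTS = frozenset({"10.0.0.9"})


def detect_manager_activity(log_text, admin_hosts=ADMIN_HOSTS):
    """Return (timestamp, ip, user, path, severity, reason) for suspicious
    Manager use. Only successful (HTTP 200) requests are considered; failed
    attempts are left to brute-force counting, which this example omits."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/manager"):
            continue
        if int(m["status"]) != 200:
            continue
        path = m["path"].split("?", 1)[0]  # drop query string before matching
        ip, user, ts = m["ip"], m["user"], m["ts"]
        if path in DEPLOY_PATHS:
            # Any deployment is notable; from a non-admin host it is high.
            sev = "medium" if ip in admin_hosts else "high"
            findings.append((ts, ip, user, path, sev, "application deployed via Manager"))
        elif ip not in admin_hosts:
            findings.append((ts, ip, user, path, "low", "Manager login from non-admin host"))
    return findings


if __name__ == "__main__":
    for f in detect_manager_activity(SAMPLE_LOG):
        print(f)
```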
The group also expanded into VMware environments, creating "Ghost NICs" for stealthy lateral movement and using iptables-based Single Packet Authorization to covertly redirect and control traffic on vCenter appliances. Google has also released Indicators of Compromise (IOCs) and YARA rules for this campaign.
In light of this emerging threat landscape, organizations are advised to prioritize the prompt application of Dell's recommended remediation measures to address the hardcoded credential vulnerability in their Dell RecoverPoint systems. This proactive measure will help mitigate the risk of unauthorized access and ensure that critical data remains protected from potential attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Unveiling-a-Sophisticated-Phishing-Campaign-The-China-Linked-APT-Exploitation-of-Dell-RecoverPoint-Zero-Day-Vulnerability-ehn.shtml
https://securityaffairs.com/188176/apt/china-linked-apt-weaponized-dell-recoverpoint-zero-day-since-2024.html
https://explainitagain.wixsite.com/explain-it-again/post/apt-exploits-dell-recoverpoint-zero-day-since-2024
https://nvd.nist.gov/vuln/detail/CVE-2026-22769
https://www.cvedetails.com/cve/CVE-2026-22769/
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
https://security.googlecloudcommunity.com/security-validation-5/vhr20250917-september-17-2025-5871
https://www.cisa.gov/news-events/alerts/2025/12/19/cisa-and-partners-release-update-malware-analysis-report-brickstorm-backdoor
https://www.securityweek.com/dell-recoverpoint-zero-day-exploited-by-chinese-cyberespionage-group/
https://www.secpod.com/blog/backdoor-in-backup-unc6201-exploits-recoverpoint-zero-day-to-deploy-grimbolt/
https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
https://www.csoonline.com/article/4134158/chinese-hackers-exploited-zero-day-dell-recoverpoint-flaw-for-1-5-years.html
Published: Thu Feb 19 01:14:41 2026 by llama3.2 3B Q4_K_M