
CVE-2026-22769: UNC6201 Exploiting Dell RecoverPoint Zero-Day

Red | Attack Report

Summary

The China-nexus threat cluster UNC6201 has been exploiting a critical zero-day in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) since mid-2024. The flaw gives unauthenticated, root-level access to these trusted infrastructure appliances through hard-coded default credentials in the embedded Apache Tomcat Manager component. UNC6201 shows significant overlaps with UNC5221 (also identified as Silk Typhoon), and this activity is assessed to be part of a broader PRC-aligned intelligence collection campaign against government agencies and critical U.S. infrastructure networks.

The intrusions went undetected for over a year, which points to serious monitoring gaps around internal infrastructure appliances. UNC6201 deployed several malware families, including SLAYSTYLE, BRICKSTORM, and the newly identified GRIMBOLT backdoor, showing sustained capability development and stealth-focused tradecraft. CVE-2026-22769 carries the maximum CVSS score of 10.0, and organizations running Dell RecoverPoint for Virtual Machines should patch urgently.

Attack Details

Initial Exploitation of Dell RecoverPoint Zero-Day

UNC6201 has exploited CVE-2026-22769 in Dell RecoverPoint for Virtual Machines since at least mid-2024. The vulnerability stems from hard-coded default credentials for the administrative account of the embedded Apache Tomcat Manager component, so a remote attacker needs no legitimate credentials to authenticate. Successful exploitation lets the attacker upload malicious payloads and execute commands as root on the appliance, which typically sits in trusted and sensitive network segments.

CVE-2026-22769 gave UNC6201 a powerful initial access vector into infrastructure that is normally reserved for disaster recovery and data protection. The activity targeted Linux and VMware ESXi/vCenter platforms running Dell RecoverPoint for Virtual Machines worldwide.

Malware Deployment and Persistence Mechanisms

Following initial Dell RecoverPoint compromise, UNC6201 deployed the SLAYSTYLE Java web shell to establish persistence and facilitate additional payload delivery. The SLAYSTYLE web shell enabled the UNC6201 threat actor to maintain persistent access to compromised Dell RecoverPoint appliances and execute commands remotely. Earlier Dell RecoverPoint intrusions by UNC6201 leveraged the BRICKSTORM backdoor, while more recent CVE-2026-22769 exploitation activity introduced GRIMBOLT, a sophisticated backdoor written in C# and compiled using Native AOT to remove intermediate language metadata.

GRIMBOLT represents an evolution in UNC6201 malware capabilities, featuring UPX packing and WebSocket-based command-and-control communications. The GRIMBOLT backdoor communicates with the same command-and-control infrastructure used by BRICKSTORM, indicating sustained operational investment in the Dell RecoverPoint zero-day campaign. UNC6201 modified the legitimate boot-time script convert_hosts.sh, executed via rc.local, to ensure malware execution upon Dell RecoverPoint appliance reboot, demonstrating disciplined persistence tradecraft.

Lateral Movement and Stealth Techniques

UNC6201 demonstrated advanced lateral movement capabilities following Dell RecoverPoint exploitation. The threat actor created temporary virtual network adapters, referred to as “Ghost NICs,” on existing virtual machines running on ESXi hosts to pivot into internal networks and SaaS environments while minimizing forensic artifacts. This Ghost NIC technique enabled UNC6201 to move laterally from compromised Dell RecoverPoint appliances into broader virtualized infrastructure without triggering conventional network monitoring controls.

On compromised vCenter appliances, UNC6201 implemented iptables-based single packet authorization to restrict GRIMBOLT backdoor access on port 10443 to pre-authenticated source IP addresses within limited time windows. This advanced evasion technique effectively prevented scanning and network monitoring systems from detecting the Dell RecoverPoint backdoor, contributing to the campaign’s extended undetected operation period. The CVE-2026-22769 exploitation campaign demonstrates UNC6201’s sophisticated understanding of VMware infrastructure and Dell RecoverPoint environments.

Threat Actor Attribution and Intelligence Assessment

UNC6201 shows notable overlaps with UNC5221 (also reported as Silk Typhoon), a threat cluster previously linked to campaigns targeting government agencies with custom malware and known for embedding within critical U.S. infrastructure networks. While the clusters are not currently assessed as identical, the similarities in Dell RecoverPoint targeting, malware deployment, and stealth tradecraft suggest potential coordination or shared resources within PRC-aligned cyber operations.

The sustained Dell RecoverPoint zero-day exploitation effort by UNC6201 reflects characteristics of state-sponsored intelligence collection operations, including patient long-term access maintenance, development of custom malware like GRIMBOLT, and targeting of trusted infrastructure appliances that provide access to sensitive data and critical systems. The CVE-2026-22769 campaign aligns with broader patterns of PRC-aligned threat actor activity focused on establishing persistent access to strategic infrastructure for intelligence gathering purposes.

Recommendations

Immediate Dell RecoverPoint Patching and Credential Management

Organizations must immediately apply the Dell security remediation for CVE-2026-22769 available in Dell Security Advisory DSA-2026-079. All Dell RecoverPoint for Virtual Machines deployments should be patched urgently to address the hard-coded credential vulnerability in the Apache Tomcat Manager component. Change all default and hard-coded credentials on Dell RecoverPoint appliances, disable or strictly restrict access to the Tomcat Manager interface, and verify that appliances are running the latest supported Dell RecoverPoint firmware version.

The CVE-2026-22769 vulnerability represents a critical security risk with maximum CVSS 10.0 severity, and organizations should prioritize Dell RecoverPoint patching as an emergency security measure. Review Dell RecoverPoint deployment configurations to ensure management interfaces are not exposed to broad network segments and implement multi-factor authentication where supported.

Comprehensive Forensic Investigation of Dell RecoverPoint Deployments

Conduct thorough forensic reviews of all Dell RecoverPoint for Virtual Machines instances to identify signs of UNC6201 compromise. Inspect Dell RecoverPoint Tomcat Manager audit logs located at /home/kos/auditlog/fapi_cl_audit_log.log for unauthorized deployment requests or suspicious access patterns. Check for unexpected WAR files in /var/lib/tomcat9 and compiled artifacts in /var/cache/tomcat9/Catalina that may indicate SLAYSTYLE web shell deployment.

Verify the integrity of /home/kos/kbox/src/installation/distribution/convert_hosts.sh for unauthorized modifications that could indicate persistence mechanism installation by UNC6201. Examine /home/kos/tomcat9/tomcat-users.xml for evidence of credential tampering. Organizations should assume Dell RecoverPoint compromise if any indicators are found and initiate incident response procedures, including isolation of affected appliances and comprehensive threat hunting across related infrastructure.
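The checks above can be scripted against a mounted or copied snapshot of the appliance filesystem. The following is an added example written for this advisory, not code from Dell, Google or HivePro. It hashes every file against the advisory's IOC list, flags WAR files and compiled-JSP contexts that are not on an operator-supplied allow-list (the context names used here are constructed placeholders, not real RecoverPoint application names), and lists every account in tomcat-users.xml that holds a Tomcat Manager role. The sample snapshot it builds is constructed for demonstration.

```python
"""Offline triage of a Dell RecoverPoint appliance filesystem snapshot (added example)."""
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# SHA-256 hashes from the advisory's IOC list
IOC_HASHES = {
    "24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c",
    "dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591",
    "92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a",
    "aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878",
    "2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df",
    "320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759",
    "90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035",
    "45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830",
}

# Paths named in the advisory, relative to the snapshot root
TOMCAT_USERS = Path("home/kos/tomcat9/tomcat-users.xml")
WEBAPPS_DIR = Path("var/lib/tomcat9")
CATALINA_CACHE = Path("var/cache/tomcat9/Catalina")

# Web application contexts expected on a clean appliance: CONSTRUCTED placeholder
# names, to be replaced with the operator's own baseline.
EXPECTED_CONTEXTS = frozenset({"ROOT", "appliance-ui"})

# Tomcat roles that grant deployment or management rights through the Manager app
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root: Path, expected_contexts: frozenset) -> list:
    """Return (check, path, detail) tuples for everything that needs a human look."""
    root = Path(root)
    findings = []

    # 1. Hash every regular file and compare with the published IOC hashes.
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            h = sha256_file(p)
            if h in IOC_HASHES:
                findings.append(("ioc_hash_match", str(p.relative_to(root)), h))

    # 2. WAR files in the deployment directory whose context is not expected
    #    (a Manager-deployed web shell arrives as a WAR).
    webapps = root / WEBAPPS_DIR
    if webapps.is_dir():
        for war in webapps.rglob("*.war"):
            if war.stem not in expected_contexts:
                findings.append(("unexpected_war", str(war.relative_to(root)), war.stem))

    # 3. Tomcat compiles JSPs under <work>/Catalina/<host>/<context>; a context
    #    directory with no expected counterpart means unknown code ran there.
    cache = root / CATALINA_CACHE
    if cache.is_dir():
        for host_dir in (d for d in cache.iterdir() if d.is_dir()):
            for ctx_dir in (d for d in host_dir.iterdir() if d.is_dir()):
                if ctx_dir.name not in expected_contexts:
                    findings.append(("unexpected_catalina_context",
                                     str(ctx_dir.relative_to(root)), ctx_dir.name))

    # 4. Any account holding a Manager role can deploy code; list them all.
    users_xml = root / TOMCAT_USERS
    if users_xml.is_file():
        for el in ET.parse(users_xml).getroot().iter():
            if el.tag.rsplit("}", 1)[-1] == "user":  # tolerate the tomcat xmlns
                roles = {r.strip() for r in el.get("roles", "").split(",")}
                if roles & MANAGER_ROLES:
                    findings.append(("tomcat_manager_user", str(TOMCAT_USERS), el.get("username")))
    return findings


def build_sample_snapshot() -> Path:
    """CONSTRUCTED sample tree: one expected context plus a planted 'shell' WAR."""
    root = Path(tempfile.mkdtemp(prefix="rp-snap-"))
    (root / WEBAPPS_DIR).mkdir(parents=True)
    (root / WEBAPPS_DIR / "appliance-ui.war").write_bytes(b"PK\x03\x04 constructed placeholder")
    (root / WEBAPPS_DIR / "shell.war").write_bytes(b"PK\x03\x04 constructed placeholder 2")
    jsp_dir = root / CATALINA_CACHE / "localhost" / "shell" / "org" / "apache" / "jsp"
    jsp_dir.mkdir(parents=True)
    (jsp_dir / "index_jsp.class").write_bytes(b"\xca\xfe\xba\xbe")
    (root / TOMCAT_USERS).parent.mkdir(parents=True)
    (root / TOMCAT_USERS).write_text(
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">\n'
        '  <role rolename="manager-script"/>\n'
        '  <user username="deployer" password="CONSTRUCTED" roles="manager-script"/>\n'
        '</tomcat-users>\n')
    return root


if __name__ == "__main__":
    for finding in triage(build_sample_snapshot(), EXPECTED_CONTEXTS):
        print(*finding, sep="\t")
```

Run it against a real snapshot by pointing `triage()` at the mount point and passing the contexts recorded from a known-clean appliance of the same version; any `ioc_hash_match`, `unexpected_war` or `unexpected_catalina_context` result should trigger the isolation step described above rather than further live analysis on the appliance.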

VMware Infrastructure Security Audit

Audit VMware ESXi and vCenter environments for unauthorized changes to virtual machine network configurations that may indicate lateral movement following Dell RecoverPoint exploitation. Review for creation of unexpected virtual network adapters or Ghost NICs that UNC6201 used to pivot into internal networks. Examine vCenter appliance iptables rules for anomalous NAT or traffic redirection entries, particularly rules referencing non-standard ports such as 10443 used by the GRIMBOLT backdoor.

Monitor VMware infrastructure logs for suspicious administrative activities, unauthorized virtual machine modifications, or network configuration changes originating from Dell RecoverPoint appliance IP addresses. Implement enhanced logging and alerting for VMware management operations to detect potential lateral movement from compromised Dell RecoverPoint systems.
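One way to review the vCenter appliance firewall for the traffic-signalling pattern described above, as an added example that is not part of the advisory or of any Dell or VMware tooling: it parses the text of `iptables-save`, then flags rules that reference port 10443, NAT redirection targets, and `recent`-module rules that admit a source address only for a limited number of seconds after it has been registered. The dump it runs on is constructed for demonstration; the port numbers and rule names in it are placeholders except for 10443, which is the port named in the advisory.

```python
"""Flag iptables rules matching the single-packet-authorisation pattern (added example)."""
import shlex

WATCH_PORTS = {"10443"}  # non-standard backdoor port named in the advisory
NAT_TARGETS = {"REDIRECT", "DNAT", "SNAT", "MASQUERADE"}


def parse_iptables_save(text: str) -> list:
    """Return one dict per -A rule: {table, chain, tokens, raw}."""
    rules, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *nat
            table = line[1:]
            continue
        if line.startswith("-A "):
            tokens = shlex.split(line)     # handles quoted --comment values
            rules.append({"table": table, "chain": tokens[1], "tokens": tokens, "raw": line})
    return rules


def _option(tokens: list, *names: str):
    """Value following the first option in `names`, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def review_rules(rules: list) -> list:
    """Return (table, chain, [reasons], raw_rule) for each rule worth a closer look."""
    findings = []
    for r in rules:
        t = r["tokens"]
        ports = {_option(t, "--dport", "--destination-port"), _option(t, "--sport", "--source-port")}
        to_ports = _option(t, "--to-ports", "--to-destination") or ""
        target = _option(t, "-j")
        reasons = []
        if ports & WATCH_PORTS or any(p in to_ports for p in WATCH_PORTS):
            reasons.append("watch_port")
        if r["table"] == "nat" and target in NAT_TARGETS:
            reasons.append("nat_redirect")
        if "recent" in t and ("--rcheck" in t or "--update" in t) and "--seconds" in t:
            reasons.append("time_window_allow")  # source admitted only for N seconds
        if "recent" in t and "--set" in t:
            reasons.append("knock_register")     # marks a source as pre-authorised
        if reasons:
            findings.append((r["table"], r["chain"], reasons, r["raw"]))
    return findings


# CONSTRUCTED sample dump, not taken from a real appliance
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 10443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 5555 -m recent --set --name knock -j DROP
-A INPUT -p tcp -m tcp --dport 10443 -m recent --rcheck --seconds 30 --name knock -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for table, chain, reasons, raw in review_rules(parse_iptables_save(SAMPLE_IPTABLES_SAVE)):
        print(f"[{table}/{chain}] {', '.join(reasons)}: {raw}")
```

On a live appliance the input comes from `iptables-save` (and `ip6tables-save`); comparing the findings against the appliance's documented firewall baseline separates vendor rules from additions.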

Network Segmentation and Access Control Hardening

Ensure that Dell RecoverPoint management interfaces, Tomcat Manager, vCenter, and ESXi administrative consoles are not exposed to broad network segments. Implement strict network segmentation and firewall rules to limit Dell RecoverPoint management access exclusively to authorized administrative hosts. Apply zero-trust network architecture principles to Dell RecoverPoint deployments, requiring authentication and authorization for all administrative operations.

Remove Dell RecoverPoint appliances from internet-accessible network segments and implement jump servers or privileged access workstations for all administrative access. Configure network monitoring to alert on unusual connection patterns to Dell RecoverPoint management interfaces, particularly WebSocket connections that may indicate GRIMBOLT or BRICKSTORM backdoor communications.

Threat Hunting and Detection Rule Deployment

Deploy detection rules and indicators of compromise for UNC6201 malware including GRIMBOLT, BRICKSTORM, and SLAYSTYLE across endpoint detection and response platforms. Incorporate published YARA rules for these malware families into security monitoring workflows. Conduct proactive threat hunting for the eight malware file hashes associated with the CVE-2026-22769 campaign and monitor for network communications to the identified command-and-control IP address 149.248.11.71.

Monitor for WebSocket-based command-and-control communications from Dell RecoverPoint appliances and VMware infrastructure components. Implement detection for DNS-over-HTTPS activity from Dell RecoverPoint systems, as this may indicate covert communications. Establish baseline behavior profiles for Dell RecoverPoint appliances and alert on deviations such as unexpected outbound connections, unusual process executions, or modifications to system files.
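The network monitoring points above can be expressed as a small classifier over proxy or flow records. This is an added example, not detection content from the advisory or any vendor; it assumes the records are JSON lines with source, destination, request path and HTTP headers (a constructed format), and that the RecoverPoint management subnet is known (the 10.10.50.0/24 range below is an assumption). It flags any contact with the published command-and-control address, WebSocket upgrades originating from the appliance subnet, and DNS-over-HTTPS traffic from that subnet, recognised by the RFC 8484 media type `application/dns-message` or the conventional `/dns-query` path.

```python
"""Classify connection records for the network indicators in the advisory (added example)."""
import ipaddress
import json

C2_IPS = {"149.248.11.71"}  # command-and-control address published in the advisory
# ASSUMED RecoverPoint management subnet; replace with the real one
APPLIANCE_NETS = [ipaddress.ip_network("10.10.50.0/24")]


def from_appliance(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPLIANCE_NETS)


def classify(event: dict) -> list:
    """Return the list of indicator names matched by one connection record."""
    hits = []
    if event.get("dst") in C2_IPS:
        hits.append("c2_ip_contact")
    headers = {k.lower(): str(v).lower() for k, v in event.get("headers", {}).items()}
    if from_appliance(event["src"]):
        if "websocket" in headers.get("upgrade", ""):
            hits.append("websocket_from_appliance")
        doh_media = "application/dns-message"
        if (doh_media in headers.get("content-type", "") + headers.get("accept", "")
                or event.get("path", "").startswith("/dns-query")):
            hits.append("doh_from_appliance")
    return hits


def scan(log_lines) -> list:
    """Return (ts, src, dst, hits) for every record that matched at least one indicator."""
    out = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits = classify(ev)
        if hits:
            out.append((ev["ts"], ev["src"], ev["dst"], hits))
    return out


# CONSTRUCTED sample records; addresses other than the C2 IP are documentation ranges
SAMPLE_LOG = """\
{"ts": "2026-03-01T02:11:04Z", "src": "10.10.20.15", "dst": "203.0.113.9", "dport": 443, "path": "/", "headers": {"Host": "example.com"}}
{"ts": "2026-03-01T02:13:40Z", "src": "10.10.50.21", "dst": "149.248.11.71", "dport": 443, "path": "/ws", "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}}
{"ts": "2026-03-01T02:14:02Z", "src": "10.10.50.21", "dst": "198.51.100.7", "dport": 443, "path": "/dns-query?dns=AAABAAABAAAAAAAA", "headers": {"Accept": "application/dns-message"}}
{"ts": "2026-03-01T02:15:19Z", "src": "10.10.20.15", "dst": "203.0.113.9", "dport": 443, "path": "/chat", "headers": {"Upgrade": "websocket"}}
"""

if __name__ == "__main__":
    for ts, src, dst, hits in scan(SAMPLE_LOG.splitlines()):
        print(ts, src, "->", dst, ", ".join(hits))
```

The last sample record shows why the appliance-subnet condition matters: WebSocket use from an ordinary workstation is routine, while the same upgrade from a backup appliance that has no business opening interactive outbound channels is the behaviour the advisory asks you to alert on.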

Boot Persistence and Startup Script Validation

Audit rc.local and associated boot-time scripts across all Linux-based appliances in the environment, with particular focus on Dell RecoverPoint systems. Establish file integrity monitoring for critical startup scripts including convert_hosts.sh and implement alerting for any unauthorized modifications. Create baseline checksums for legitimate boot scripts and regularly validate against these baselines to detect persistence mechanism installation.

Review all startup mechanisms on Dell RecoverPoint appliances and implement change control procedures requiring approval and documentation for any legitimate modifications. The CVE-2026-22769 campaign demonstrates that UNC6201 specifically targets boot persistence, making this a critical detection and prevention focus area for organizations running Dell RecoverPoint for Virtual Machines.
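The baseline-and-validate procedure above, carried through as an added example that is not part of the advisory or of Dell's tooling. It records a SHA-256 digest and permission bits for rc.local, for convert_hosts.sh, and for every absolute path that rc.local invokes, then reports scripts that were modified, newly referenced, or removed relative to the stored manifest. The clean and tampered snapshots it builds are constructed stand-ins; the only real paths are the two named in the advisory.

```python
"""Baseline manifest for boot-time scripts and a verifier for it (added example)."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

RC_LOCAL = "etc/rc.local"
CONVERT_HOSTS = "home/kos/kbox/src/installation/distribution/convert_hosts.sh"
WATCHED = {RC_LOCAL, CONVERT_HOSTS}  # paths named in the advisory, relative to the root

# absolute path tokens on non-comment lines, e.g. "/var/tmp/helper.sh &"
_PATH_RE = re.compile(r"(?<![\w/])(/(?:[\w.-]+/)*[\w.-]+)")


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scripts_referenced_by(rc_local_text: str) -> set:
    """Absolute paths invoked from rc.local (shebang and comment lines ignored)."""
    refs = set()
    for line in rc_local_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        refs.update(_PATH_RE.findall(line))
    return refs


def watched_paths(root: Path) -> set:
    paths = set(WATCHED)
    rc = root / RC_LOCAL
    if rc.is_file():
        paths |= {ref.lstrip("/") for ref in scripts_referenced_by(rc.read_text())}
    return paths


def build_manifest(root: Path) -> dict:
    """Digest and permission bits for every watched script that exists under root."""
    root = Path(root)
    manifest = {}
    for rel in watched_paths(root):
        p = root / rel
        if p.is_file():
            manifest[rel] = {"sha256": sha256_file(p), "mode": oct(p.stat().st_mode & 0o7777)}
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current state with a stored manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(set(current) - set(manifest)),    # newly referenced or created
        "removed": sorted(set(manifest) - set(current)),
    }


def build_clean_snapshot() -> Path:
    """CONSTRUCTED clean tree: rc.local runs convert_hosts.sh and nothing else."""
    root = Path(tempfile.mkdtemp(prefix="rp-boot-"))
    conv = root / CONVERT_HOSTS
    conv.parent.mkdir(parents=True)
    conv.write_text("#!/bin/bash\n# constructed stand-in for the appliance script\nupdate_hosts_file\n")
    conv.chmod(0o755)
    rc = root / RC_LOCAL
    rc.parent.mkdir(parents=True)
    rc.write_text("#!/bin/sh\n/" + CONVERT_HOSTS + "\nexit 0\n")
    rc.chmod(0o755)
    return root


def tamper(root: Path) -> None:
    """CONSTRUCTED tampering: a line appended to convert_hosts.sh and a new script in rc.local."""
    with (root / CONVERT_HOSTS).open("a") as fh:
        fh.write("echo tampered\n")
    helper = root / "var/tmp/helper.sh"
    helper.parent.mkdir(parents=True)
    helper.write_text("#!/bin/sh\n# constructed placeholder\n")
    with (root / RC_LOCAL).open("a") as fh:
        fh.write("/var/tmp/helper.sh &\n")


if __name__ == "__main__":
    root = build_clean_snapshot()
    baseline = build_manifest(root)
    print(json.dumps(baseline, indent=2))      # store this off-appliance
    tamper(root)
    print(json.dumps(verify_manifest(root, baseline), indent=2))
```

Keep the manifest off the appliance (an attacker with root can rewrite anything stored locally) and re-run the verifier on a schedule or as part of the change-control workflow, so that any approved change is reflected by regenerating the baseline rather than by silencing the alert.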

Indicators of Compromise (IOCs)

Malware File Hashes

The following SHA256 hashes are associated with UNC6201 malware deployed during Dell RecoverPoint CVE-2026-22769 exploitation:

  • 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c
  • dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591
  • 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a
  • aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
  • 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
  • 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759
  • 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
  • 45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830

Organizations should search for these file hashes across Dell RecoverPoint appliances, VMware infrastructure, and connected systems to identify potential compromise.

Network Indicators

Command-and-Control IP Address: 149.248.11.71

Monitor for network connections from Dell RecoverPoint appliances to this IP address, particularly WebSocket communications that may indicate GRIMBOLT or BRICKSTORM backdoor activity.

File System Indicators

Key file paths associated with UNC6201 compromise of Dell RecoverPoint systems:

  • /home/kos/kbox/src/installation/distribution/convert_hosts.sh (persistence mechanism)
  • /home/kos/tomcat9/tomcat-users.xml (credential configuration)
  • /home/kos/auditlog/fapi_cl_audit_log.log (Tomcat Manager audit log)
  • /var/lib/tomcat9 (web application deployment directory)
  • /var/cache/tomcat9/Catalina (compiled web application cache)

MITRE ATT&CK TTPs

Initial Access

  • T1190: Exploit Public-Facing Application – UNC6201 exploited the CVE-2026-22769 vulnerability in Dell RecoverPoint for Virtual Machines to gain initial access
  • T1078: Valid Accounts with T1078.001: Default Accounts – Exploitation of hard-coded default credentials in Apache Tomcat Manager component

Execution

  • T1059: Command and Scripting Interpreter – Execution of commands and scripts on compromised Dell RecoverPoint appliances

Persistence

  • T1037: Boot or Logon Initialization Scripts with T1037.004: RC Scripts – Modification of convert_hosts.sh executed via rc.local for boot persistence
  • T1505: Server Software Component with T1505.003: Web Shell – Deployment of SLAYSTYLE Java web shell on Dell RecoverPoint appliances

Defense Evasion

  • T1027: Obfuscated Files or Information with T1027.002: Software Packing – GRIMBOLT backdoor packed with UPX and compiled using Native AOT
  • T1205: Traffic Signaling with T1205.001: Port Knocking – Implementation of iptables-based single packet authorization for backdoor access

Lateral Movement

  • T1021: Remote Services – Leveraging compromised Dell RecoverPoint appliances to access other systems
  • T1599: Network Boundary Bridging – Creation of Ghost NICs on virtual machines for network pivoting

Command and Control

  • T1071: Application Layer Protocol with T1071.001: Web Protocols – WebSocket-based communications for GRIMBOLT and BRICKSTORM backdoors
  • T1572: Protocol Tunneling – Use of WebSocket protocol for command-and-control communications

Privilege Escalation

  • T1068: Exploitation for Privilege Escalation – CVE-2026-22769 exploitation providing root-level access to Dell RecoverPoint appliances

Resource Development

  • T1587: Develop Capabilities with T1587.001: Malware – Development of custom malware including GRIMBOLT, BRICKSTORM, and SLAYSTYLE
  • T1588: Obtain Capabilities with T1588.006: Vulnerabilities – Identification and exploitation of Dell RecoverPoint zero-day vulnerability

References

  1. Dell Security Advisory DSA-2026-079: https://www.dell.com/support/kbdoc/en-in/000426773/dsa-2026-079
  2. Google Cloud Threat Intelligence: UNC6201 Exploiting Dell RecoverPoint Zero-Day: https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/
  3. HivePro Threat Advisory: BRICKSTORM Breaks In: China’s Quiet Grip on US Virtual Stack: https://hivepro.com/threat-advisory/brickstorm-breaks-in-chinas-quiet-grip-on-us-virtual-stack/
