Full Report
A critical zero-day vulnerability, tracked as CVE-2026-22769, is being actively exploited in Dell Technologies’ RecoverPoint for Virtual Machines. According to Mandiant and Google Threat Intelligence Group (GTIG), the flaw carries a perfect severity score of 10 and has been weaponized by a Chinese threat cluster identified as UNC6201.

Dell RecoverPoint for Virtual Machines is designed to manage backup and disaster recovery for VMware virtual machines. Exploitation of CVE-2026-22769, however, enables unauthenticated attackers to gain access to the underlying system and maintain root-level persistence through a hardcoded credential weakness.

## How CVE-2026-22769 Was Exploited

During multiple incident response engagements, Mandiant and GTIG determined that UNC6201 had been exploiting CVE-2026-22769 since at least mid-2024. The vulnerability stems from hardcoded default credentials embedded in configuration files associated with Apache Tomcat Manager on Dell RecoverPoint appliances. Investigators found the credentials in `/home/kos/tomcat9/tomcat-users.xml`.

Using these credentials, attackers could authenticate to the Tomcat Manager interface and deploy malicious WAR files via the `/manager/text/deploy` endpoint. In observed cases, this resulted in the installation of a SLAYSTYLE web shell.

Web logs stored in `/home/kos/auditlog/fapi_cl_audit_log.log` revealed suspicious requests to `/manager`, particularly `PUT /manager/text/deploy?path=/&update=true`. Uploaded WAR files were typically located in `/var/lib/tomcat9`, with compiled artifacts found in `/var/cache/tomcat9/Catalina`. Analysts were advised to investigate Tomcat logs under `/var/log/tomcat9/`, including Catalina events such as `org.apache.catalina.startup.HostConfig.deployWAR`. The earliest confirmed exploitation of CVE-2026-22769 dates back to mid-2024.
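The log hunt described above can be scripted. The following is an added example, not code from the article or from Mandiant/GTIG: it scans web-server access log lines for requests to the Tomcat Manager deployment endpoints and ranks a successful `PUT`/`POST` to `/manager/text/deploy` or `/manager/html/upload` as a high-severity finding. The article does not show the record format of `fapi_cl_audit_log.log`, so the parser assumes Apache Common Log Format, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample access-log lines in Apache Common Log Format (assumption: the real
# appliance audit log is not shown in the article, so its format may differ).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2025:03:14:07 +0000] "GET /fapi/rest/5_1/sites HTTP/1.1" 200 512
198.51.100.23 - tomcat [12/Sep/2025:03:15:41 +0000] "PUT /manager/text/deploy?path=/&update=true HTTP/1.1" 200 87
198.51.100.23 - tomcat [12/Sep/2025:03:15:42 +0000] "GET /manager/text/list HTTP/1.1" 200 210
203.0.113.7 - - [12/Sep/2025:03:16:00 +0000] "GET /manager/html HTTP/1.1" 401 0
203.0.113.9 - - [12/Sep/2025:03:17:00 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=abc HTTP/1.1" 200 0
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Tomcat Manager endpoints through which a WAR can be deployed (text and HTML interfaces).
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")


@dataclass
class Finding:
    severity: str   # "high" = successful deployment request, "low" = other manager access
    ip: str
    user: str
    timestamp: str
    method: str
    path: str       # request path without the query string
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line; return None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_activity(lines: Iterable[str]) -> List[Finding]:
    """Return every request to /manager, rating successful deployments as high severity."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        base = rec["path"].split("?", 1)[0]
        is_deploy = rec["method"] in ("PUT", "POST") and base in DEPLOY_PATHS
        succeeded = 200 <= rec["status"] < 300
        severity = "high" if (is_deploy and succeeded) else "low"
        findings.append(Finding(severity, rec["ip"], rec["user"], rec["ts"],
                                rec["method"], base, rec["status"]))
    return findings


def sources_with_deploys(findings: List[Finding]) -> List[str]:
    """Distinct source addresses that achieved a deployment; these are the triage starting points."""
    return sorted({f.ip for f in findings if f.severity == "high"})


if __name__ == "__main__":
    results = detect_manager_activity(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity.upper():4}] {f.ip:15} {f.user:8} {f.method:4} {f.path} -> {f.status}")
    print("deploy sources:", sources_with_deploys(results))
```

Any `high` finding should be cross-checked against `HostConfig.deployWAR` events in `/var/log/tomcat9/` and against new WAR files under `/var/lib/tomcat9`; a failed (401) manager request from an unexpected source is still worth noting as a credential-probing attempt.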
## UNC6201’s Malware Evolution: From BRICKSTORM to GRIMBOLT

The campaign tied to UNC6201 shows a notable evolution in tooling. Initially, attackers deployed BRICKSTORM malware. However, in September 2025, investigators observed older BRICKSTORM binaries being replaced with a newly identified backdoor called GRIMBOLT.

GRIMBOLT, written in C# and compiled using native ahead-of-time (AOT) compilation, represents a tactical shift. Unlike traditional .NET software that relies on just-in-time (JIT) compilation, native AOT binaries are compiled directly to machine code. Introduced to .NET in 2022, this method enhances performance on resource-constrained appliances like Dell RecoverPoint systems and complicates static analysis by eliminating common intermediate language (CIL) metadata.

GRIMBOLT was also packed with UPX and provided remote shell capabilities while using the same command-and-control infrastructure previously associated with BRICKSTORM. Investigators could not determine whether the shift to GRIMBOLT was pre-planned or a reaction to incident response efforts by Mandiant and other industry partners.

Persistence mechanisms were established by modifying a legitimate shell script, `/home/kos/kbox/src/installation/distribution/convert_hosts.sh`, which executes at boot via `rc.local`. The attackers appended the backdoor path to this script to ensure continued access.

## Broader VMware Pivoting and New Tactics

Beyond exploiting CVE-2026-22769 in Dell RecoverPoint, UNC6201 expanded its operations into VMware environments. Although the initial access vector was not confirmed, the actor is known to target edge appliances such as VPN concentrators.

Mandiant documented the creation of “Ghost NICs,” temporary network interfaces added to virtual machines on ESXi servers. These interfaces enabled stealthy pivoting into internal and SaaS infrastructure. In compromised vCenter appliances, analysts recovered iptables commands executed via the SLAYSTYLE web shell.
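The persistence technique above (a backdoor path appended to a boot-time script) is easy to check for once a known-good copy of the script exists. The following is an added example, not code from the article or from Dell: it diffs the current script against a baseline and applies a few heuristics to any added line, such as a command launched from a writable directory, a hidden path component, or a detached/backgrounded process. Both the baseline and the compromised version are constructed stand-ins; the real contents of `convert_hosts.sh` are not in the article, and the filename `support` in the appended line is borrowed from the article's GRIMBOLT indicator list only for illustration.

```python
import hashlib
import shlex
from typing import Dict, List

# Constructed known-good content standing in for convert_hosts.sh (assumption: the real
# script's contents are not published in the article).
BASELINE = """\
#!/bin/bash
# convert the hosts file at boot (constructed placeholder)
cp /etc/hosts /etc/hosts.bak
/home/kos/kbox/bin/update_hosts --apply
"""

# Constructed compromised version: one appended line that starts a binary from a
# user-writable, hidden location and detaches it from the boot script.
CURRENT = BASELINE + "nohup /var/tmp/.cache/support >/dev/null 2>&1 &\n"

# Locations a boot-time appliance script should not be launching binaries from.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def added_lines(baseline: str, current: str) -> List[str]:
    """Lines present in the current script but absent from the baseline (order preserved)."""
    known = set(baseline.splitlines())
    return [line for line in current.splitlines() if line not in known]


def suspicious_reasons(line: str) -> List[str]:
    """Heuristic reasons a shell line in a boot script deserves attention; [] if none."""
    reasons: List[str] = []
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return reasons
    if stripped.endswith("&"):
        reasons.append("backgrounded command")
    try:
        tokens = shlex.split(stripped.rstrip("&"))
    except ValueError:
        return ["unparseable shell line"]
    if tokens and tokens[0] in ("nohup", "setsid"):
        reasons.append("detached via " + tokens[0])
    for tok in tokens:
        if tok.startswith(WRITABLE_DIRS):
            reasons.append("path in writable location: " + tok)
        elif "/." in tok:
            reasons.append("hidden path component: " + tok)
    return reasons


def audit_boot_script(baseline: str, current: str) -> Dict:
    """Compare a boot script with its baseline and annotate every added line."""
    report = {
        "baseline_sha256": sha256_text(baseline),
        "current_sha256": sha256_text(current),
        "modified": baseline != current,
        "added": [],
    }
    for line in added_lines(baseline, current):
        report["added"].append({"line": line, "reasons": suspicious_reasons(line)})
    return report


if __name__ == "__main__":
    result = audit_boot_script(BASELINE, CURRENT)
    print("modified:", result["modified"])
    for entry in result["added"]:
        print("+", entry["line"])
        for reason in entry["reasons"]:
            print("    ->", reason)
```

On a real appliance the baseline would come from a clean vendor image or a file-integrity database, and the same comparison should cover `rc.local` itself and anything it sources, since the attacker only needs one writable hook in the boot chain.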
These commands implemented Single Packet Authorization (SPA) by:

- Monitoring port 443 for a specific hexadecimal string
- Adding the source IP to an approved list
- Allowing connections to port 10443 if the IP was listed
- Redirecting traffic from port 443 to 10443 for 300 seconds

This redirection mechanism facilitated covert access while limiting exposure.

## Indicators of Compromise Linked to CVE-2026-22769 and UNC6201

Several malware samples and network indicators were tied to the campaign:

### GRIMBOLT Files

- support — SHA256: 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c
- out_elf_2 — SHA256: dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591

### SLAYSTYLE

- default_jsp.java — SHA256: 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a

### BRICKSTORM Samples

- SHA256: aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
- splisten — SHA256: 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
- Additional hashes:
  - 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759
  - 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
  - 45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830

### Network Indicators

- C2 Endpoint: wss://149.248.11.71/rest/apisession
- C2 IP: 149.248.11.71

### YARA Rules

YARA rules released by GTIG include:

- G_APT_BackdoorToehold_GRIMBOLT_1
- G_Hunting_BackdoorToehold_GRIMBOLT_1
- G_APT_BackdoorWebshell_SLAYSTYLE_4
Analysis Summary
# Incident Report: Exploitation of CVE-2026-22769 in Dell RecoverPoint for VMs
## Executive Summary
A critical zero-day vulnerability (CVE-2026-22769) with a CVSS score of 10.0 was exploited by the Chinese threat group UNC6201 to compromise Dell Technologies’ RecoverPoint for Virtual Machines. The attackers utilized hardcoded credentials to deploy multiple backdoors, including a novel native AOT-compiled malware called GRIMBOLT, to maintain root-level persistence and pivot into VMware ESXi and vCenter environments.
## Incident Details
- **Discovery Date:** September 2025 (Initial detection of GRIMBOLT)
- **Incident Date:** Mid-2024 to Late 2025
- **Affected Organization:** Users of Dell RecoverPoint for Virtual Machines
- **Sector:** Cross-sector (Disaster Recovery/Infrastructure)
- **Geography:** Global (Linked to Chinese espionage operations)
## Timeline of Events
### Initial Access
- **Date/Time:** Mid-2024 (Earliest confirmed activity)
- **Vector:** Hardcoded Credentials (CVE-2026-22769)
- **Details:** Attackers used default credentials found in `/home/kos/tomcat9/tomcat-users.xml` to access the Apache Tomcat Manager interface.
### Lateral Movement
- **Progression:** Attackers moved from the Dell RecoverPoint appliance to VMware ESXi servers and vCenter appliances by utilizing temporary "Ghost NICs" and the SLAYSTYLE web shell.
### Data Exfiltration/Impact
- **Impact:** High-level persistence (Root) and internal network pivoting. The campaign enabled stealthy access to internal and SaaS infrastructure through Single Packet Authorization (SPA) redirection.
### Detection & Response
- **Discovery:** Mandiant and Google Threat Intelligence Group (GTIG) identified the activity during multiple IR engagements.
- **Response Actions:** Release of YARA rules for GRIMBOLT and SLAYSTYLE; advisory issued to review Tomcat logs and the appliance audit log.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2026-22769 (Hardcoded credentials in Tomcat Manager).
- **Persistence:** Modified `/home/kos/kbox/src/installation/distribution/convert_hosts.sh` (executed via rc.local at boot).
- **Privilege Escalation:** Direct root access via hardcoded credential weakness.
- **Defense Evasion:** Use of Native Ahead-of-Time (AOT) compilation for GRIMBOLT to eliminate CIL metadata; UPX packing; "Ghost NICs" for stealthy pivoting; Single Packet Authorization (SPA) via iptables to hide C2 traffic.
- **Credential Access:** Hardcoded default credentials in configuration files.
- **Discovery:** Reconnaissance of edge appliances like VPN concentrators.
- **Lateral Movement:** SPA-based port redirection (443 to 10443) and Ghost NIC creation on ESXi.
- **Impact:** Complete system compromise of disaster recovery infrastructure.
## Impact Assessment
- **Financial:** Not disclosed; significant IR and remediation costs anticipated.
- **Data Breach:** Espionage-focused; targeted internal and SaaS infrastructure access.
- **Operational:** Vulnerability in critical disaster recovery and backup management systems.
- **Reputational:** High-severity impact for Dell due to a "perfect 10" vulnerability stemming from hardcoded credentials.
## Indicators of Compromise
### Network Indicators
- **C2 IP:** 149.248.11[.]71
- **C2 Endpoint:** wss://149.248.11[.]71/rest/apisession
### File Indicators (SHA-256)
- **GRIMBOLT:** 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c
- **SLAYSTYLE:** 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a
- **BRICKSTORM:** aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
### Behavioral Indicators
- Unusual PUT requests to `/manager/text/deploy?path=/&update=true`
- Modifications to `convert_hosts.sh`
- Unexplained "Ghost NIC" interfaces on ESXi hosts
- `org.apache.catalina.startup.HostConfig.deployWAR` events in Tomcat logs
## Response Actions
- **Containment:** Investigation of Tomcat web logs and `fapi_cl_audit_log.log`.
- **Eradication:** Deployment of YARA rules to identify and remove BRICKSTORM, GRIMBOLT, and SLAYSTYLE.
- **Recovery:** Restoration of compromised shell scripts and removal of malicious WAR files from `/var/lib/tomcat9`.
## Lessons Learned
- **Credential Management:** Hardcoded credentials in third-party integrations (Apache Tomcat) remain a high-risk entry point for appliances.
- **Tooling Evolution:** Threat actors are adopting newer .NET features (Native AOT) to bypass traditional static analysis and optimize performance on specialized appliances.
- **Stealth Techniques:** The use of Single Packet Authorization (SPA) via iptables effectively hides C2 infrastructure from standard port scans.
## Recommendations
- **Patch Management:** Immediately apply Dell security updates addressing CVE-2026-22769.
- **Audit:** Inspect `/home/kos/tomcat9/tomcat-users.xml` for unauthorized or default accounts.
- **Monitor:** Implement alerting for unauthorized modifications to boot-time shell scripts and unexpected network interface creation on ESXi hosts.
- **Logging:** Ensure centralized logging for Apache Tomcat and underlying appliance audit logs.
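The audit recommended above for `/home/kos/tomcat9/tomcat-users.xml` (and the hardcoded-credential weakness described in the exploitation section) can be automated. The following is an added example, not code from the article, Dell, or Apache Tomcat: it parses a `tomcat-users.xml` document, reports every account that holds a Manager or Host Manager role, and flags accounts whose password equals the username or appears in a small sample list of well-known weak values. The XML below is constructed; the role names and the `http://tomcat.apache.org/xml` namespace are Tomcat's own, but the accounts, passwords and the weak-password list are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Tomcat roles that grant access to the Manager / Host Manager applications.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Sample list of weak or default-looking passwords (constructed for the example).
WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "s3cret", "changeme"}

# Constructed tomcat-users.xml: one privileged account with a weak password, one normal account.
SAMPLE_XML = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="appuser"/>
  <user username="tomcat" password="tomcat" roles="manager-script,manager-gui"/>
  <user username="svc_backup" password="Xk9-long-random-value" roles="appuser"/>
</tomcat-users>
"""


def _local_name(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> List[Dict]:
    """Return one finding per account that is privileged, weakly protected, or both."""
    root = ET.fromstring(xml_text)
    findings: List[Dict] = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        # Tomcat accepts either "username" or "name" on <user>.
        name = el.get("username", el.get("name", ""))
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}

        privileged = sorted(roles & PRIVILEGED_ROLES)
        reasons: List[str] = []
        if privileged:
            reasons.append("holds privileged roles: " + ",".join(privileged))
        weak = False
        if password.lower() == name.lower():
            reasons.append("password equals username")
            weak = True
        if password.lower() in WEAK_PASSWORDS:
            reasons.append("well-known weak or empty password")
            weak = True

        if not reasons:
            continue
        if privileged and weak:
            risk = "critical"   # manager access with a guessable credential
        elif privileged:
            risk = "high"       # manager access; verify the account is expected
        else:
            risk = "medium"     # weak credential on an unprivileged account
        findings.append({"username": name, "roles": privileged, "risk": risk, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_XML):
        print(f"{finding['risk'].upper():8} {finding['username']}: " + "; ".join(finding["reasons"]))
```

A `critical` result on an appliance is exactly the condition the article describes: any client that can reach the Manager interface with that account can deploy a WAR. Beyond removing or rotating the account, the Manager application itself should be disabled or restricted to trusted addresses on appliances that do not need it, and the `tomcat-users.xml` hash should be tracked so that a vendor-shipped default cannot silently reappear after an upgrade.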