Chinese APT Exploited Dell RecoverPoint Zero-Day for 18 Months Before Discovery

A suspected China-linked cyberespionage group has been covertly exploiting a critical zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines (CVE-2026-22769) since at least mid-2024, according to new research from Google’s Threat Intelligence Group (GTIG) and Mandiant. The attackers deployed sophisticated backdoors and maintained persistent access inside targeted networks for over 18 months before discovery.

🎯 The Attack Campaign

The threat actor, tracked as UNC6201, shows notable overlaps with UNC5221—a Chinese APT often associated with Silk Typhoon operations, though GTIG does not consider them the same cluster. The attackers deployed multiple malware families:

  • BRICKSTORM – A stealthy backdoor specifically designed for appliances lacking traditional EDR coverage
  • GRIMBOLT – A novel backdoor compiled directly to machine code for improved stealth and evasion
  • SLAYSTYLE – A webshell deployed via malicious WAR files

🔓 Default Credentials: The Gateway to Compromise

Mandiant incident responders found the vulnerability while investigating compromised Dell RecoverPoint systems that were beaconing to attacker-controlled command and control servers. The root cause was shocking: hard-coded default credentials for the admin user in the Apache Tomcat Manager configuration file shipped with the appliance.

With those credentials, an attacker could authenticate to the Tomcat Manager, push a malicious WAR file through the /manager/text/deploy endpoint, and have the code inside it run with the privileges of the Tomcat process, which on the appliance was root.
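The weak configuration described above, beside a hardened one, as an added example that is not Dell's or Google's code: a small audit of a Tomcat `tomcat-users.xml` that reports every account holding a Manager role and whether its password is a shipped default. Both XML documents are constructed, and the `WEAK_PASSWORDS` list is a generic set of well-known defaults, not the credential from the RecoverPoint appliance (the advisory does not publish it).

```python
# Added example (not Dell's or Google's code): audit a Tomcat tomcat-users.xml for
# accounts that hold Manager roles and use a default or weak password. The XML
# below is constructed; WEAK_PASSWORDS is a generic list of shipped defaults, not
# the credential from the RecoverPoint appliance, which the advisory does not publish.
import xml.etree.ElementTree as ET

# Roles that grant Manager/Host Manager access. manager-script is the one the
# /manager/text/* interface (including /manager/text/deploy) requires; manager-gui
# can deploy a WAR through the HTML upload form instead.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
WEAK_PASSWORDS = {"admin", "tomcat", "password", "s3cret", "changeme", "manager"}

SAMPLE_WEAK = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script"/>
  <user username="monitor" password="Q7v!mA2pLx9#rT" roles="manager-status"/>
</tomcat-users>
"""

# Hardened variant: no account can deploy, and the remaining account is read-only.
SAMPLE_HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-status"/>
  <user username="monitor" password="Q7v!mA2pLx9#rT" roles="manager-status"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per user who holds any Manager role.

    A finding records the Manager roles held, whether the password is a known
    default (or simply equals the username), and whether the account can deploy
    a WAR. Digested passwords (a configured CredentialHandler) are not matched.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        held = roles & MANAGER_ROLES
        if not held:
            continue
        user = el.get("username", "")
        pw = el.get("password", "")
        findings.append({
            "username": user,
            "roles": sorted(held),
            "weak_password": pw.lower() in WEAK_PASSWORDS or pw == user,
            "can_deploy": bool(held & {"manager-script", "manager-gui"}),
        })
    return findings


def remote_deploy_exposed(xml_text):
    """True if a weak-credential account could push a WAR through the Manager."""
    return any(f["weak_password"] and f["can_deploy"]
               for f in audit_tomcat_users(xml_text))


if __name__ == "__main__":
    for name, doc in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, "exposed:", remote_deploy_exposed(doc))
        for finding in audit_tomcat_users(doc):
            print("  ", finding)
```

On a real appliance, point the script at the file the Manager realm actually reads (the default is `conf/tomcat-users.xml` under CATALINA_BASE, but a vendor image may use a different realm), and treat any account that can deploy as a finding to justify, not just the ones with a weak password.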

🕵️ Novel Evasion Techniques

Beyond exploiting the Dell vulnerability, the threat actor employed sophisticated tactics to pivot deeper into victim infrastructure:

  • “Ghost NICs” – Adding stealthy, extra network interfaces to the compromised appliance so it can reach segments it was never meant to touch, giving the attackers a covert pivot point
  • Single Packet Authorization (SPA) – iptables rules that keep the C2 listener closed until a specific trigger packet arrives, so the port stays invisible to scans and routine network inventory
  • Life cycle iteration – Replacing BRICKSTORM with GRIMBOLT, potentially in response to detection efforts
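A host-side triage for the first two techniques, as an added example that is not Dell's, Google's or Mandiant's code: it reads captured text from `ip -o link` and `iptables-save` and flags interfaces outside an approved baseline and rules that gate access on a match module. Both captures are constructed, and the rule heuristic is an assumption about how SPA is typically built on iptables (`recent`, `string` or `u32` matches gating a listener), not a description of UNC6201's actual rules.

```python
# Added example (not Dell's, Google's or Mandiant's code): triage the traces that a
# "ghost NIC" and an SPA-gated listener would leave on a Linux appliance. The
# `ip -o link` and `iptables-save` captures below are constructed. GATING_MODULES is
# an assumption about how SPA is usually built with iptables, not UNC6201's rules.
import re

# Constructed `ip -o link` output: eth0 is the appliance's documented interface,
# eth1 is an extra one nobody provisioned.
IP_LINK_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\    link/ether 00:50:56:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\    link/ether 00:50:56:aa:bb:02 brd ff:ff:ff:ff:ff:ff
"""

# Constructed `iptables-save` output: a knock packet on UDP/62201 carrying a
# marker string adds the source to a `recent` list, which then unlocks TCP/8443
# for 30 seconds. To a port scanner, 8443 is simply closed.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 62201 -m string --string "k3y" --algo bm -m recent --name spa --set -j DROP
-A INPUT -p tcp --dport 8443 -m recent --name spa --rcheck --seconds 30 -j ACCEPT
COMMIT
"""

# Match modules that let a rule remember or inspect earlier packets (assumption:
# these are the usual building blocks of port knocking / SPA on iptables).
GATING_MODULES = ("-m recent", "-m string", "-m u32")


def unexpected_interfaces(ip_link_text, baseline):
    """Interface names in `ip -o link` output that are not in the approved baseline."""
    names = re.findall(r"^\d+:\s+([^:@\s]+)[@:]", ip_link_text, re.M)
    return [n for n in names if n not in baseline]


def spa_style_rules(iptables_save_text):
    """Rules that use a stateful or payload-matching module, i.e. candidates for
    a hidden, knock-unlocked listener. Each hit keeps the full rule text."""
    return [line for line in iptables_save_text.splitlines()
            if line.startswith("-A") and any(m in line for m in GATING_MODULES)]


def triage(ip_link_text, baseline, iptables_save_text):
    """Combine both checks into one report dict."""
    return {
        "unexpected_interfaces": unexpected_interfaces(ip_link_text, baseline),
        "spa_style_rules": spa_style_rules(iptables_save_text),
    }


if __name__ == "__main__":
    report = triage(IP_LINK_OUTPUT, {"lo", "eth0"}, IPTABLES_SAVE)
    for key, items in report.items():
        print(key)
        for item in items:
            print("  ", item)
```

Run it against captures taken from the appliance console (or from the hypervisor side, where a new virtual NIC attached to the VM shows up even if the guest hides it); the interface baseline should come from the vendor's build documentation, not from the running system.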

GRIMBOLT’s design, compiled directly to machine code, makes it harder to pick apart with static analysis while keeping it light enough to run on resource-constrained appliances.

⚠️ Who Should Be Concerned

Organizations running Dell RecoverPoint for Virtual Machines should immediately assess their exposure. The threat actor’s tactics suggest a focus on:

  • Edge appliances and backup infrastructure
  • VMware virtual environments
  • Organizations where traditional EDR tools cannot be deployed

🛡️ Remediation Steps

Dell has released security guidance for CVE-2026-22769. Organizations should:

  1. Apply Dell’s recommended patches immediately
  2. Change all default credentials on RecoverPoint systems
  3. Review Tomcat Manager access logs for suspicious WAR deployments
  4. Hunt for BRICKSTORM, GRIMBOLT, and SLAYSTYLE indicators of compromise
  5. Monitor for anomalous network communications from backup infrastructure
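For step 3, a hunt over Tomcat access logs, as an added example that is not Dell's, Google's or Mandiant's code: it pulls out every deployment through the Manager (`/manager/text/deploy` and the HTML upload form), recovers the deployed context path from the `path` query parameter, and then lists the first requests into that context, which is how a dropped webshell gets invoked. The log lines are constructed in the AccessLogValve common pattern (`%h %l %u %t "%r" %s %b`); hosts, the user name and the `/update` context are invented.

```python
# Added example (not Dell's, Google's or Mandiant's code): hunt Tomcat access logs
# for Manager WAR deployments and for the requests that follow into the deployed
# context. SAMPLE_LOG is constructed in the AccessLogValve common pattern; all
# addresses, the user and the /update context path are invented.
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.0.0.7 - - [13/Jun/2024:08:00:01 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 5123
10.0.5.21 - admin [14/Jun/2024:02:17:43 +0000] "PUT /manager/text/deploy?path=/update&update=true HTTP/1.1" 200 45
10.0.5.21 - - [14/Jun/2024:02:17:58 +0000] "GET /update/s.jsp HTTP/1.1" 200 112
10.0.5.21 - admin [14/Jun/2024:02:20:03 +0000] "GET /manager/text/list HTTP/1.1" 200 210
10.0.0.9 - - [15/Jun/2024:09:30:00 +0000] "GET /update/s.jsp HTTP/1.1" 200 112
"""

# %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")


def parse_line(line):
    """Parse one common-pattern line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parse_qs(parts.query)
    return rec


def find_war_deployments(lines):
    """Every Manager deployment request. The text interface names the context in
    ?path= (the WAR is the PUT body, or ?war= points at a file already on disk);
    the HTML upload derives the context from the file name, so it stays None."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] not in DEPLOY_PATHS:
            continue
        hits.append({
            "host": rec["host"], "user": rec["user"], "ts": rec["ts"],
            "status": int(rec["status"]),
            "context_path": rec["query"].get("path", [None])[0],
            "local_war": rec["query"].get("war", [None])[0],
        })
    return hits


def follow_on_requests(lines, deployments):
    """Requests into a deployed context at or after its deployment time.
    A context of "/" (ROOT) matches every request, which is the right answer."""
    out = []
    for rec in filter(None, map(parse_line, lines)):
        for dep in deployments:
            ctx = dep["context_path"]
            if ctx is None or rec["ts"] < dep["ts"]:
                continue
            if rec["path"] == ctx or rec["path"].startswith(ctx.rstrip("/") + "/"):
                out.append({"context_path": ctx, "host": rec["host"],
                            "ts": rec["ts"].isoformat(), "path": rec["path"]})
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    deployments = find_war_deployments(lines)
    for d in deployments:
        print("deploy:", d)
    for hit in follow_on_requests(lines, deployments):
        print("follow-on:", hit)
```

The usual log location is `logs/localhost_access_log.*.txt` under CATALINA_BASE; if the valve on the appliance uses a different pattern, adjust `LOG_RE` to match it. A deployment with `local_war` set is worth special attention, because it means the WAR was already on the filesystem before the Manager was asked to install it.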

CISA has also revised its report on the BRICKSTORM backdoor with updated indicators of compromise. Mandiant and GTIG have published YARA rules for detecting GRIMBOLT and SLAYSTYLE.

🔗 Why This Matters

This campaign demonstrates a concerning pattern: state-sponsored actors targeting backup and disaster recovery infrastructure where security tooling is often limited. The 18-month exploitation window before discovery highlights the critical need for:

  • Comprehensive asset inventory including backup systems
  • Default credential audits across all infrastructure
  • Extended monitoring of appliances outside traditional EDR coverage

When backup systems are compromised, attackers gain not only persistent access but also visibility into an organization’s disaster recovery capabilities—intelligence that could be devastating in a future destructive attack.

Source: Help Net Security | Google Cloud Blog