For the past 18 months, a Chinese cyberespionage group has been exploiting a previously unknown vulnerability in Dell’s RecoverPoint for Virtual Machines, a VM disaster recovery solution. The flaw, patched by Dell this week, allows unauthenticated attackers to gain command execution on the underlying OS as root.
The vulnerability, tracked as CVE-2026-22769, stems from hardcoded admin credentials for the Apache Tomcat Manager, which can be leveraged to deploy malicious WAR (Web Application Archive) files. Apache Tomcat is a web server for Java-based web applications.
Researchers from Google’s Mandiant team discovered the critical vulnerability while investigating multiple compromised Dell RecoverPoint for Virtual Machines instances in a customer environment that were sending out command-and-control (C2) traffic associated with two backdoors known as BRICKSTORM and GRIMBOLT. These backdoors are used by a China-linked APT group that Mandiant tracks as UNC6201, which is known to target VMware-related enterprise infrastructure.
Dell RecoverPoint for Virtual Machines is a data replication and protection appliance for VMware environments, which makes it an attractive target for this group. The new vulnerability affects versions 5.3 SP4 P1, 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1. Customers are strongly encouraged to upgrade to the patched 6.0.3.1 HF1 version, but if that’s not immediately possible, Dell has also released a remediation script.
Attackers upgrade from BRICKSTORM to GRIMBOLT
UNC6201’s activities overlap significantly with another group that Mandiant and Google’s Threat Intelligence Group (GTIG) track as UNC5221, which is known for targeting network-edge appliances using zero-day exploits. Other security companies attribute this activity to the Chinese state-sponsored hacker group Silk Typhoon or APT27, but Google believes this to be a different threat actor.
UNC5221 has compromised the networks of US legal services firms, SaaS providers, business process outsourcers, and technology companies over the past few years and deployed the Linux backdoor BRICKSTORM and a web shell called SLAYSTYLE, which has been installed on compromised vCenter deployments.
Both BRICKSTORM and SLAYSTYLE have also been observed in the new Dell RecoverPoint compromises attributed to UNC6201. However, the threat actor also deployed a new backdoor called GRIMBOLT.
“GRIMBOLT is a C#-written foothold backdoor compiled using native ahead-of-time (AOT) compilation and packed with UPX,” Mandiant’s researchers said. “It provides a remote shell capability and uses the same command and control as previously deployed BRICKSTORM payload.”
There is evidence that UNC6201 has been exploiting CVE-2026-22769 since mid-2024 to deploy the SLAYSTYLE web shell. However, the replacement of BRICKSTORM with GRIMBOLT did not happen until September 2025. It’s not clear whether this was the result of planned iteration or a reaction to BRICKSTORM being exposed by Mandiant and other security companies at around that time.
Pivot techniques
In addition to the payloads themselves, the investigation also revealed new techniques. For example, the legitimate shell script convert_hosts.sh that exists on these appliances has been modified to include the path of the backdoors to achieve persistence.
The SLAYSTYLE web shell, which is designed to receive commands over HTTP and execute them on the system, was used to set up proxy rules via the Linux iptables utility. Namely, incoming traffic on port 443 (HTTPS) that contained a particular HEX string was silently redirected to port 10443 for the next 5 minutes.
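One way defenders can hunt for this kind of tampering is to audit the appliance’s firewall rules for NAT redirects that depend on payload content or send traffic to an unexpected port. The following is an added example, not code from the Mandiant report or from Dell; it parses `iptables-save` output (a constructed sample is embedded, with a made-up hex pattern) and flags rules matching the pattern described above.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables-save` output (not from the report). The last
# nat rule mirrors the technique described in the article: HTTPS traffic that
# carries a specific hex string is silently redirected to port 10443.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
-A PREROUTING -p tcp --dport 443 -m string --hex-string "|de ad be ef|" --algo bm -j REDIRECT --to-ports 10443
COMMIT
"""


def parse_iptables_save(text: str) -> List[Dict[str, str]]:
    """Return one record per '-A' rule line, tagged with the table it belongs to."""
    rules: List[Dict[str, str]] = []
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
        elif line.startswith("-A ") and table:
            rules.append({"table": table, "rule": line})
    return rules


def find_suspicious_redirects(text: str, expected_ports=(80, 443)) -> List[str]:
    """Flag nat-table REDIRECT rules that inspect payload content (-m string)
    or redirect to a port outside the set this appliance is expected to use."""
    findings: List[str] = []
    for rec in parse_iptables_save(text):
        rule = rec["rule"]
        if rec["table"] != "nat" or "-j REDIRECT" not in rule:
            continue
        m = re.search(r"--to-ports?\s+(\d+)", rule)
        target = int(m.group(1)) if m else None
        payload_match = "-m string" in rule
        if payload_match or (target is not None and target not in expected_ports):
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_redirects(SAMPLE_IPTABLES_SAVE):
        print("SUSPICIOUS:", hit)
```

On a live appliance, feed the script the output of `iptables-save` (and `ip6tables-save`) and adjust `expected_ports` to the services the appliance legitimately exposes.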
Another novel technique was the creation of temporary network ports on existing virtual machines on VMware ESXi servers to access other services inside the environments.
Charles Carmakal, CTO at Mandiant, described the technique on LinkedIn as deploying “ghost NICs on virtual machines to evade defenders” because it left investigators chasing network activity from IP addresses that no longer existed and were never documented.
Network-edge appliances have become a common entry point into enterprise networks for sophisticated attackers. These appliances are typically not covered by logging solutions and lack endpoint malware detection, yet they contain troves of credentials and serve as excellent pivot points to internal services.
Dell recommends RecoverPoint for VMs be deployed inside a trusted, access-controlled network behind appropriate firewalls and segmentation, not on public-facing infrastructure. Meanwhile, the Mandiant blog post includes indicators of compromise and YARA detection rules for the new GRIMBOLT and SLAYSTYLE payloads.