Google Warns Critical Dell RecoverPoint Vulnerability Actively Exploited Since 2024

Google Threat Intelligence Group details GRIMBOLT backdoor, VMware “Ghost NIC” pivoting, and Tomcat Manager abuse in ongoing espionage campaign.

Published on Feb 18, 2026

Mandiant and Google Threat Intelligence Group (GTIG) have uncovered active exploitation of a critical vulnerability in Dell Technologies RecoverPoint for Virtual Machines, tracked as CVE-2026-22769.

The flaw carries a CVSSv3.1 score of 10.0 and has been abused since at least mid-2024, according to a joint technical analysis published by the researchers.

The activity is attributed to UNC6201, a suspected People’s Republic of China-nexus threat cluster. Investigators say the group used the vulnerability to perform code execution on affected appliances, move laterally, and maintain long-term persistence.

In multiple incident response engagements, attackers deployed the SLAYSTYLE web shell through the Apache Tomcat Manager interface. Mandiant found hard-coded default credentials in the appliance's Tomcat configuration files; with those credentials, adversaries could authenticate to the Manager, upload malicious WAR archives, and execute commands as root on the appliance.

GRIMBOLT Signals Tradecraft Shift

During September 2025 investigations, Mandiant observed attackers replacing the older BRICKSTORM malware with a newly identified backdoor called GRIMBOLT. The malware is written in C# and compiled with native ahead-of-time (AOT) compilation, a .NET capability introduced in 2022.

Unlike traditional .NET binaries, which ship as intermediate language and are compiled just in time at run time, native AOT produces machine code at build time. According to GTIG, this improves performance on resource-constrained appliances and complicates static analysis, because the intermediate-language metadata that common .NET analysis tools rely on is removed from the binary.

Persistence was achieved by modifying a legitimate boot script, convert_hosts.sh, to launch the backdoor at startup.

Beyond Dell appliances, researchers documented new techniques targeting VMware environments. These included the creation of temporary "Ghost NICs" on ESXi-hosted virtual machines to pivot internally, and the use of iptables rules for Single Packet Authorization, a technique in which a listening port is opened only after a specially crafted packet has been received from the connecting host.
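To make the iptables-based Single Packet Authorization pattern concrete, the following is an added example (not code from GTIG or rules recovered from any incident). It parses a constructed `iptables-save` dump and pairs rules that record a source address when a specific packet arrives (`-m recent --set`, here combined with a `-m string` payload match) with rules that ACCEPT traffic from recorded sources (`-m recent --rcheck` or `--update`). The list name, ports and payload string are invented. Port knocking tools such as fwknop produce the same rule shape legitimately, so a hit is something to reconcile against change records, not proof of compromise.

```python
"""Audit iptables rules for Single Packet Authorization (SPA) style port gating.

Added example for illustration; not code from the GTIG report. Usage on a
live host (hypothetical script name):  iptables-save | python3 spa_audit.py -
"""
import shlex
import sys

# Constructed iptables-save output; the spa list, ports and payload are invented.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 40123 -m string --string "knockknock" --algo bm -m recent --set --name spa --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 2222 -m recent --rcheck --seconds 60 --name spa --rsource -j ACCEPT
COMMIT
"""


def _opt(tokens, flag, default=None):
    """Value following `flag` in a tokenised iptables rule, or `default`."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return default


def describe_rule(line):
    """Extract the fields the audit needs from one `-A ...` rule line."""
    toks = shlex.split(line)
    uses_recent = any(toks[i] == "-m" and toks[i + 1] == "recent" for i in range(len(toks) - 1))
    action = next((t.lstrip("-") for t in toks if t in ("--set", "--rcheck", "--update", "--remove")), None)
    return {
        "raw": line,
        "chain": toks[1],
        "proto": _opt(toks, "-p"),
        "dport": _opt(toks, "--dport"),
        "payload": _opt(toks, "--string"),   # present only when -m string is used
        "target": _opt(toks, "-j"),
        "recent": action if uses_recent else None,
        "list": _opt(toks, "--name", "DEFAULT"),  # xt_recent list name
    }


def find_spa_gates(dump):
    """One finding per xt_recent list that is both armed by a trigger rule and
    used to ACCEPT traffic elsewhere, i.e. the SPA / port-knocking pattern."""
    setters, openers = {}, {}
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        rule = describe_rule(line)
        if rule["recent"] == "set":
            setters.setdefault(rule["list"], []).append(rule)
        elif rule["recent"] in ("rcheck", "update") and rule["target"] == "ACCEPT":
            openers.setdefault(rule["list"], []).append(rule)
    findings = []
    for name in sorted(setters.keys() & openers.keys()):
        for trig in setters[name]:
            for opener in openers[name]:
                findings.append({
                    "list": name,
                    "trigger": f"{trig['proto']}/{trig['dport']}",
                    "payload": trig["payload"],
                    "opens": f"{opener['proto']}/{opener['dport']}",
                })
    return findings


if __name__ == "__main__":
    dump = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_IPTABLES_SAVE
    for f in find_spa_gates(dump):
        print(f"[SPA] list {f['list']}: {f['trigger']} payload={f['payload']!r} -> opens {f['opens']}")
```

On the sample the audit reports a single gate: a UDP/40123 packet carrying the string `knockknock` arms the `spa` list, after which TCP/2222 is accepted from that source for 60 seconds. On a real appliance, also compare the output against the persisted rule set on disk, since a rule added only to the running kernel table disappears on reboot and would not show in saved configuration.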

Dell has released patches and mitigation guidance in its official security advisory. Security teams are urged to review Tomcat access logs, audit for unauthorized WAR deployments, and check their environments against the indicators of compromise (IoCs) shared by GTIG.
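The two checks recommended above, together with the default-credential problem described in the Tomcat Manager section, can be scripted. The following is an added example, not code from GTIG, Mandiant or Dell: it scans constructed Tomcat access-log lines for successful Manager deploy requests and parses a constructed tomcat-users.xml for accounts that hold a manager role with a default or sample password. Hosts, users, timestamps and passwords are made up; the Manager paths and role names are Tomcat's own.

```python
"""Review Tomcat access logs for Manager WAR deployments and tomcat-users.xml for
default manager credentials. Added example; inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed access-log lines in Tomcat's default '%h %l %u %t "%r" %s %b' pattern.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [03/Sep/2025:01:12:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [03/Sep/2025:01:12:09 +0000] "GET /manager/html HTTP/1.1" 200 15210
10.0.0.5 - tomcat [03/Sep/2025:01:12:31 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABCD HTTP/1.1" 200 17042
10.0.0.5 - - [03/Sep/2025:01:13:02 +0000] "GET /ws/cmd.jsp?c=id HTTP/1.1" 200 311
10.0.0.7 - deployer [03/Sep/2025:02:00:00 +0000] "PUT /manager/text/deploy?path=/app&update=true HTTP/1.1" 200 41
10.0.0.7 - deployer [03/Sep/2025:02:00:05 +0000] "GET /manager/text/list HTTP/1.1" 200 96
192.168.1.20 - - [03/Sep/2025:02:05:11 +0000] "GET /app/index.html HTTP/1.1" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that install a new web application (and therefore a web shell).
DEPLOY_ENDPOINTS = (
    ("POST", "/manager/html/upload"),  # HTML UI: multipart WAR upload
    ("PUT", "/manager/text/deploy"),   # text/script UI: request body is the WAR
    ("GET", "/manager/text/deploy"),   # text/script UI: deploy from a server-side path
)


def find_war_deployments(log_text):
    """Successful Manager deploy requests as dicts of host, user, time and request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        if e["status"] != "200":
            continue
        path = e["path"].split("?", 1)[0]
        if any(e["method"] == meth and path == ep for meth, ep in DEPLOY_ENDPOINTS):
            hits.append({"host": e["host"], "user": e["user"], "time": e["time"],
                         "request": f"{e['method']} {e['path']}"})
    return hits


# Constructed tomcat-users.xml. "tomcat"/"s3cret" mirror the commented-out sample
# entries that ship in Tomcat's own tomcat-users.xml; the other values are invented.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="svc_backup" password="Lq9!vT3#pZ8wRm2x" roles="manager-script"/>
  <user username="reader" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
# Sample/default passwords that should never be present on a shipped appliance.
DEFAULT_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "manager", "changeme"}


def find_default_manager_users(xml_text):
    """Usernames that hold a manager-* role and use a known default/sample password."""
    flagged = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":   # tolerate the tomcat.apache.org namespace
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if roles & MANAGER_ROLES and el.get("password", "") in DEFAULT_PASSWORDS:
            flagged.append(el.get("username"))
    return flagged


if __name__ == "__main__":
    for h in find_war_deployments(SAMPLE_ACCESS_LOG):
        print(f"[DEPLOY] {h['time']} {h['host']} user={h['user']} {h['request']}")
    for u in find_default_manager_users(SAMPLE_TOMCAT_USERS):
        print(f"[WEAK-CRED] manager user '{u}' has a default password")
```

Each deploy hit should be matched to a change record; the one in the sample from user `tomcat`, followed two seconds later by a request to an unrelated `.jsp` from the same address, is the pattern to escalate. The credential check only catches a small list of known sample passwords, so treat it as a floor: on an appliance, any manager-role account should be justified, and the Manager application removed if nothing legitimately uses it.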