A maximum-severity vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a China-linked cyber-espionage group, tracked by Google Mandiant and the Google Threat Intelligence Group (GTIG) as UNC6201. According to the public report, the flaw, registered as CVE-2026-22769, stems from hard-coded credentials in versions prior to 6.0.3.1 HF1 and lets an unauthenticated attacker who knows those credentials gain unauthorized, persistent access to the underlying system with root privileges.
The problem does not affect every RecoverPoint product; Dell clarifies that RecoverPoint Classic is not on the list of affected products. However, RecoverPoint for Virtual Machines releases such as 5.3 SP4 P1 and several 6.0 branches require urgent migration and/or updating to correct the flaw. Dell has issued specific guidance on which versions to update to and how to mitigate the risk in its official advisory, which should be consulted as a priority: Dell's security advisory.

The operating mechanism described by Mandiant/GTIG is direct and dangerous: the hard-coded credential allows authentication against the Apache Tomcat Manager bundled with the application. With it, the threat actor can upload a web shell named SLAYSTYLE through the "/manager/text/deploy" endpoint and run commands as root. This was the entry point for deploying a family of backdoors known as BRICKSTORM and a more recent, stealthier variant called GRIMBOLT. The technical analysis by Mandiant's team is in Google's report: UNC6201: exploitation of the zero-day in Dell RecoverPoint.
GRIMBOLT deserves special mention for its design. According to the researchers, it is a backdoor written in C# and compiled ahead-of-time (AOT) to native code, which makes it harder to reverse engineer and detect. In addition, its authors have worked to make the binaries blend in with the system's native files, reducing forensic traces. The transition from BRICKSTORM to GRIMBOLT in some environments, observed in September 2025, suggests a deliberate intention to remain undiscovered for longer.
The behaviour pattern of the UNC6201 group shows skilled tactics for hiding lateral movement. One of them is the creation of temporary virtual network interfaces, called "Ghost NICs", that allow the actor to pivot from compromised virtual machines into internal networks or SaaS services and that are then deleted to hamper investigation. In addition, on compromised VMware vCenter machines, iptables rules created by the web shell have been found that inspect TLS (port 443) traffic for a specific hexadecimal string and, when it is detected, add the source IP to an allow list and redirect its traffic to port 10443 for short periods. For those who want to become familiar with the kind of rules involved, a basic technical resource on iptables is useful: iptables tutorial.
The UNC6201 campaign does not operate in a vacuum: it shares tactics and malware families with other China-linked groups, such as UNC5221, and the same BRICKSTORM tool has also been associated with another actor, tracked by CrowdStrike as Warp Panda, in attacks against U.S. entities. Despite these tactical overlaps, analysts consider the clusters to be distinct threats, each with its own modus operandi and targets. The overlap underlines that state and state-aligned adversaries specialize in attacking virtualization infrastructure and edge devices that often lack traditional endpoint protection.
This last point is critical: many of the targeted appliances and gateways do not run regular EDR agents, which makes it easier for intruders to remain on the network for long periods without being detected. The consequence is a longer "dwell time" (the time the attacker remains in the environment) and more opportunities to exfiltrate data, plant backdoors or prepare later actions that can even reach industrial control systems (OT). In a related context, the firm Dragos has documented campaigns that compromise cellular gateways to pivot into engineering workstations in sectors such as energy and oil and gas, demonstrating the seriousness of the threat to critical infrastructure: report by Dragos.
What can and should affected or at-risk organizations do? First of all, update immediately to the remediated versions identified by Dell: for many branches that means moving to 6.0.3.1 HF1, or applying the migration steps from 5.3 SP4 P1 before installing the hotfix. Dell also emphasizes that RecoverPoint for Virtual Machines must be deployed within internal, trusted networks, protected by appropriate segmentation and firewalls, and never exposed directly to the Internet. The official Dell guide contains specific instructions on remediation versions and mitigation steps: Dell's advisory.

Patching alone is not enough: systems should also be audited for indicators of compromise. Priority tasks are to check for web shells in Tomcat, search process and file listings for matches with BRICKSTORM or GRIMBOLT, look for unusual iptables rules that redirect TLS traffic to port 10443, and hunt for ephemeral network interfaces. It is also recommended to strengthen integrity monitoring, further segment the networks hosting these appliances and review exposed administrative access. To understand what the iptables rules observed in real incidents do, the technical link cited above may help: iptables guide.
Response teams and security officers should coordinate with vendors to validate the remediation, collect forensic logs before applying disruptive changes and, where compromise is suspected, assume root-level persistence until proven otherwise. Since the operation exploits credentials hard-coded into the software, merely rotating external passwords is not enough: it is essential to apply the patches and follow the manufacturer's recommendations.
Finally, this episode is a reminder that high-end attackers seek out systems with little telemetry and little traditional protection. The industry should keep improving visibility into infrastructure appliances, demand secure development practices that avoid hard-coded credentials, and adopt network controls that reduce the exposure of critical components. For more context and technical detail on the research and attribution, the Google Mandiant report is required reading: Mandiant/GTIG report; for the vendor notification, see Dell's advisory.
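As an added example (not code from the article, Dell or Mandiant), the following Python script turns two of the audit tasks above into checks a responder can run offline: it parses `iptables-save` output for NAT rules that redirect port 443 traffic to port 10443 (or that use `-m string --hex-string` matching), and it scans Tomcat access-log lines for successful requests to the `/manager/text/deploy` endpoint. The sample rules, log lines, IP addresses and the hex pattern are constructed for illustration; the real hexadecimal string used by the actor is not given in the article, and the `allowed_sources` parameter is an assumed hook for hosts that legitimately deploy to the Manager.

```python
"""Constructed audit helpers for the indicators described above:
iptables rules that redirect TLS (443) traffic to port 10443, and Tomcat
Manager deploy requests. Sample input is constructed; run the same functions
over real `iptables-save` output and Tomcat access logs."""
import re
import shlex
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # "iptables" or "tomcat"
    line: str     # the offending rule or log line
    reason: str   # why it was flagged


# Constructed iptables-save excerpt: one ordinary rule, one REDIRECT of
# 443 -> 10443 for a single source, and one string-match rule with a
# placeholder hex pattern (the real pattern is not public in the article).
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -s 198.51.100.23/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
-A PREROUTING -p tcp -m tcp --dport 443 -m string --hex-string "|00 01 02 03|" --algo bm -j ACCEPT
COMMIT
"""

# Constructed Tomcat access-log lines in the default "common" pattern.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - tomcat [12/Sep/2025:10:22:01 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 42',
    '10.0.0.8 - - [12/Sep/2025:10:23:14 +0000] "GET /svc/index.jsp HTTP/1.1" 200 1024',
    '10.0.0.9 - tomcat [12/Sep/2025:11:00:00 +0000] "GET /manager/text/list HTTP/1.1" 200 210',
]


def parse_iptables_save(text):
    """Yield (table, argv) for every '-A ...' rule line in iptables-save output."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, shlex.split(line)


def _opt(argv, name):
    """Return the value that follows option `name` in argv, or None."""
    try:
        return argv[argv.index(name) + 1]
    except (ValueError, IndexError):
        return None


def audit_iptables(text, suspect_port="10443"):
    """Flag REDIRECT/DNAT rules landing on suspect_port and any string-match rules."""
    findings = []
    for table, argv in parse_iptables_save(text):
        dport = _opt(argv, "--dport")
        target = _opt(argv, "-j")
        dest = _opt(argv, "--to-ports") or _opt(argv, "--to-destination")
        # REDIRECT uses --to-ports 10443; DNAT uses --to-destination host:10443
        if target in ("REDIRECT", "DNAT") and dest and dest.split(":")[-1] == suspect_port:
            findings.append(Finding("iptables", " ".join(argv),
                                    f"{target} of dport {dport} to {dest} in table {table}"))
        if "string" in argv and "--hex-string" in argv:
            findings.append(Finding("iptables", " ".join(argv),
                                    "payload string match on traffic; verify it is expected"))
    return findings


# Default Tomcat access-log layout: %h %l %u %t "%r" %s %b
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def audit_tomcat_access_log(lines, allowed_sources=()):
    """Flag successful (2xx) Manager deploy requests from unexpected source IPs."""
    findings = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        if m["path"].startswith("/manager/text/deploy") and m["status"].startswith("2") \
                and m["ip"] not in allowed_sources:
            findings.append(Finding("tomcat", line,
                                    f"successful Manager deploy from {m['ip']} as {m['user']}"))
    return findings


if __name__ == "__main__":
    for f in audit_iptables(SAMPLE_IPTABLES_SAVE) + audit_tomcat_access_log(SAMPLE_ACCESS_LOG):
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

In production, feed `audit_iptables` the output of `iptables-save` (and `ip6tables-save`) captured before any remediation, and `audit_tomcat_access_log` the appliance's Tomcat access logs; every hit should be treated as a lead for the forensic collection the article recommends, not as proof on its own, since legitimate Manager deployments from a known build host will match too.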