
    China-linked hackers exploited Dell zero-day since 2024 (CVE-2026-22769)

By admin, February 18, 2026

    A suspected China-linked cyberespionage group has been covertly exploiting a critical zero-day flaw (CVE-2026-22769) in Dell’s RecoverPoint for Virtual Machines software since at least mid-2024, according to new research from Google’s threat intelligence team and Mandiant.

    The attackers deployed stealthy backdoors (BRICKSTORM and GRIMBOLT), a webshell (SLAYSTYLE) and maintained long-term access inside targeted networks.

    “Beyond the Dell appliance exploitation, Mandiant observed the actor employing novel tactics to pivot into VMware virtual infrastructure, including the creation of ‘Ghost NICs’ [i.e., Network Interface Cards] for stealthy network pivoting and the use of iptables for Single Packet Authorization (SPA),” the researchers shared on Tuesday.

They tied the attacks to UNC6201, a suspected PRC-nexus threat cluster that shows “notable overlaps” with UNC5221, a Chinese threat actor that’s often conflated with Silk Typhoon (“although GTIG does not currently consider the two clusters to be the same”).

    Default credentials exposed Dell backup systems to compromise

The analysts were unable to pinpoint how the attackers achieved initial access to affected systems, but UNC6201 is known to target edge appliances, as is UNC5221.

    Mandiant incident responders discovered CVE-2026-22769 while investigating hacked Dell RecoverPoint systems inside a victim’s network, after they noticed the systems were communicating with hacker-controlled command and control servers associated with BRICKSTORM and GRIMBOLT backdoors.

    “During analysis of the appliances, analysts identified multiple web requests to an appliance prior to compromise using the username admin. These requests were directed to the installed Apache Tomcat Manager, used to deploy various components of the Dell RecoverPoint software, and resulted in the deployment of a malicious WAR file containing a SLAYSTYLE web shell,” they explained.

    “After analyzing various configuration files belonging to Tomcat Manager, we identified a set of hard-coded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager, upload a malicious WAR file using the /manager/text/deploy endpoint, and then execute commands as root on the appliance.”
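The two artifacts the analysts describe, Manager deploy requests by the admin user and a privileged account in tomcat-users.xml, can both be checked from a defender's side. The helper below is an added example, not code from the Mandiant/GTIG report or from Dell: it flags Tomcat Manager deploy requests in access-log lines and lists accounts in tomcat-users.xml that hold a manager-* role. The log lines and XML are constructed samples; the HTML-UI upload/deploy routes are assumed to be the stock Tomcat Manager paths, and /manager/text/deploy is the route named above.

```python
import re
import xml.etree.ElementTree as ET

# Tomcat access log in the default "common" pattern:
#   host ident authuser [date] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager routes that deploy an application archive. /manager/text/deploy is the
# one named in the report; the /manager/html routes are assumed stock Tomcat paths.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")

def find_manager_deploys(log_lines):
    """Return (authuser, host, path, status) for every request that reached a
    Manager deploy route, whatever its status code (failed attempts matter too)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected access-log format; skip
        path = m.group("path").split("?", 1)[0]  # drop query string before matching
        if any(path.startswith(p) for p in DEPLOY_PATHS):
            hits.append((m.group("user"), m.group("host"), path, int(m.group("status"))))
    return hits

def manager_users(tomcat_users_xml):
    """Return {username: sorted roles} for accounts holding any manager-* role;
    each such account can push a WAR through the Manager app."""
    root = ET.fromstring(tomcat_users_xml)
    found = {}
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":  # tolerate the default xmlns on the root
            continue
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        if any(r.startswith("manager-") for r in roles):
            found[el.get("username")] = sorted(roles)
    return found

# Constructed sample data (not real victim logs or a real appliance config).
SAMPLE_LOG = """\
203.0.113.7 - admin [14/Jun/2024:02:11:09 +0000] "GET /manager/text/list HTTP/1.1" 200 311
203.0.113.7 - admin [14/Jun/2024:02:11:42 +0000] "PUT /manager/text/deploy?path=/sys&update=true HTTP/1.1" 200 58
10.0.0.5 - - [14/Jun/2024:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
""".splitlines()

SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user username="admin" password="PLACEHOLDER" roles="manager-gui,manager-script"/>
  <user username="reader" password="PLACEHOLDER" roles="viewer"/>
</tomcat-users>"""
```

Any account the second function returns on an appliance that never needs Manager access is a finding, and a deploy hit from an address that is not your deployment host is one to investigate.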

    The BRICKSTORM backdoor is a known threat, wielded by UNC5221 and related threat clusters, and deployed on appliances that do not support traditional endpoint detection and response (EDR) tools. This allows the attackers to keep their presence in target organizations’ networks quiet.

According to Mandiant and GTIG, the GRIMBOLT backdoor is compiled directly to machine code before it is run, which makes it easier to run on small devices and harder to detect via static analysis. The attackers edited a legitimate shell script so that it launches the backdoor each time the script runs.

    “It’s unclear if the threat actor’s replacement of BRICKSTORM with GRIMBOLT was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response efforts led by Mandiant and other industry partners,” the analysts added.

    Remediation and investigation

    Dell has provided instructions on how to remediate CVE-2026-22769, and Mandiant and GTIG have provided indicators of compromise, outlined artifacts that point to Dell RecoverPoint compromise, and shared YARA rules for detecting the presence of the GRIMBOLT backdoor and the SLAYSTYLE webshell.

    Earlier this month, CISA revised its report on the BRICKSTORM backdoor with the latest indicators of compromise related to the threat.
