In a recent threat intelligence briefing released by Mandiant and Google Threat Intelligence Group (GTIG) on February 19, 2026, a high‑risk zero‑day vulnerability in Dell RecoverPoint for Virtual Machines (RPVM) – CVE‑2026‑22769 – was identified as a major foothold for the PRC‑nexus threat cluster UNC6201. The flaw, assigned a CVSSv3.1 score of 10.0, enables attackers to upload malicious code via the Tomcat Manager interface, bypassing authentication and gaining root access to the appliance. The exploitation chain has been active since mid‑2024 and is currently being used to move laterally, persist, and deploy a suite of advanced malware including BRICKSTORM, GRIMBOLT, and SLAYSTYLE.
UNC6201’s tactics illustrate a sophisticated tradecraft shift. After compromising the appliance, the actor modifies the legitimate convert_hosts.sh script to execute backdoor binaries on boot, ensuring persistence across reboots. The malicious binaries are replaced over time – BRICKSTORM was first observed, then replaced by the newer GRIMBOLT backdoor in September 2025. GRIMBOLT is a C# program compiled with native ahead‑of‑time (AOT) compilation and packed with UPX, making static analysis difficult and execution faster on constrained resources.
Beyond the RPVM exploitation, UNC6201 has demonstrated pivoting techniques within VMware environments. The actor creates temporary network interfaces, dubbed “Ghost NICs,” on ESXi hosts and uses iptables for Single Packet Authorization (SPA). This allows selective traffic redirection to a controlled port (10443) for five minutes, enabling covert data exfiltration or command and control channels.
Key indicators of compromise (IOCs) are available through GTIG’s public collection. File hashes for GRIMBOLT, SLAYSTYLE, and BRICKSTORM binaries are listed, along with a notable C2 endpoint wss://149.248.11.71/rest/apisession and the associated IP address. YARA rules have been published to detect both the backdoor and the webshell payload.
For defenders, the following hardening and detection guidance is recommended:
- Patch promptly: Apply Dell’s official security advisory for CVE‑2026‑22769 immediately. Verify that all RPVM appliances are running the latest firmware.
- Restrict Tomcat Manager access: Remove or harden default credentials in `/home/kos/tomcat9/tomcat-users.xml`. Use a dedicated, strong password and consider IP whitelisting.
- Monitor deployment logs: Check `/home/kos/auditlog/fapi_cl_audit_log.log` for any `/manager/text/deploy` requests. Flag any `PUT` or `POST` operations targeting WAR files.
- Inspect WAR files: Validate content in `/var/lib/tomcat9` and compiled artifacts in `/var/cache/tomcat9/Catalina`. Compare hashes against known clean baselines.
- Audit script modifications: Verify `convert_hosts.sh` for unauthorized changes. Maintain a signed checksum repository for critical scripts.
- Detect iptables anomalies: Watch for dynamic rule creation matching the SPA pattern. Correlate with sudden traffic spikes or connection attempts to port 10443.
- Deploy YARA detection: Use the provided rules to scan endpoints and network traffic for GRIMBOLT and SLAYSTYLE signatures.
- Segment network zones: Isolate RPVM appliances from the rest of the network. Limit lateral movement possibilities.
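The log-monitoring, script-audit and iptables checks from the list above, together with the port 10443 redirection described earlier, as one added example written for this page (it is not code from the Mandiant/GTIG report or from Dell). The audit-log layout is assumed to be an Apache-style access log; the real `fapi_cl_audit_log.log` format should be confirmed on an appliance before the regex is trusted. The sample log lines, script contents, baseline hashes and iptables output are all constructed, and the `convert_hosts.sh` path is a placeholder because the page does not give it.

```python
"""Detection helpers for the RPVM hardening checklist.

Added example, not code from the Mandiant/GTIG report or from Dell.
Assumptions: the audit log is parsed as an Apache-style access log (confirm
the real fapi_cl_audit_log.log layout on an appliance); every sample log line,
script body, hash and iptables rule below is constructed. The endpoint
/manager/text/deploy and port 10443 are the ones named in the advisory text.
"""
import hashlib
import re

# Assumed line layout: <client> - <user> [<time>] "<METHOD> <path> HTTP/x" <status> <bytes>
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
_DEPLOY_ENDPOINT = "/manager/text/deploy"
_SPA_PORT = 10443

# Constructed stand-in for /home/kos/auditlog/fapi_cl_audit_log.log
SAMPLE_AUDIT_LOG = """\
10.0.0.5 - admin [19/Feb/2026:10:01:02 +0000] "GET /manager/text/list HTTP/1.1" 200 512
10.0.0.5 - admin [19/Feb/2026:10:01:09 +0000] "PUT /manager/text/deploy?path=/rp&update=true HTTP/1.1" 200 74
10.0.0.9 - - [19/Feb/2026:10:03:44 +0000] "GET /RecoverPointCentral/ HTTP/1.1" 200 2048
10.0.0.5 - admin [19/Feb/2026:10:05:00 +0000] "POST /manager/html/upload HTTP/1.1" 200 74
10.0.0.5 - admin [19/Feb/2026:10:06:12 +0000] "GET /manager/text/deploy?path=/x&war=file:/tmp/x.war HTTP/1.1" 200 61
"""


def find_suspicious_deployments(log_text: str) -> list[dict]:
    """Flag every request to the text-manager deploy endpoint, any PUT/POST
    that names a .war file in its path, and any other PUT/POST under /manager/
    (the HTML manager carries the WAR in the request body, so the path alone
    does not reveal it). Unparseable lines are skipped, not trusted."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        method, path = m["method"], m["path"]
        reason = None
        if path.startswith(_DEPLOY_ENDPOINT):
            reason = "text-manager deploy request"
        elif method in ("PUT", "POST") and ".war" in path.lower():
            reason = f"{method} referencing a WAR file"
        elif method in ("PUT", "POST") and path.startswith("/manager/"):
            reason = f"{method} to the Tomcat Manager"
        if reason:
            hits.append({"client": m["client"], "user": m["user"], "ts": m["ts"],
                         "method": method, "path": path, "reason": reason})
    return hits


def verify_script_checksums(current: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Return paths whose SHA-256 differs from the signed baseline. A path that
    is absent from the baseline is reported too, since an unknown script is a finding."""
    return sorted(path for path, content in current.items()
                  if baseline.get(path) != hashlib.sha256(content).hexdigest())


# Constructed script body and a tampered copy with an appended launcher line.
# "<rpvm-path>" is a placeholder: the page does not give the script's directory.
SCRIPT_PATH = "<rpvm-path>/convert_hosts.sh"
CLEAN_CONVERT_HOSTS = b"#!/bin/bash\n# constructed stand-in for convert_hosts.sh\nupdate_hosts_file\n"
TAMPERED_CONVERT_HOSTS = CLEAN_CONVERT_HOSTS + b"/tmp/constructed_backdoor_stub &\n"
BASELINE = {SCRIPT_PATH: hashlib.sha256(CLEAN_CONVERT_HOSTS).hexdigest()}


def find_spa_redirects(rules: str, port: int = _SPA_PORT) -> list[str]:
    """Return iptables rules that steer traffic to the SPA port (REDIRECT,
    DNAT or a plain --dport match), which should never appear on a clean RPVM host."""
    pat = re.compile(rf'(--dport|--to-ports?|--to-destination \S*:)\s*{port}\b')
    return [r for r in rules.splitlines() if pat.search(r)]


# Constructed stand-in for `iptables -t nat -S` output
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -s 198.51.100.23/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
"""

if __name__ == "__main__":
    for hit in find_suspicious_deployments(SAMPLE_AUDIT_LOG):
        print(f"[deploy] {hit['ts']} {hit['client']} {hit['method']} {hit['path']} :: {hit['reason']}")
    for path in verify_script_checksums({SCRIPT_PATH: TAMPERED_CONVERT_HOSTS}, BASELINE):
        print(f"[script] checksum mismatch: {path}")
    for rule in find_spa_redirects(SAMPLE_NAT_RULES):
        print(f"[iptables] SPA-style rule: {rule}")
```

The three checks are deliberately independent so each can be scheduled on its own: the log scan over a rotated audit log, the checksum comparison against a baseline kept off the appliance, and the iptables scan on a short interval, since the report describes the redirect rule living for only five minutes.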
In addition to technical controls, organizations should maintain robust incident response plans that cover virtual infrastructure compromise. Regularly test rollback procedures for RPVM backups and validate that restored systems are free of backdoors. Continuous monitoring of outbound DNS queries is essential, as UNC6201 frequently uses DNS‑over‑HTTPS to reach its C2 endpoints.
By combining rapid patching, strict access controls, vigilant log monitoring, and advanced threat detection, security teams can mitigate the risk posed by the CVE‑2026‑22769 zero‑day and prevent the deployment of the evolving backdoor ecosystem employed by UNC6201.