A most severity security vulnerability in Dell RecoverPoint for Digital Machines has been exploited as a zero-day by a suspected China-nexus risk cluster dubbed UNC6201 since mid-2024, in line with a brand new report from Google Mandiant and Google Menace Intelligence Group (GTIG).
The exercise includes the exploitation of CVE-2026-22769 (CVSS rating: 10.0), a case of hard-coded credentials affecting variations prior to six.0.3.1 HF1. Different merchandise, together with RecoverPoint Traditional, are usually not weak to the flaw.
“That is thought-about essential as an unauthenticated distant attacker with information of the hardcoded credential may doubtlessly exploit this vulnerability, resulting in unauthorized entry to the underlying working system and root-level persistence,” Dell stated in a bulletin launched Tuesday.
The difficulty impacts the next merchandise –
- RecoverPoint for Digital Machines Model 5.3 SP4 P1 – Migrate from RecoverPoint for Digital Machines 5.3 SP4 P1 to six.0 SP3, after which improve to six.0.3.1 HF1
- RecoverPoint for Digital Machines Variations 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1 – Improve to six.0.3.1 HF1
- RecoverPoint for Digital Machines Variations 5.3 SP4, 5.3 SP3, 5.3 SP2, and earlier – Improve to model 5.3 SP4 P1 or a 6.x model, after which apply the mandatory remediation
“Dell recommends that RecoverPoint for Digital Machines be deployed inside a trusted, access-controlled inner community protected by applicable firewalls and community segmentation,” it famous. “RecoverPoint for Digital Machines isn’t meant to be used on untrusted or public networks.”
Per Google, the hard-coded credential pertains to an “admin” consumer for the Apache Tomcat Supervisor occasion that may very well be used authenticate to the Dell RecoverPoint Tomcat Supervisor, add an internet shell named SLAYSTYLE through the “/supervisor/textual content/deploy” endpoint, and execute instructions as root on the equipment to drop the BRICKSTORM backdoor and its newer model dubbed GRIMBOLT.
“It is a C# backdoor compiled utilizing native ahead-of-time (AOT) compilation, making it tougher to reverse engineer,” Mandiant’s Charles Carmakal added.
Google informed The Hacker Information that the exercise has focused organizations throughout North America, with GRIMBOLT incorporating options to higher evade detection and reduce forensic traces on contaminated hosts. “GRIMBOLT is even higher at mixing in with the system’s personal native recordsdata,” it added.
UNC6201 can be assessed to share overlaps with UNC5221, one other China-nexus espionage cluster identified for its exploitation of virtualization applied sciences and Ivanti zero-day vulnerabilities to distribute net shells and malware households like BEEFLUSH, BRICKSTORM, and ZIPLINE.
Regardless of the tactical similarities, the 2 clusters are assessed to be distinct at this stage. It is value noting that using BRICKSTORM has additionally been linked by CrowdStrike to a 3rd China-aligned adversary tracked as Warp Panda in assaults aimed toward U.S. entities.
A noteworthy side of the most recent set of assaults revolves round UNC6201’s reliance on non permanent digital community interfaces – known as “Ghost NICs” – to pivot from compromised digital machines into inner or SaaS environments, after which delete these NICs to cowl up the tracks in an effort to impede investigation efforts.
“Per the sooner BRICKSTORM marketing campaign, UNC6201 continues to focus on home equipment that sometimes lack conventional endpoint detection and response (EDR) brokers to stay undetected for lengthy durations,” Google stated.
Precisely how preliminary entry is obtained stays unclear, however like UNC5221, it is also identified to focus on edge home equipment to interrupt into goal networks. An evaluation of the compromised VMware vCenter home equipment has additionally uncovered iptable instructions executed via the net shell to carry out the next set of actions –
- Monitor incoming site visitors on port 443 for a selected HEX string
- Add the supply IP deal with of that site visitors to an inventory and if the IP deal with is on the checklist and connects to port 10443, the connection is ACCEPTED
- Silently redirect subsequent site visitors to port 443 to port 10443 for the following 300 seconds (5 minutes) if the IP is on the accepted checklist
Moreover, the risk actor has been discovered changing previous BRICKSTORM binaries with GRIMBOLT in September 2025. Whereas GRIMBOLT additionally gives a distant shell functionality and makes use of the identical command-and-control (C2) as BRICKSTORM, it isn’t identified what prompted the shift to the harder-to-detect malware, and whether or not it was a deliberate transition or a response to public disclosures about BRICKSTORM.
“Nation-state risk actors proceed focusing on methods that do not generally help EDR options, which makes it very onerous for sufferer organizations to know they’re compromised and considerably prolongs intrusion dwell occasions,” Carmakal stated.
The disclosure comes as Dragos warned of assaults mounted by Chinese language teams like Volt Storm (aka Voltzite) to compromise Sierra Wi-fi Airlink gateways positioned in electrical and oil and gasoline sectors, adopted by pivoting to engineering workstations to dump config and alarm knowledge.
The exercise, in line with the cybersecurity firm, came about in July 2025. The hacking crew is alleged to accumulate preliminary entry from Sylvanite, which quickly weaponizes edge system vulnerabilities earlier than patches are utilized and fingers off entry for deeper operational expertise (OT) intrusions.
“Voltzite moved past knowledge exfiltration to direct manipulation of engineering workstations investigating what would set off processes to cease,” Dragos stated. ” This represents the elimination of the final sensible barrier between having entry and inflicting bodily penalties. Mobile gateways create unauthorized pathways into OT networks bypassing conventional security controls.”
