Full Report
Full scale of infections remains 'unknown' China-linked attackers exploited a maximum-severity hardcoded-credential bug in Dell RecoverPoint for Virtual Machines as a zero-day since at least mid-2024. It's all part of a long-running effort to backdoor infected machines for long-term access, according to Dell and Google's Mandiant incident response team.…
Analysis Summary
# Threat Actor: UNC6201
## Attribution & Identity
* **Identification:** UNC6201 is a suspected PRC-nexus (People's Republic of China) threat cluster.
* **Aliases/Associations:** Described as "China-linked snoops" and associated with broad state-sponsored activity previously identified by CISA and CrowdStrike regarding VMware environment targeting.
## Activity Summary
UNC6201 has been active since at least **mid-2024**, exploiting a zero-day vulnerability in **Dell RecoverPoint for Virtual Machines**. The campaign involves gaining initial access through hardcoded credentials to deploy web shells and backdoors. The operation is characterized by its long-term nature, aimed at maintaining persistent access for potential disruption or sabotage. In September 2025, the actor was observed transitioning from older malware (Brickstorm) to a more sophisticated backdoor (Grimbolt).
## Tactics, Techniques & Procedures
* **Exploitation of Hardcoded Credentials:** Exploited **CVE-2026-22769**, a maximum-severity bug in Dell RecoverPoint for VMs involving hardcoded Apache Tomcat Manager credentials ("admin").
* **Persistence via Boot Scripts:** Modified legitimate shell scripts (e.g., `convert_hosts.sh`) executed at boot time via `rc.local` to ensure malware persistence.
* **Stealthy Network Pivoting:** Created **"Ghost NICs"** (hidden, temporary network interfaces attached to existing virtual machines on ESXi servers) to move laterally while bypassing standard network monitoring.
* **Malware Evolution:** Transitioned from Go and Rust-based binaries to C# with Native AOT compilation to evade static analysis.
* **Web Shell Deployment:** Utilized malicious WAR files to deploy web shells for OS-level access.
**MITRE ATT&CK IDs:**
* **T1190:** Exploit Public-Facing Application (CVE-2026-22769)
* **T1037.004:** Boot or Logon Initialization Scripts: rc.local
* **T1021:** Remote Services (Lateral movement through VMware infrastructure)
* **T1505.003:** Server Software Component: Web Shell
* **T1027.002:** Obfuscated Files or Information: Software Packing (UPX)
## Targeting
* **Sectors:** Critical Infrastructure, Government (indicated by U.S. government warnings regarding "critical U.S. networks").
* **Geography:** Primarily focused on the United States; broader global scale remains "unknown."
* **Victims:** Dozens of critical U.S. networks overall; Mandiant confirmed "less than a dozen" organizations affected by the Dell zero-day itself.
## Tools & Infrastructure
* **Malware Families:**
  * **Slaystyle:** A web shell deployed via malicious WAR files.
  * **Brickstorm:** A backdoor originally written in Go/Rust used for persistent access.
  * **Grimbolt:** A novel C# backdoor (packed with UPX) that replaced Brickstorm in late 2025; features remote shell capabilities.
* **Infrastructure:**
  * **C2:** Grimbolt utilizes the same command-and-control infrastructure as the predecessor Brickstorm.
  * **Targeted Hardware:** Dell RecoverPoint for Virtual Machines; VMware ESXi servers.
## Implications
UNC6201 represents a high-tier strategic threat focused on **long-term persistence** rather than immediate data theft. The use of "Ghost NICs" and evasion-heavy malware (Native AOT/UPX) suggests a highly sophisticated actor capable of hiding within virtualized infrastructure for years. The potential for "sabotage" noted by CISA implies these actors may be "pre-positioning" for future kinetic or digital disruption during a geopolitical conflict.
## Mitigations
* **Patching:** Immediately apply Dell security advisory **DSA-2026-079** to remediate CVE-2026-22769.
* **Integrity Monitoring:** Audit the `convert_hosts.sh` and `rc.local` files on Dell appliances for unauthorized modifications.
* **Hunt for Grimbolt:** Organizations previously targeted by the **Brickstorm** malware should specifically hunt for **Grimbolt** signatures (C# Native AOT + UPX) and shared C2 infrastructure.
* **Virtualization Security:** Monitor ESXi environments for the creation of unexpected or "ghost" network interfaces and unauthorized web requests to Apache Tomcat Manager components.
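One way to operationalise the integrity-monitoring item above, as an added example that is not Dell's or Mandiant's code: hash `rc.local` and every script it invokes against a baseline recorded from a known-good appliance, since the reported persistence was planted in a script `rc.local` already ran rather than in `rc.local` itself. The `convert_hosts.sh` location and the sample file contents are constructed assumptions; a real baseline comes from a clean install or vendor-published hashes.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Absolute paths on a command line; the lookbehind skips tails of relative paths.
ABS_PATH_RE = re.compile(r"(?<![\w./-])(/[\w./-]+)")

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def boot_chain(rc_local):
    """rc.local plus every existing absolute path it invokes: the reported
    persistence lived in a script rc.local already called, so baseline those too."""
    rc_local = Path(rc_local)
    files = {str(rc_local)}
    for line in rc_local.read_text().splitlines():
        for p in ABS_PATH_RE.findall(line.split("#", 1)[0]):  # strip comments
            if Path(p).is_file():
                files.add(p)
    return sorted(files)

def take_baseline(files):
    """Hashes recorded from a known-good appliance or vendor-published values."""
    return {f: sha256_file(f) for f in files}

def check_baseline(baseline):
    """Return [(path, 'modified' | 'missing')] for every file that drifted."""
    findings = []
    for path, expected in baseline.items():
        if not Path(path).is_file():
            findings.append((path, "missing"))
        elif sha256_file(path) != expected:
            findings.append((path, "modified"))
    return findings

def demo():
    """Constructed scenario: baseline a clean boot chain, then append a line to
    the script rc.local calls and show the drift is reported."""
    root = Path(tempfile.mkdtemp())
    script = root / "convert_hosts.sh"  # hypothetical location, not Dell's real path
    script.write_text("#!/bin/sh\n/sbin/ip addr show\n")
    rc_local = root / "rc.local"
    rc_local.write_text(f"#!/bin/sh\n{script}\nexit 0\n")
    baseline = take_baseline(boot_chain(rc_local))
    clean = check_baseline(baseline)  # [] while nothing has changed
    with script.open("a") as f:  # simulated tampering
        f.write("echo appended line\n")
    return clean, check_baseline(baseline)  # ([], [(<script>, 'modified')])
```

Run the baseline step once on a freshly patched appliance and schedule `check_baseline` afterwards; any `modified` or `missing` result on a boot-chain file warrants a forensic copy before remediation.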