APT Exploits Dell RecoverPoint Zero-Day Since 2024
Key Findings
A suspected China-linked APT group, UNC6201, has been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024.
The vulnerability, tracked as CVE-2026-22769, has a CVSS score of 10.0 and involves hardcoded credentials that can be abused to gain unauthorized access and root-level persistence.
The group has used the flaw to move laterally, maintain persistence, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel C# backdoor named GRIMBOLT.
Mandiant and Google's Threat Intelligence Group (GTIG) have reported on this activity, providing details on the group's tactics, techniques, and procedures (TTPs).
Background
Dell RecoverPoint for Virtual Machines is a data protection and disaster recovery solution for VMware environments.
The vulnerable versions of the software include 5.3 SP4 and earlier, as well as 6.0, 6.0 SP1, 6.0 SP2, and 6.0 SP3 prior to 6.0.3.1 HF1.
Dell has released patches and mitigation guidance to address the vulnerability.
Exploitation and Malware Deployment
The attackers used the hardcoded credentials to authenticate to the Tomcat Manager application on the Dell RecoverPoint appliance.
They then uploaded a malicious WAR file containing the SLAYSTYLE web shell, allowing them to execute commands as root on the appliance.
The group used the SLAYSTYLE web shell to deploy the BRICKSTORM backdoor and its newer variant, GRIMBOLT, a C# backdoor compiled using native ahead-of-time (AOT) compilation.
GRIMBOLT provides remote shell access and reuses the same command-and-control channels as BRICKSTORM.
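The chain described above (Manager login, WAR deployment, then requests to the newly installed web shell) leaves a recognisable trace in the appliance's Tomcat access log. The script below is an added example for this write-up, not code from Dell, Mandiant or GTIG; it assumes the appliance's Tomcat writes the default access-log pattern (%h %l %u %t "%r" %s %b) and flags successful deployments through the Manager's deploy and upload endpoints, then any JSP request into a context that was deployed that way. The log lines, hosts and user name are constructed.

```python
"""Triage Tomcat access-log lines for Manager-driven WAR deployments.

Added example for this write-up; not Dell, Mandiant or GTIG code.
Assumes the default Tomcat access-log pattern ("%h %l %u %t \"%r\" %s %b").
All sample data below is constructed.
"""
import re
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Tomcat Manager endpoints that install a new web application.
DEPLOY_PATHS = {"/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy"}

Finding = namedtuple("Finding", "kind host user context line")

# Constructed sample: an interactive Manager session followed by a deploy
# and a request into the freshly deployed context.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2026:14:20:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - mgr-user [10/Feb/2026:14:20:15 +0000] "GET /manager/html HTTP/1.1" 200 19432
10.0.0.5 - mgr-user [10/Feb/2026:14:22:01 +0000] "PUT /manager/text/deploy?path=/status&update=true HTTP/1.1" 200 58
10.0.0.5 - - [10/Feb/2026:14:22:40 +0000] "POST /status/index.jsp HTTP/1.1" 200 142
10.0.0.9 - - [10/Feb/2026:14:23:02 +0000] "GET /healthz HTTP/1.1" 200 12
"""


def parse(line):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return Findings for Manager deployments and follow-on JSP hits."""
    findings = []
    deployed = {}  # context path -> host that deployed it
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        url = urlsplit(rec["target"])
        if (url.path in DEPLOY_PATHS and rec["method"] in ("PUT", "POST")
                and rec["status"] == "200"):
            # /manager/text/deploy names the context in ?path=; the HTML upload
            # form derives it from the WAR filename, which the log does not show.
            ctx = parse_qs(url.query).get("path", [None])[0]
            if ctx:
                deployed[ctx] = rec["host"]
            findings.append(Finding("manager_deploy", rec["host"], rec["user"], ctx, line))
            continue
        # Any JSP served from a context installed via the Manager is worth a look:
        # a freshly deployed WAR answering POSTs to a .jsp is the web-shell pattern.
        for ctx in deployed:
            if url.path.startswith(ctx + "/") and url.path.endswith(".jsp"):
                findings.append(Finding("post_deploy_jsp", rec["host"], rec["user"], ctx, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:16} {f.host:10} {f.context or '?':10} {f.line}")
```

Run it against the appliance's real access log (for example by piping it through `triage(sys.stdin)`), and treat any `manager_deploy` on a backup appliance whose WARs are not supposed to change as an incident trigger; the `post_deploy_jsp` findings tell you which context to pull off the box for analysis.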
Lateral Movement and Persistence
The attackers leveraged "Ghost NICs" (temporary virtual network interfaces) to pivot from compromised virtual machines into internal or SaaS environments.
They also used iptables-based Single Packet Authorization to covertly redirect and control traffic on vCenter appliances.
To ensure persistence, the group modified a legitimate startup script to run the backdoor automatically at boot.
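Both persistence mechanisms above (a modified startup script and added iptables rules on a vCenter appliance) can be caught by diffing the live host against a baseline taken from a clean appliance. The script below is an added example for this write-up, not code from Dell, Mandiant or GTIG; it assumes you hold the `iptables-save` output and a path-to-SHA-256 map of startup scripts captured from a known-good appliance, and it reports added rules and changed scripts. The watch-list of rule tokens is a heuristic chosen for the example, and all baseline and current data below is constructed.

```python
"""Report iptables rules and startup scripts that differ from a clean baseline.

Added example for this write-up; not Dell, Mandiant or GTIG code.
Assumes a baseline (iptables-save text plus {path: sha256}) captured from a
known-good appliance. All sample data below is constructed.
"""
import hashlib

# Match extensions and targets that make an unexpected new rule more suspicious
# (heuristic for this example: stateful/pattern matches and traffic redirection).
WATCH_TOKENS = ("-m string", "-m u32", "-m recent", "-j REDIRECT", "-j DNAT")


def rules(iptables_save_text):
    """Return the set of (table, rule) pairs from iptables-save output."""
    out, table = set(), None
    for line in iptables_save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *nat
            table = line[1:]
        elif line.startswith("-A"):       # an actual rule; ":" lines are chain policies
            out.add((table, line))
    return out


def new_rules(baseline_text, current_text):
    """Rules present now but absent from the baseline, with matching watch tokens."""
    added = rules(current_text) - rules(baseline_text)
    return sorted((table, rule, [t for t in WATCH_TOKENS if t in rule])
                  for table, rule in added)


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def changed_scripts(baseline_hashes, current_contents):
    """(path, baseline_hash, current_hash) for every script whose hash moved."""
    changed = []
    for path, content in current_contents.items():
        digest = sha256_of(content)
        if baseline_hashes.get(path) != digest:
            changed.append((path, baseline_hashes.get(path), digest))
    return changed


# Constructed baseline: what a clean appliance looked like.
BASELINE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""
CLEAN_SCRIPT = b"#!/bin/sh\n/opt/app/bin/start\n"
BASELINE_HASHES = {"/etc/init.d/app": sha256_of(CLEAN_SCRIPT)}

# Constructed current state: a new nat rule and an extra line in the startup script.
CURRENT_RULES = BASELINE_RULES + """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -m recent --rcheck --seconds 30 --name spa -j REDIRECT --to-ports 8443
COMMIT
"""
CURRENT_SCRIPTS = {"/etc/init.d/app": CLEAN_SCRIPT + b"/var/tmp/.svc &\n"}


if __name__ == "__main__":
    for table, rule, hits in new_rules(BASELINE_RULES, CURRENT_RULES):
        print(f"NEW RULE [{table}] {rule}  watch={hits}")
    for path, old, new in changed_scripts(BASELINE_HASHES, CURRENT_SCRIPTS):
        print(f"CHANGED {path}: {old} -> {new}")
```

In practice the baseline should come from a freshly installed or vendor-verified appliance of the same version, and the comparison should run from a separate host (for example over SSH with `iptables-save` and `sha256sum`), since a compromised appliance's own tooling cannot be trusted.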
Impact and Recommendations
The exploitation of this zero-day vulnerability has allowed the suspected China-linked group to gain access to and compromise VMware backup systems.
Dell strongly recommends that customers upgrade to the patched versions or apply the necessary mitigations as soon as possible to address this critical vulnerability.
Organizations should also review their security posture, implement robust endpoint detection and response (EDR) solutions, and closely monitor their VMware environments for any signs of compromise.
Sources
https://securityaffairs.com/188176/apt/china-linked-apt-weaponized-dell-recoverpoint-zero-day-since-2024.html
https://thehackernews.com/2026/02/dell-recoverpoint-for-vms-zero-day-cve.html
https://x.com/securityaffairs/status/2024095660094431393
https://www.securityweek.com/dell-recoverpoint-zero-day-exploited-by-chinese-cyberespionage-group/
https://www.instagram.com/p/DU6bg6oEjVS/