A China-linked cyberespionage group has exploited a zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines since at least mid-2024, according to Google’s Threat Intelligence Group and Mandiant.
GTIG and Mandiant attributed the exploitation of CVE-2026-22769 to a group tracked as UNC6201, which used the vulnerability for lateral movement, persistence, and malware deployment.
Dell's advisory describes CVE-2026-22769 as a hardcoded-credential vulnerability affecting RecoverPoint for Virtual Machines versions before 6.0.3.1 HF1. Users should update to the patched version immediately.
“[CVE-2026-22769] is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence,” Dell said.
This is the first public mention of the threat group UNC6201. Google also noted connections to UNC5221, a Chinese APT known for lingering in compromised networks for extended periods to gather valuable data.
Google reported in September 2025 that the UNC5221 group used stolen information from the BrickStorm malware to find zero-day vulnerabilities in enterprise tech. It’s uncertain if CVE-2026-22769 is one of those vulnerabilities.
Google’s latest report states that the group UNC6201 initially used BrickStorm malware but replaced it with GrimBolt in September 2025.
GrimBolt is a backdoor developed in C# that is compiled using native ahead-of-time (AOT) compilation and packed with UPX, which makes it more difficult to analyze. The malware provides remote shell capabilities.
“It’s unclear if the threat actor’s replacement of BrickStorm with GrimBolt was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response efforts led by Mandiant and other industry partners,” GTIG and Mandiant said.
Google researchers found that UNC6201 created 'ghost' virtual network interfaces (NICs) on VMs and deleted them once their activity was complete, which made the intrusions harder to detect and investigate.
Mandiant CTO Charles Carmakal noted in a LinkedIn post that “nation-state threat actors continue targeting systems that don’t commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times.”
GTIG and Mandiant have published indicators of compromise (IoCs) to help defenders spot possible attacks.
| Family | File Name | SHA256 |
|---|---|---|
| GRIMBOLT | support | 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c |
| GRIMBOLT | out_elf_2 | dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591 |
| SLAYSTYLE | default_jsp.java | 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a |
| BRICKSTORM | N/A | aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878 |
| BRICKSTORM | splisten | 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df |
| BRICKSTORM | N/A | 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759 |
| BRICKSTORM | N/A | 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035 |
| BRICKSTORM | N/A | 45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830 |
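As an added example (not code from Google, Mandiant or Dell), the following script shows one way a defender can put the published IoCs to work: it walks a directory tree, hashes every regular file with SHA-256, and reports any file whose digest matches the table above. Because the article notes that GrimBolt is a UPX-packed native binary, the scan also flags ELF files carrying the `UPX!` marker that the packer leaves in its output; that marker check is a triage heuristic assumed here (it is not part of the published IoCs, a packer can be modified to strip it, and many legitimate binaries are UPX-packed), so a UPX hit alone means "look closer", not "compromised". The hash set is copied verbatim from the table; the directory, file names and contents used in the usage call at the bottom are constructed for illustration.

```python
"""Match files against the GTIG/Mandiant IoC hashes and flag UPX-packed ELF binaries.

Added example for defenders; it is not code from Google, Mandiant or Dell.
"""
import hashlib
import os
from pathlib import Path

# SHA-256 values exactly as published in the IoC table, keyed to the malware family.
IOC_SHA256 = {
    "24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c": "GRIMBOLT",
    "dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591": "GRIMBOLT",
    "92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a": "SLAYSTYLE",
    "aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878": "BRICKSTORM",
    "2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df": "BRICKSTORM",
    "320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759": "BRICKSTORM",
    "90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035": "BRICKSTORM",
    "45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830": "BRICKSTORM",
}

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # assumption: marker string UPX leaves in packed files (heuristic only)


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_upx_packed_elf(path, window=64 * 1024):
    """Heuristic: ELF magic at offset 0 and the UPX marker in the file's head or tail."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(window)
        if not head.startswith(ELF_MAGIC):
            return False
        if UPX_MARKER in head:
            return True
        fh.seek(max(0, size - window))
        tail = fh.read(window)
    return UPX_MARKER in tail


def scan_directory(root, iocs=IOC_SHA256):
    """Walk `root`; return a finding for every IoC hash match or UPX-packed ELF file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # skip links and special files; only hash regular files
            try:
                digest = sha256_file(path)
                family = iocs.get(digest)
                packed = is_upx_packed_elf(path)
            except OSError:
                continue  # unreadable file (permissions, vanished mid-scan); move on
            if family or packed:
                findings.append(
                    {"path": str(path), "sha256": digest, "family": family, "upx_elf": packed}
                )
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python ioc_scan.py /path/to/scan   (target directory is the operator's choice)
    for finding in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        label = finding["family"] or ("UPX-packed ELF" if finding["upx_elf"] else "")
        print(f'{finding["sha256"]}  {label:<16}  {finding["path"]}')
```

Run it against directories where the listed file names would plausibly land (the `support`, `out_elf_2` and `splisten` names from the table are a starting point for where to look, not a substitute for hashing), and treat a family match as a confirmed IoC hit and a UPX-only hit as a candidate for manual review. The hash comparison is exact, so a recompiled or repacked sample with a different digest will not match; pair it with the behavioural observations in the report, such as the short-lived ghost NICs, rather than relying on hashes alone.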