InfoSecBulletin Cybersecurity for mankind
A China-linked cyberespionage group has exploited a zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines since at least mid-2024, according to Google’s Threat Intelligence Group and Mandiant.
GTIG and Mandiant attributed the exploitation of CVE-2026-22769 to a group called UNC6201, who used the vulnerability for lateral movement, persistence, and deploying malware.
WhatsApp to allow usernames instead of phone numbers
Linux Unveils New Open Source Security Project “Akrites” For (OSS) Ecosystem
Data breach affects 14.2 million email logins across six ISPs
Asian Two AI startups launch Mythos-like Model
Polymarket Hack Reportedly Results in $3 Million Theft
Anthropic Confirms US Infrastructure Redeployment of Claude Mythos 5
Hackers Target Cloudflare-Hosted AWS Domains to Steal Console Logins
Daily Cyber security update for 26. 06. 2026
WhatsApp to Alert Users Before Chatting With New Numbers
OpenAI unveils its first custom chip, Named Jalapeño
Dell advises that CVE-2026-22769 is a hardcoded credential vulnerability in RecoverPoint for Virtual Machines versions before 6.0.3.1 HF1. Users should update to the patched version immediately.
“[CVE-2026-22769] is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence,” Dell said.
This is the first public mention of the threat group UNC6201. Google also noted connections to UNC5221, a Chinese APT known for lingering in compromised networks for extended periods to gather valuable data.
Google reported in September 2025 that the UNC5221 group used stolen information from the BrickStorm malware to find zero-day vulnerabilities in enterprise tech. It’s uncertain if CVE-2026-22769 is one of those vulnerabilities.
Google’s latest report states that the group UNC6201 initially used BrickStorm malware but replaced it with GrimBolt in September 2025.
GrimBolt is a backdoor developed in C# that is compiled using native ahead-of-time (AOT) compilation and packed with UPX, which makes it more difficult to analyze. The malware provides remote shell capabilities.
“It’s unclear if the threat actor’s replacement of BrickStorm with GrimBolt was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response efforts led by Mandiant and other industry partners,” GTIG and Mandiant said.
Google researchers found that UNC6201 created ‘ghost NICs’ on VMs. After their attacks, the threat actors deleted these NICs, which made the attacks harder to detect and investigate.
Mandiant CTO Charles Carmakal noted in a LinkedIn post that “nation-state threat actors continue targeting systems that don’t commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times.”
GTIG and Mandiant have provided signs of compromise to help defenders spot possible attacks.
| Family | File Name | SHA256 |
| GRIMBOLT | support | 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c |
| GRIMBOLT | out_elf_2 | dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591 |
| SLAYSTYLE | default_jsp.java | 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a |
| BRICKSTORM | N/A | aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878 |
| BRICKSTORM | splisten | 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df |
| BRICKSTORM | N/A | 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759 |
| BRICKSTORM | N/A | 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035 |
| BRICKSTORM | N/A | 45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830 |
