Since mid-2024, Chinese state-sponsored hackers have been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines. Google Threat Intelligence Group (GTIG) and Mandiant attribute the attacks to UNC6201, a threat cluster closely associated with Silk Typhoon, a group that has filed more than ten patents while engaging in cyber espionage.
This vulnerability, tracked as CVE-2026-22769, gives attackers complete root access without any authentication and carries the maximum CVSS score of 10.0. By using it to install sophisticated malware, attackers can infiltrate victim networks and continue their long-term eavesdropping activities. As hackers shift their attention from on-premises systems to cloud-based setups, Dell users, especially those in critical sectors, face serious risks.
The vulnerability stems from hardcoded default credentials in the Apache Tomcat Manager configuration. After logging in as administrators, attackers upload a malicious WAR file (a Java web archive containing their code) and execute commands with root privileges. They then have complete control over the appliance.
UNC6201 uses additional tooling to dig deeper once inside. To move stealthily between internal networks and cloud environments, the group sets up "Ghost NICs," fictitious network interfaces on VMware servers. Logs in files such as /home/kos/auditlog/fapi_cl_audit_log.log show suspicious requests to the /manager/text/deploy endpoint, a clear indication of compromise.

GRIMBOLT: Evolution from BRICKSTORM

The campaign began with BRICKSTORM, a simple backdoor used for initial access. By September 2025, UNC6201 had upgraded to GRIMBOLT, a lean C#-based implant compiled with native ahead-of-time (AOT) techniques. AOT compilation turns the code directly into machine language, which improves speed on low-power devices and makes analysis harder for defenders. GRIMBOLT conceals itself by altering a legitimate script, /home/kos/kbox/src/installation/distribution/convert_hosts.sh, so that it runs on each reboot. Persistence is reinforced by further tools such as SLAYSTYLE web shells, which appear in /var/lib/tomcat9/.
Security teams hunting for this activity should look for the following indicators.

CVE ID: CVE-2026-22769
CVSS Score: 10.0 (Critical)
Description: Hardcoded credential vulnerability permitting unauthenticated remote root access
Affected Component: Dell RecoverPoint for Virtual Machines (Tomcat Manager)
Malware Families: GRIMBOLT (C# AOT-compiled backdoor), BRICKSTORM (legacy backdoor), SLAYSTYLE (web shell)
Persistence (web shell path): /var/lib/tomcat9/ (malicious WAR file upload location)
Persistence (modified file): /home/kos/kbox/src/installation/distribution/convert_hosts.sh
Log Artifact: Requests to /manager/text/deploy in /home/kos/auditlog/fapi_cl_audit_log.log
Attribution: UNC6201 (suspected PRC-nexus, overlaps with Silk Typhoon)

Dell has issued an urgent fix: upgrade to version 6.0.3.1 HF1 or run Dell's remediation script right away. Look for /manager hits in Tomcat logs, isolate impacted appliances, and keep an eye out for unexpected NICs in VMware.
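The log triage recommended above, as an added example that is not from the original article or from Dell: it walks audit-log lines, flags any Tomcat Manager request, and escalates PUTs to /manager/text/deploy (the WAR deployment path). The log line layout and the sample lines are constructed for this example; the real fapi_cl_audit_log.log format may differ, so adjust LINE_RE before use.

```python
"""Flag Tomcat Manager activity in a constructed RecoverPoint-style audit log."""
import re
from collections import Counter

# Constructed sample, not taken from a real appliance: "<ts> <src> <method> <path> <status>".
SAMPLE_LOG = """\
2025-09-12T03:14:07Z 203.0.113.45 GET /RecoverPoint/api/status 200
2025-09-12T03:14:09Z 203.0.113.45 GET /manager/html 401
2025-09-12T03:14:11Z 203.0.113.45 PUT /manager/text/deploy?path=/api&update=true 200
2025-09-12T03:14:20Z 203.0.113.45 GET /api/cmd 200
2025-09-12T04:00:00Z 10.0.0.8 GET /RecoverPoint/api/status 200
"""

# Assumed layout; replace with a pattern matching the actual log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Severity for one parsed request: 'critical', 'suspicious', or None if benign."""
    path = entry["path"].split("?", 1)[0]
    if path.startswith("/manager/text/deploy") and entry["method"] == "PUT":
        return "critical"  # WAR deployment through the Manager text API
    if path.startswith("/manager/"):
        return "suspicious"  # any Manager hit on this appliance deserves review
    return None


def triage(log_text):
    """Return (findings, hits-per-source) for every Manager request in the log."""
    findings, sources = [], Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # skip lines that do not fit the assumed layout
        label = classify(entry)
        if label:
            findings.append((label, entry["ts"], entry["src"], entry["method"], entry["path"], entry["status"]))
            sources[entry["src"]] += 1
    return findings, sources


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[0]:
        print(*finding)
```

A 401 on /manager/html followed by a 200 on a deploy PUT from the same source is the sequence to escalate: it shows credentials being accepted on the Manager endpoint.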
Quick action breaks the espionage chain even as UNC6201's tradecraft evolves. As state actors refine these plays, remain alert.

Make ZeroOwl your Google Preferred Source.