Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
Essential information
- Published: 18/02/2026 12:11
- Modified: 18/02/2026 16:40
- Tags: 2026-02-18 CVE-2026-22769 brickstorm c2 dell recoverpoint grimbolt lateral movement persistence slaystyle vmware zero-day
- Related entities: 1 vulnerability (CVE), 9 observables, 1 intrusion set (APT), 16 techniques (MITRE), 3 malware
Description
UNC6201, a suspected PRC-nexus threat group, has been exploiting a zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024. The group uses the flaw for lateral movement, persistent access, and deployment of malware including SLAYSTYLE, BRICKSTORM, and a new backdoor called GRIMBOLT. GRIMBOLT, written in C# and compiled with native AOT, represents a shift in tradecraft intended to complicate analysis and improve performance. The actors also employed novel tactics to pivot into VMware infrastructure, including creating 'Ghost NICs' and using iptables for Single Packet Authorization. Dell has released patches for the vulnerability, and the post provides detailed technical analysis, detection opportunities, and hardening guidance.