Mandiant and Google Threat Intelligence Group have uncovered the zero-day exploitation of a critical vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769. This flaw, carrying a CVSS score of 10.0, involves hard-coded default credentials in the Apache Tomcat Manager that allow attackers to deploy malicious WAR files and gain root-level access. The activity is attributed to UNC6201, a suspected PRC-nexus threat cluster that has been active since mid-2024, focusing on lateral movement and persistent access within virtualized environments.
The threat actor's toolkit includes the SLAYSTYLE web shell and the novel GRIMBOLT backdoor; GRIMBOLT is built with C# Native Ahead-of-Time (AOT) compilation, which hinders static analysis of the .NET code and keeps the binary light enough for resource-constrained appliances. Beyond the Dell exploitation, UNC6201 has introduced further tactics for VMware infrastructure, such as the creation of "Ghost NICs" for stealthy network pivoting and the use of iptables-based Single Packet Authorization (SPA) to hide command-and-control listeners until a crafted packet is received.
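The deployment path described above, valid credentials followed by a WAR push through the Tomcat Manager, leaves a trace in the Tomcat access log. The following is an added example (not code from Mandiant, Google, or Dell) that flags requests to the Manager's deployment endpoints in such a log. It assumes the appliance writes Tomcat's default common-format access log and that the Manager application is mounted at the default /manager context; the log lines are constructed for the example and are not from the incident.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Tomcat's default ("common") access log format.
# They are illustrative only, not data from any real appliance or the reported intrusion.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jan/2026:10:02:11 +0000] "GET /manager/html HTTP/1.1" 200 13920
10.0.0.5 - admin [12/Jan/2026:10:02:19 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 8801
10.0.0.9 - - [12/Jan/2026:10:03:40 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 401 2473
10.0.0.9 - tomcat [12/Jan/2026:10:03:41 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 57
192.168.1.20 - - [12/Jan/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# host ident user [time] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Tomcat Manager endpoints that deploy an application, keyed by URL path (query string ignored).
# /manager/html/upload is the HTML UI's WAR upload; the text interface accepts a PUT body or a
# GET with a server-side war= location; /manager/deploy is the legacy alias of the text interface.
DEPLOY_ENDPOINTS = {
    "/manager/html/upload": {"POST"},
    "/manager/text/deploy": {"PUT", "GET"},
    "/manager/deploy": {"PUT", "GET"},
}


@dataclass(frozen=True)
class DeployEvent:
    ip: str
    user: str      # "-" when the request carried no accepted credentials
    ts: str
    method: str
    path: str
    status: int


def parse_line(line: str):
    """Return a DeployEvent if the line is a request to a Manager deployment endpoint, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    methods = DEPLOY_ENDPOINTS.get(path)
    if methods is None or m.group("method") not in methods:
        return None
    return DeployEvent(
        ip=m.group("ip"), user=m.group("user"), ts=m.group("ts"),
        method=m.group("method"), path=path, status=int(m.group("status")),
    )


def find_deploy_events(log_text: str):
    """All deployment attempts, whether or not Tomcat accepted them (401/403 attempts are still signal)."""
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev is not None]


def successful_deploys(log_text: str):
    """Deployment requests Tomcat answered with 200; each one means a WAR was accepted."""
    return [ev for ev in find_deploy_events(log_text) if ev.status == 200]


def attempts_by_ip(log_text: str):
    """Count deployment attempts per source address; a burst from one host is worth triage."""
    counts = {}
    for ev in find_deploy_events(log_text):
        counts[ev.ip] = counts.get(ev.ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in find_deploy_events(SAMPLE_LOG):
        print(f"{ev.ts} {ev.ip} user={ev.user} {ev.method} {ev.path} -> {ev.status}")
    print("successful:", len(successful_deploys(SAMPLE_LOG)))
    print("per source:", attempts_by_ip(SAMPLE_LOG))
```

On an appliance where nobody is expected to deploy applications through the Manager at all, any hit from this filter is worth investigating; a 401 followed seconds later by a 200 from the same address, as in the sample, is the pattern of a credential being tried and accepted.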