Ghost NICs & Secret Knocks: Dell Zero-Day (CVSS 10) Exploited by UNC6201

A high-risk zero-day vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) has been exploited since mid-2024 by a suspected PRC-nexus cluster tracked as UNC6201 to gain footholds in the virtualization layer and deploy backdoors. Researchers report UNC6201 upgraded its toolkit in September 2025 to include an AOT-compiled C# backdoor named GRIMBOLT and used techniques like Ghost NICs and an iptables-based Single Packet Authorization for stealthy persistence and lateral movement. #GRIMBOLT #UNC6201

Keypoints

  • CVE-2026-22769 is a CVSS 10.0 zero-day in Dell RecoverPoint for Virtual Machines exploited for initial access.
  • UNC6201 has been exploiting the flaw since at least mid-2024 to deploy SLAYSTYLE, BRICKSTORM, and other tools.
  • In September 2025 the group replaced BRICKSTORM with a more advanced AOT-compiled C# backdoor called GRIMBOLT to hinder static analysis.
  • Attackers created temporary “Ghost NICs” on compromised ESXi servers to pivot to internal networks and SaaS infrastructure.
  • Persistence relied on an iptables proxy and a Single Packet Authorization “knock” that opens a port for 300 seconds, making the backdoor stealthy.
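As an added defensive example (not from the article or the underlying research), the script below audits `iptables-save` output for knock-style gates of the kind described above: a single packet that marks a sender in a list, after which traffic to an otherwise closed port is accepted or redirected for a limited window. The article does not give the exact rule form, so the constructed sample assumes the common implementation with the `recent` match module and a 300-second window.

```python
import re
from collections import defaultdict

# Constructed iptables-save excerpt (not taken from the page). It models a
# knock-style gate: one UDP packet to 55555 records the sender in the
# 'recent' list "knock"; for the next 300 seconds that sender's TCP traffic
# to 8443 is accepted and redirected to a local listener on 7001.
SAMPLE_RULES = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 8443 -m recent --rcheck --seconds 300 --name knock -j REDIRECT --to-ports 7001
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 55555 -m recent --set --name knock -j DROP
-A INPUT -p tcp -m tcp --dport 8443 -m recent --rcheck --seconds 300 --name knock -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j DROP
COMMIT
"""

# Matches only rules that use the 'recent' module; everything else is ignored.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+).*?-p (?P<proto>\S+).*?--dport (?P<port>\d+)"
    r".*?-m recent (?P<op>--set|--rcheck|--update)"
    r"(?:\s+--seconds (?P<secs>\d+))?.*?--name (?P<name>\S+).*?-j (?P<target>.+)$"
)

def find_knock_gates(rules_text):
    """Return one finding per 'recent' list that is both populated by a packet
    match (--set) and later consulted with a time window (--rcheck/--update
    --seconds N) to accept or redirect traffic to a hidden port."""
    lists = defaultdict(lambda: {"knock_ports": [], "gated": []})
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        port = f"{m['proto']}/{m['port']}"
        entry = lists[m["name"]]
        if m["op"] == "--set":
            entry["knock_ports"].append(port)
        elif m["secs"] and m["target"].split()[0] in ("ACCEPT", "REDIRECT", "DNAT"):
            entry["gated"].append((port, int(m["secs"]), m["target"]))
    return [{"list": name, **entry} for name, entry in lists.items()
            if entry["knock_ports"] and entry["gated"]]

if __name__ == "__main__":
    for finding in find_knock_gates(SAMPLE_RULES):
        print(f"knock list '{finding['list']}': set by {finding['knock_ports']}")
        for port, secs, target in finding["gated"]:
            print(f"  opens {port} for {secs}s -> {target}")
```

On a live host, feed it `iptables-save` (and `ip6tables-save`) output and treat any finding on a system that should not run a knock daemon as worth a closer look.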

Read More: https://securityonline.info/ghost-nics-secret-knocks-dell-zero-day-cvss-10-exploited-by-unc6201/