Mandiant and Google Threat Intelligence Group (GTIG) identified exploitation of CVE-2026-22769, a critical vulnerability in Dell RecoverPoint for Virtual Machines, by UNC6201 beginning in mid-2024. The intrusions enabled lateral movement and persistent access and delivered the SLAYSTYLE web shell, the BRICKSTORM backdoor, and a new Native AOT-compiled backdoor tracked as GRIMBOLT. Dell has published remediations. The report details WAR deployment through Tomcat Manager using hard-coded admin credentials, persistence via modification of convert_hosts.sh, pivoting into VMware infrastructure using temporary “Ghost NICs,” and iptables-based Single Packet Authorization to gate access to a proxy. #CVE-2026-22769 #UNC6201 #GRIMBOLT #BRICKSTORM #SLAYSTYLE #DellRecoverPoint
Keypoints
- UNC6201 exploited CVE-2026-22769 in Dell RecoverPoint for Virtual Machines since at least mid-2024 to deploy web shells and backdoors.
- Threat actors abused hard-coded admin credentials in Tomcat (tomcat-users.xml) to authenticate to Tomcat Manager and upload malicious WAR files through the /manager/text/deploy endpoint.
- Actors initially deployed SLAYSTYLE web shells, maintained persistence by modifying /home/kos/kbox/src/installation/distribution/convert_hosts.sh, and later replaced BRICKSTORM with a new Native AOT C# backdoor named GRIMBOLT.
- GRIMBOLT is a UPX-packed, Native AOT-compiled C# backdoor that provides a remote shell and uses the same C2 as BRICKSTORM; Native AOT compilation produces a native binary rather than IL, which complicates static analysis and improves performance on the appliance.
- Mandiant observed novel pivoting into VMware infrastructure including creation of temporary “Ghost NICs” on ESXi VMs and iptables-based Single Packet Authorization to control proxy access.
- The report provides forensic artifacts, YARA rules, IOCs (file hashes, filenames, C2 endpoints), and actionable detection and remediation guidance; Dell has released advisories and fixes.
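The Tomcat Manager abuse above (hard-coded credentials in tomcat-users.xml, then a WAR pushed through /manager/text/deploy) leaves two artifacts a responder can check quickly: privileged users in tomcat-users.xml and Manager deploy requests in the Tomcat access log. The script below is an added example and not code from the report, Mandiant, or Dell; the tomcat-users.xml fragment, the access-log lines, the source addresses, and the weak-password list are all constructed for illustration, and the access-log layout is assumed to be Tomcat's common log format.

```python
"""Added example (not from the Mandiant/GTIG report): audit tomcat-users.xml for
Manager-capable users and scan Tomcat access-log lines for Manager deployments.
All sample data below is constructed, not a real artifact."""
import re
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml resembling an appliance default (assumed layout).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script"/>
  <user username="ops" password="K9f#2Lq!xR" roles="manager-gui"/>
</tomcat-users>
"""

# Roles that allow deploying code through the Manager application.
MANAGER_ROLES = {"manager-gui", "manager-script", "admin-gui", "admin-script"}
# Small built-in list of default/weak secrets (assumed); extend from your own policy.
WEAK_PASSWORDS = {"admin", "password", "tomcat", "s3cret", "manager"}


def audit_tomcat_users(xml_text):
    """Return users holding a Manager role, flagging default or trivial passwords."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":      # strip XML namespace
            continue
        name = elem.get("username", "")
        pw = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if privileged:
            findings.append({
                "user": name,
                "roles": sorted(privileged),
                "weak_password": pw in WEAK_PASSWORDS or pw == name,
            })
    return findings


# Constructed Tomcat access-log lines (common log format assumed).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2025:02:14:07 +0000] "GET /manager/text/list HTTP/1.1" 200 312
10.0.0.5 - admin [12/Mar/2025:02:14:09 +0000] "PUT /manager/text/deploy?path=/support HTTP/1.1" 200 41
10.0.0.5 - - [12/Mar/2025:02:14:12 +0000] "POST /support/default.jsp HTTP/1.1" 200 1820
10.0.0.9 - - [12/Mar/2025:02:15:00 +0000] "GET /ui/login HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Text and HTML Manager interfaces both accept deployments.
DEPLOY_RE = re.compile(r"^/manager/(text|html)/(deploy|upload)")


def find_manager_deploys(log_text):
    """Return Manager deployments with the context path each one created."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not DEPLOY_RE.match(m["path"]):
            continue
        ctx = re.search(r"[?&]path=([^&\s]+)", m["path"])
        hits.append({
            "src": m["src"], "user": m["user"], "ts": m["ts"],
            "method": m["method"], "status": int(m["status"]),
            "context": ctx.group(1) if ctx else None,
        })
    return hits


def requests_to_deployed_contexts(log_text):
    """Requests that hit a context deployed through Manager in the same log
    (a web shell being used looks exactly like this)."""
    contexts = {h["context"] for h in find_manager_deploys(log_text) if h["context"]}
    followups = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for ctx in contexts:
            if m["path"] == ctx or m["path"].startswith(ctx + "/"):
                followups.append((m["src"], m["method"], m["path"]))
    return followups


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("privileged user:", f)
    for h in find_manager_deploys(SAMPLE_ACCESS_LOG):
        print("manager deploy:", h)
    for r in requests_to_deployed_contexts(SAMPLE_ACCESS_LOG):
        print("request to deployed context:", r)
```

On a real appliance, point `audit_tomcat_users` at the tomcat-users.xml path named in the report and feed the access log under the Tomcat logs directory; a PUT to /manager/text/deploy from a non-administrative source followed by requests into the new context is the pattern worth escalating.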
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to deploy a malicious WAR via Tomcat Manager using the deployment endpoint (‘upload a malicious WAR file using the /manager/text/deploy endpoint’).
- [T1078] Valid Accounts – Threat actor authenticated using hard-coded/default admin credentials found in /home/kos/tomcat9/tomcat-users.xml (‘hard-coded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml’).
- [T1547] Boot or Logon Autostart Execution – Persistence was established by modifying a startup shell script executed at boot (rc.local) to invoke the backdoor (‘modifying a legitimate shell script named convert_hosts.sh … executed by the appliance at boot time via rc.local’).
- [T1505.003] Server Software Component: Web Shell – SLAYSTYLE web shells were deployed to Tomcat Manager to execute commands and facilitate further activity (‘resulted in the deployment of a malicious WAR file containing a SLAYSTYLE web shell’).
- [T1090] Proxy – iptables rules were used to proxy and redirect traffic and implement Single Packet Authorization, approving specific source IPs and redirecting port 443 to 10443 (‘iptables … monitoring incoming traffic on port 443 for a specific HEX string’ and associated redirect rules).
- [T1071] Application Layer Protocol – Command-and-control used WebSocket-based C2 endpoints (wss://) for backdoor communications (‘wss://149.248.11.71/rest/apisession’).
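The T1090 entry above describes iptables watching port 443 for a specific hex string, approving the sending source, and redirecting 443 to 10443. In iptables terms that is usually a `string`/`hex-string` match paired with the `recent` module to record the knocking address, plus a `nat` rule that redirects only addresses on that list. The script below is an added example, not code from the report or from Dell; the iptables-save rule set is constructed, the knock pattern `|5350412d4b4e4f434b|` and list name `spa_ok` are invented for illustration and are not indicators from the report.

```python
"""Added example (not from the Mandiant/GTIG report): detect SPA-style gated
port redirection in iptables-save output.  The rule set is constructed and the
knock hex string is invented; neither is an indicator from the report."""
import shlex

# Constructed iptables-save excerpt: a knock listener on 443 that records the
# sender in a 'recent' list, and a nat rule that redirects listed senders to 10443.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 300 --name spa_ok --rsource -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -m string --hex-string "|5350412d4b4e4f434b|" --algo bm -m recent --set --name spa_ok --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rules(save_text):
    """Return (table, tokens) for every -A rule in iptables-save output."""
    table, rules = None, []
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            rules.append((table, shlex.split(line)))   # shlex keeps quoted hex strings intact
    return rules


def _opt(tokens, flag):
    """Value following a flag, or None if the flag is absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None


def find_spa_rules(save_text):
    """Flag the two halves of an SPA gate plus any bare port redirects."""
    findings = []
    for table, toks in parse_rules(save_text):
        chain = toks[1]
        dport = _opt(toks, "--dport")
        recent_name = _opt(toks, "--name") if "recent" in toks else None
        target = _opt(toks, "-j")
        # 1. knock listener: payload match that adds the source to a 'recent' list
        if "string" in toks and "--set" in toks and recent_name:
            pattern = _opt(toks, "--hex-string") or _opt(toks, "--string")
            findings.append({"kind": "spa_knock", "table": table, "chain": chain,
                             "dport": dport, "pattern": pattern, "list": recent_name})
        # 2. gate: only sources already on the list are redirected to the hidden port
        if "--rcheck" in toks or "--update" in toks:
            if target == "REDIRECT":
                findings.append({"kind": "spa_gate", "table": table, "chain": chain,
                                 "dport": dport, "to_ports": _opt(toks, "--to-ports"),
                                 "list": recent_name})
        elif target == "REDIRECT":
            findings.append({"kind": "redirect", "table": table, "chain": chain,
                             "dport": dport, "to_ports": _opt(toks, "--to-ports")})
    return findings


def spa_pairs(findings):
    """Return (knock, gate) pairs that share the same 'recent' list name."""
    knocks = {f["list"]: f for f in findings if f["kind"] == "spa_knock"}
    return [(knocks[g["list"]], g)
            for g in findings if g["kind"] == "spa_gate" and g["list"] in knocks]


if __name__ == "__main__":
    found = find_spa_rules(SAMPLE_IPTABLES_SAVE)
    for f in found:
        print(f)
    for knock, gate in spa_pairs(found):
        print(f"SPA gate: knock on {knock['dport']} with {knock['pattern']} "
              f"opens redirect {gate['dport']} -> {gate['to_ports']} (list {gate['list']})")
```

Run it against `iptables-save` (and `ip6tables-save`) from the appliance; a bare `redirect` finding for 443 to a high port is suspicious on its own, and a matching knock/gate pair is the SPA technique the report describes. Because the gate lives in the `nat` table, `iptables -L` alone will not show it; use `iptables-save` or `iptables -t nat -S`.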
Indicators of Compromise
- [File Hashes] GRIMBOLT/BRICKSTORM/SLAYSTYLE samples – 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c, dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591, and 6 more hashes.
- [File Names] Known malicious artifacts and upload names – default_jsp.java, support/out_elf_2, splisten, and 2 more filenames.
- [C2 Endpoints / IPs] Command-and-control endpoints observed – wss://149.248.11.71/rest/apisession (C2 endpoint), 149.248.11.71 (C2 IP).
- [File Paths / Configs] Tomcat and persistence artifacts – /home/kos/tomcat9/tomcat-users.xml (hard-coded admin credentials), /home/kos/kbox/src/installation/distribution/convert_hosts.sh (modified for persistence).