Mandiant and the Google Threat Intelligence Group (GTIG) identified an actively exploited zero-day vulnerability in Dell RecoverPoint for Virtual Machines, attributed to the UNC6201 threat group. In a report titled ‘From BRICKSTORM to GRIMBOLT,’ researchers detail how the actor is exploiting the flaw to evolve its tradecraft and expand access within victim environments. The vulnerability, caused by hard-coded credentials, enables unauthenticated access and the deployment of persistent backdoors, creating a direct pathway into backup and disaster recovery systems.
Although Dell has released mitigations, security experts warn that organizations must move quickly to apply patches and monitor for indicators of compromise. The risk is particularly acute in OT (operational technology) and ICS (industrial control system) environments, where backup infrastructure often intersects with critical operations and could provide attackers with a foothold into sensitive networks.
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) once again updated its Brickstorm Backdoor Malware Analysis Report, developed in coordination with the National Security Agency and the Canadian Centre for Cyber Security. The revised report adds technical analysis and detection signatures for a newly identified Brickstorm variant that leverages .NET Native Ahead-of-Time compilation, increasing its versatility and complicating detection efforts. The update delves into the variant’s functionality and offers new YARA rules to support detection.
Previous joint analysis released with U.S. and allied partners describes how the malware enables command execution, file transfer, and lateral movement while blending into legitimate system activity, complicating detection and response.
Industrial cybersecurity reporting has highlighted that such activity is not confined to traditional IT environments. Across critical infrastructure sectors, where virtualization platforms increasingly support energy, manufacturing, water, and transportation operations, compromise of that layer can create indirect but serious operational risk. By targeting the systems that manage data flow, backups, and orchestration, Brickstorm demonstrates how adversaries can position themselves inside the digital backbone of critical infrastructure, potentially disrupting service delivery without ever directly touching the control layer.
The latest report expands on earlier GTIG research into Brickstorm espionage activity, offering a detailed technical analysis of CVE-2026-22769 exploitation and the capabilities of Grimbolt malware. In September 2025, Mandiant observed a campaign replacing older Brickstorm binaries with Grimbolt. Representing an evolution in tradecraft, Grimbolt is written in C# and compiled with native ahead-of-time (AOT) compilation to hinder static analysis and optimize performance on resource-constrained appliances.
“Mandiant discovered CVE-2026-22769 while investigating multiple Dell RecoverPoint for Virtual Machines within a victim’s environment that had active C2 associated with BRICKSTORM and GRIMBOLT backdoors,” Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson, Jr., and Rich Reece, Mandiant researchers wrote in a Wednesday blog post. “During analysis of the appliances, analysts identified multiple web requests to an appliance prior to compromise using the username admin. These requests were directed to the installed Apache Tomcat Manager, used to deploy various components of the Dell RecoverPoint software, and resulted in the deployment of a malicious WAR file containing a SLAYSTYLE web shell.”
They added that after analyzing various configuration files belonging to Tomcat Manager, “we identified a set of hard-coded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager, upload a malicious WAR file using the /manager/text/deploy endpoint, and then execute commands as root on the appliance.”
During the recent investigations, Mandiant observed continued compromise of VMware virtual infrastructure by the threat actor, as previously reported by Mandiant and CrowdStrike. Several new TTPs were also discovered that had not previously been reported.
Mandiant discovered the threat actor creating new temporary network ports on existing virtual machines running on an ESXi server. Using these network ports, the threat actor then pivoted to various internal and software-as-a-service (SaaS) infrastructures used by the affected organizations.
While analyzing compromised vCenter appliances, Mandiant recovered commands from the Systemd Journal showing that the threat actor used a deployed SLAYSTYLE web shell to execute iptables rules enabling Single Packet Authorization.
The commands monitored incoming traffic on port 443 for a specific hexadecimal string and added the source IP address of matching traffic to an approved list. If an IP address on that list subsequently connected to port 10443, the connection was accepted. Once that approved traffic had reached port 10443, redirection took over: for the next 300 seconds (five minutes), any traffic to port 443 from an approved IP address was silently redirected to port 10443.
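From the defender's side, the rule pattern described above can be hunted for in recovered iptables commands or iptables-save output. The following Python script is an added example, not code from the Mandiant report; the sample rules, the hex marker, the list name "spa" and the table layout are constructed placeholders, not the actor's real values.

```python
import shlex

# Constructed sample rules modelled on the behaviour described above; the hex
# marker, list name and table layout are placeholders, not the actor's values.
SAMPLE_RULES = [
    "-A INPUT -p tcp --dport 22 -j ACCEPT",
    '-A INPUT -p tcp --dport 443 -m string --algo bm --hex-string "|41 42 43 44|" '
    "-m recent --name spa --set -j DROP",
    "-A INPUT -p tcp --dport 10443 -m recent --name spa --rcheck --seconds 300 -j ACCEPT",
    "-t nat -A PREROUTING -p tcp --dport 443 -m recent --name spa --rcheck "
    "--seconds 300 -j REDIRECT --to-ports 10443",
]

def rule_indicators(rule):
    """Return the SPA-style building blocks present in a single iptables rule."""
    toks = shlex.split(rule)
    modules = {toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "-m"}
    found = set()
    # payload inspection of a packet for a secret marker (the "knock")
    if "string" in modules and ("--hex-string" in toks or "--string" in toks):
        found.add("payload-match")
    # the recent module keeps the per-source approved list
    if "recent" in modules:
        if "--set" in toks:
            found.add("recent-set")
        if "--rcheck" in toks or "--update" in toks:
            found.add("recent-check")
    if "--seconds" in toks:
        found.add("timed")
    j = toks.index("-j") + 1 if "-j" in toks else len(toks)
    if j < len(toks) and toks[j] == "REDIRECT":
        found.add("redirect")
    return sorted(found)

def assess(rules):
    """Flag individual rules and decide whether they form the full SPA chain."""
    flagged = [(r, ind) for r in rules if (ind := rule_indicators(r))]
    knock = any({"payload-match", "recent-set"} <= set(i) for _, i in flagged)
    gate = any("recent-check" in i for _, i in flagged)
    redirect = any("redirect" in i for _, i in flagged)
    return {"flagged": flagged, "spa_pattern": knock and gate and redirect}

if __name__ == "__main__":
    for rule, ind in assess(SAMPLE_RULES)["flagged"]:
        print(ind, rule)
```

Any single rule carrying a payload match plus a recent-list insert is worth a look on its own; the full verdict only fires when the knock, the gated port and the timed redirect all appear.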
To support remediation efforts, investigators must conduct full disk image analysis of affected Dell RecoverPoint for Virtual Machines systems. High-value forensic artifacts include Tomcat Manager web logs, where any requests to /manager should be treated as suspicious. Additional insight can be gained from Tomcat application logs, particularly Catalina entries related to deployWAR events and any exceptions tied to malicious files.
Investigators should also review localhost logs for deployment activity. Persistence mechanisms for Brickstorm and Grimbolt were established by modifying the convert_hosts.sh script to include the path to the backdoor, ensuring continued access.
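As an added example of triaging the artifacts just described (not code from the Mandiant report), this Python script flags Tomcat Manager requests in a constructed access log, extracts deployWAR events from a constructed Catalina log, and pairs each deploy request with the WAR that Tomcat then unpacked. The log lines, hosts, timestamps and the "/x" context path are made up; only the /manager paths and the /home/kos/tomcat9 prefix come from the report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Tomcat's default access-log and Catalina formats.
ACCESS_LOG = """\
10.1.2.3 - - [11/Sep/2025:08:02:11 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 512
10.1.2.9 - admin [11/Sep/2025:08:05:41 +0000] "GET /manager/html HTTP/1.1" 200 2473
10.1.2.9 - admin [11/Sep/2025:08:05:43 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 37
"""
CATALINA_LOG = """\
11-Sep-2025 08:05:43.120 INFO [http-nio-443-exec-4] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/home/kos/tomcat9/webapps/x.war]
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')
DEPLOY_RE = re.compile(r"HostConfig\.deployWAR Deploying web application archive \[(?P<war>[^\]]+)\]")

def manager_requests(access_log):
    """Every request to the Tomcat Manager; deploy calls are rated high."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        if not url.path.startswith("/manager"):
            continue
        hit = {k: m.group(k) for k in ("ip", "user", "ts", "method", "status")}
        hit["path"] = url.path
        hit["severity"] = "high" if url.path.startswith("/manager/text/deploy") else "medium"
        # context path the WAR was deployed under (the "path" query parameter)
        hit["context"] = parse_qs(url.query).get("path", [None])[0]
        hits.append(hit)
    return hits

def deployed_wars(catalina_log):
    """WAR archives that Catalina reports as deployed (deployWAR events)."""
    return [m.group("war") for m in map(DEPLOY_RE.search, catalina_log.splitlines()) if m]

def correlate(access_log, catalina_log):
    """Pair each Manager deploy request with the WAR Catalina then unpacked."""
    wars = deployed_wars(catalina_log)
    pairs = []
    for hit in manager_requests(access_log):
        if hit["severity"] != "high" or not hit["context"]:
            continue
        name = "/" + hit["context"].strip("/") + ".war"
        hit["war"] = next((w for w in wars if w.endswith(name)), None)
        pairs.append(hit)
    return pairs
```

A deploy request with no matching deployWAR event, or a deployWAR event with no matching request, is itself a finding worth chasing in the localhost logs and the systemd journal.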
Just last week, the GTIG disclosed that the defense industrial base is facing sustained and multifaceted cyber pressure from state-sponsored actors, criminal groups, and hacktivists, with targeting extending beyond military systems into defense contractors, personnel, and supply chains. GTIG identified several recurring themes, including Russia-nexus activity focused on defense firms supporting battlefield technologies in the Russia-Ukraine War, particularly organizations linked to unmanned aircraft systems, alongside growing exploitation of recruitment processes and employee access across global defense and aerospace firms.
