A high-risk zero-day vulnerability in Dell's virtualization software has become the playground for a sophisticated espionage campaign. In a joint report, Mandiant and Google Threat Intelligence Group (GTIG) have revealed that a suspected PRC-nexus threat cluster, tracked as UNC6201, has been exploiting a maximum-severity flaw (CVSS 10.0) in Dell RecoverPoint for Virtual Machines since at least mid-2024 to infiltrate organizations and deploy a novel backdoor.
The vulnerability, tracked as CVE-2026-22769, allows attackers to gain a foothold in the virtualization layer, from which they have launched a suite of malware tools, including SLAYSTYLE, BRICKSTORM, and the newly identified GRIMBOLT.
While UNC6201 has been active for some time, their toolkit has undergone a significant upgrade. The report highlights a shift in September 2025, where the group began replacing their older BRICKSTORM binaries with a new, more advanced backdoor named GRIMBOLT.
“GRIMBOLT represents a shift in tradecraft; this newly identified malware, written in C# and compiled using native ahead-of-time (AOT) compilation, is designed to complicate static analysis and enhance performance on resource-constrained appliances,” the report explains.
This move to AOT compilation suggests a deliberate effort to evade detection by security tools that struggle to inspect compiled managed code, making the malware harder to reverse engineer.
The researchers discovered that UNC6201 was creating “Ghost NICs” (temporary network ports on compromised ESXi servers) to silently pivot through the victim’s network.
“Mandiant discovered the threat actor creating new temporary network ports on existing virtual machines running on an ESXi server,” the report states. “Using these network ports, the threat actor then pivoted to various internal and software-as-a-service (SaaS) infrastructures used by the affected organizations.”
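The “Ghost NIC” pattern above is detectable from the hypervisor's own change records: a virtual NIC that is added to an existing VM and removed again shortly afterwards. The following is an added example, not code from the Mandiant/GTIG report, that pairs add/remove events per VM and NIC and flags short-lived adapters. The event schema (`time`, `vm`, `op`, `nic`, `user`) and the sample records are constructed for illustration; a real deployment would first normalise vCenter/ESXi reconfiguration events into this shape.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed, simplified VM reconfiguration events. This is NOT the real
# vCenter/ESXi event format; it is the normalised shape the detector expects.
SAMPLE_EVENTS = [
    {"time": "2025-09-01T02:13:04Z", "vm": "web-01", "op": "nic_added",   "nic": "ethernet2", "user": "svc-backup"},
    {"time": "2025-09-01T02:41:30Z", "vm": "web-01", "op": "nic_removed", "nic": "ethernet2", "user": "svc-backup"},
    {"time": "2025-09-01T09:00:00Z", "vm": "db-02",  "op": "nic_added",   "nic": "ethernet1", "user": "admin"},
    {"time": "2025-09-03T10:15:00Z", "vm": "db-02",  "op": "nic_removed", "nic": "ethernet1", "user": "admin"},
]


def _ts(value: str) -> datetime:
    """Parse the fixed ISO-8601 UTC timestamp used by the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_short_lived_nics(events: List[Dict], max_lifetime: timedelta = timedelta(hours=6)) -> List[Dict]:
    """Pair each nic_added with the next nic_removed for the same (vm, nic)
    and report pairs whose lifetime is at most max_lifetime.

    A NIC that lives for minutes and is then deleted is the signature of a
    temporary pivot interface; long-lived adapters are treated as legitimate
    configuration changes. The 6-hour default window is an assumption; tune it
    to the change-management cadence of the environment."""
    open_nics: Dict[tuple, Dict] = {}   # (vm, nic) -> the nic_added event
    findings: List[Dict] = []
    # Fixed-width ISO timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["vm"], ev["nic"])
        if ev["op"] == "nic_added":
            open_nics[key] = ev
        elif ev["op"] == "nic_removed" and key in open_nics:
            added = open_nics.pop(key)
            lifetime = _ts(ev["time"]) - _ts(added["time"])
            if lifetime <= max_lifetime:
                findings.append({
                    "vm": ev["vm"],
                    "nic": ev["nic"],
                    "added_by": added["user"],
                    "added_at": added["time"],
                    "removed_at": ev["time"],
                    "lifetime_minutes": int(lifetime.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for f in find_short_lived_nics(SAMPLE_EVENTS):
        print(f"short-lived NIC {f['nic']} on {f['vm']} added by {f['added_by']} "
              f"at {f['added_at']}, lived {f['lifetime_minutes']} min")
```

NICs that are added and never removed do not appear in the result; a fuller detector would also report those still open after the window, since an adapter the actor forgot to delete is just as interesting as one that was cleaned up.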
To further secure their access, the attackers implemented a stealthy persistence mechanism involving iptables proxying. By deploying the SLAYSTYLE web shell, they configured the server to listen for a specific “knock”: a packet containing a unique HEX string.
“Once the initial approved traffic comes in to port 10443, any subsequent traffic is automatically redirected,” the report details. This “Single Packet Authorization” technique essentially makes the backdoor invisible to port scanners; the port appears closed until the secret knock is received, at which point it opens for exactly 300 seconds.
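Because the gate lives in the firewall configuration rather than in a listening process, it leaves a footprint in `iptables-save` output that a host audit can look for: a rule that matches on packet payload (`-m string`) and records the source in a `recent` list, paired with a NAT rule that redirects traffic only while that list entry is fresh (`-m recent --rcheck --seconds N`). The following is an added example, not code from the report, that scans a saved ruleset for that combination. The ruleset excerpt is constructed for the test; the hex string, list name and redirect target in it are placeholders, not indicators from the campaign.

```python
import shlex
from typing import Dict, List, Optional

# Constructed iptables-save excerpt used only to exercise the detector.
# "|DEADBEEF|", the list name KNOCK and port 4444 are placeholders.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 10443 -m string --hex-string "|DEADBEEF|" --algo bm -m recent --set --name KNOCK --rsource
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 10443 -m recent --rcheck --seconds 300 --name KNOCK --rsource -j REDIRECT --to-ports 4444
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
"""


def parse_rules(dump: str) -> List[Dict]:
    """Turn iptables-save text into {table, chain, tokens} records, one per -A line."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            rules.append({"table": table, "chain": tokens[1], "tokens": tokens})
    return rules


def _opt(tokens: List[str], name: str) -> Optional[str]:
    """Value following option `name`, or None if absent or valueless."""
    if name in tokens:
        i = tokens.index(name)
        return tokens[i + 1] if i + 1 < len(tokens) else None
    return None


def _modules(tokens: List[str]) -> set:
    """Match extensions loaded with -m on this rule."""
    return {tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok == "-m"}


def find_knock_gated_redirects(dump: str) -> List[Dict]:
    """Report NAT redirects that are only reachable after a payload-matched 'knock'.

    Pass 1 collects rules that inspect packet content (string/hex-string) and
    add the source to a `recent` list. Pass 2 looks for REDIRECT/DNAT rules
    gated on the same list being fresh. A match on both is the single-packet
    authorization shape described in the report."""
    rules = parse_rules(dump)
    registrations: Dict[str, Dict] = {}   # recent list name -> registering rule
    for r in rules:
        t = r["tokens"]
        payload_match = "string" in _modules(t) and ("--hex-string" in t or "--string" in t)
        if payload_match and "recent" in _modules(t) and "--set" in t:
            registrations[_opt(t, "--name") or "DEFAULT"] = r

    findings: List[Dict] = []
    for r in rules:
        t = r["tokens"]
        gated = "recent" in _modules(t) and ("--rcheck" in t or "--update" in t)
        if gated and _opt(t, "-j") in ("REDIRECT", "DNAT"):
            name = _opt(t, "--name") or "DEFAULT"
            if name in registrations:
                seconds = _opt(t, "--seconds")
                findings.append({
                    "recent_list": name,
                    "knock_port": _opt(registrations[name]["tokens"], "--dport"),
                    "window_seconds": int(seconds) if seconds else None,
                    "redirect_to": _opt(t, "--to-ports") or _opt(t, "--to-destination"),
                    "table": r["table"],
                    "chain": r["chain"],
                })
    return findings


if __name__ == "__main__":
    for f in find_knock_gated_redirects(SAMPLE_IPTABLES_SAVE):
        print(f"knock-gated redirect: port {f['knock_port']} -> {f['redirect_to']} "
              f"for {f['window_seconds']}s after payload match (list {f['recent_list']})")
```

The plain `8080 -> 80` redirect in the sample is deliberately left unflagged: redirects are common on appliances, and it is the payload-match plus time-limited `recent` gate that makes the rule suspicious, not the redirect alone. On an appliance where the vendor ships no `string`-module rules at all, the presence of `-m string` in the ruleset is by itself worth an alert.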
The report concludes that this activity underscores the evolving capabilities of UNC6201, a group that is “known to target edge appliances (such as VPN concentrators) for initial access” and is now digging deep into the virtualization stack to maintain long-term, stealthy control.