GRIMBOLT

An unauthenticated remote attacker who leverages the hardcoded credential can gain root-level access and establish persistent control

Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769... UNC6201... has exploited this flaw since at least mid-2024

"...the malware enables command execution, file transfer, and lateral movement..." and "...upload a malicious WAR file... and then execute commands as root on the appliance."

GRIMBOLT is a C#-written foothold backdoor... It provides a remote shell capability...

To maintain persistence, UNC6201 modifies the legitimate convert_hosts.sh script, ensuring the backdoor executes automatically at system boot via rc.local.

UNC6201 established BRICKSTORM and GRIMBOLT persistence on the Dell RecoverPoint for Virtual Machines by modifying a legitimate shell script named convert_hosts.sh to include the path to the backdoor. This shell script is executed by the appliance at boot time via rc.local .

An unauthenticated remote attacker who leverages the hardcoded credential can gain root-level access and establish persistent control

the bug, tracked as CVE-2026-22769, was used to deploy a newer version of the Brickstorm backdoor malware that GTIG now calls Grimbolt

UNC6201 (suspected China-nexus) exploited CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT, a C#-based backdoor with native AOT compilation to complicate detection.

execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT

UNC6201 established BRICKSTORM and GRIMBOLT persistence on the Dell RecoverPoint for Virtual Machines by modifying a legitimate shell script named convert_hosts.sh to include the path to the backdoor. This shell script is executed by the appliance at boot time via rc.local.

"Persistence mechanisms for Brickstorm and Grimbolt were established by modifying the convert_hosts[dot]sh script to include the path to the backdoor..."

To maintain persistence, UNC6201 modifies the legitimate convert_hosts.sh script, ensuring the backdoor executes automatically at system boot via rc.local.

UNC6201 established BRICKSTORM and GRIMBOLT persistence on the Dell RecoverPoint for Virtual Machines by modifying a legitimate shell script named convert_hosts.sh to include the path to the backdoor. This shell script is executed by the appliance at boot time via rc.local .

"executing commands as root"

An unauthenticated remote attacker who leverages the hardcoded credential can gain root-level access and establish persistent control

execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT

UNC6201 established BRICKSTORM and GRIMBOLT persistence on the Dell RecoverPoint for Virtual Machines by modifying a legitimate shell script named convert_hosts.sh to include the path to the backdoor. This shell script is executed by the appliance at boot time via rc.local.

"Persistence mechanisms for Brickstorm and Grimbolt were established by modifying the convert_hosts[dot]sh script to include the path to the backdoor..."

GRIMBOLT is written in C# and compiled using Native Ahead-of-Time (AOT) compilation... removing Common Intermediate Language (CIL) metadata that security tools typically scan. The malware is further packed with UPX to complicate static analysis.

An unauthenticated remote attacker who leverages the hardcoded credential can gain root-level access and establish persistent control

uses “ghost NICs” on virtual machines to avoid defenders... created virtual NICs on virtual machines to perform malicious activities, and then deleted those NICs.

UNC6201 exploited a hardcoded administrator password in Apache Tomcat that was used by the Dell backup gear.

The threat actor created virtual NICs on virtual machines to perform malicious activities, and then deleted those NICs.

these two additional IP addresses both had the same 3389 (RDP) port open as well

“UNC6201 ... has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access...” and “contain a hardcoded credential vulnerability... unauthenticated remote attacker... leading to unauthorized access...”

Mandiant identified a campaign featuring the replacement of older BRICKSTORM binaries with GRIMBOLT in September 2025.

"they noticed the systems were communicating with hacker-controlled command and control servers associated with BRICKSTORM and GRIMBOLT backdoors"

"GRIMBOLT established WebSocket-based C2 communications: 149.248.11.71 wss://149.248.11.71/rest/apisession"

The attackers employ a stealthy traffic management technique known as Single Packet Authorization (SPA) using iptables... When this magic packet is detected, the source IP address is added to an allowlist.

suspected China-nexus threat cluster UNC6201 has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including Slaystyle, Brickstorm, and a novel backdoor tracked as Grimbolt.

...drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT... While GRIMBOLT also provides a remote shell capability...

"iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 10443"

This technique effectively hides the command and control (C2) channel from casual observation and automated scanning.

"They then implemented traffic redirection using iptables rules... This enabled covert access using Single Packet Authorization (SPA) techniques."