Threat ID: TL-2026-0123 | Severity: CRITICAL | Status: ACTIVE
Actor: UNC6201 (Silk Typhoon) | Nation: China | Motivation: ESPIONAGE
MITRE Techniques: 33 | Detections: 9 | IOCs: 12+
CVSS 10.0. Hardcoded Tomcat Manager credentials. 393-day dwell time before disclosure. Dell RecoverPoint is the latest prize in UNC6201's virtualization infrastructure campaign.
On February 20, 2026, Mandiant and Google Threat Intelligence Group (GTIG) disclosed that CVE-2026-22769 has been actively exploited by UNC6201, a PRC-nexus espionage cluster, since at least mid-2024. The flaw — hardcoded Apache Tomcat Manager credentials baked into the appliance — grants unauthenticated attackers root-level remote code execution, enabling deployment of the BRICKSTORM, GRIMBOLT, and SLAYSTYLE malware families across virtualization infrastructure in North America, Europe, and Asia-Pacific. Hardcoded creds. In 2026.
Below: the exploitation chain, the novel Ghost NIC lateral movement technique, 33 MITRE ATT&CK mappings, and production-ready SPL, KQL, and Sigma detection queries.
CISA Analysis Report AR25-338A — BRICKSTORM backdoor malware analysis from Dell RecoverPoint exploitation incidents including IOCs and YARA rules.
Executive Summary
- What:
CVE-2026-22769is a hardcoded credential vulnerability (CWE-798) in Dell RecoverPoint for VMs versions 5.3 SP2 through 6.0 SP3 P1, enabling unauthenticated WAR file deployment and root RCE via the Tomcat Manager endpoint - Who: UNC6201, a suspected PRC-nexus actor with operational overlap to Silk Typhoon (UNC5221), attributed with HIGH confidence
- Impact: CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Exploitation grants full control of the RecoverPoint appliance and, through lateral movement, the entire VMware virtualization stack
- Status: Actively exploited since mid-2024. Dell released version 6.0.3.1 HF1 on February 17, 2026. CISA added to KEV catalog on February 20, 2026
- Detection: 9 production-ready detections available on Threadlinqs Intelligence
Technical Analysis
Dell RecoverPoint for Virtual Machines ships with an Apache Tomcat 9 instance at /home/kos/tomcat9/. The credentials for the Tomcat Manager admin account are hardcoded in /home/kos/tomcat9/tomcat-users.xml — readable to any unauthenticated attacker who can reach the management interface. Side note: hardcoded Tomcat Manager credentials in an enterprise backup product is a fundamental design failure, not just a bug.
The Tomcat Manager exposes /manager/text/deploy, which accepts WAR file uploads via HTTP PUT. Tomcat runs as root. Any code deployed through this endpoint executes with full system privileges. One PUT request. Root shell.
Attack Chain
The full kill chain observed by Mandiant across multiple intrusions follows a consistent five-phase pattern:
- Initial Access — UNC6201 authenticates to the Tomcat Manager using the hardcoded admin credential and deploys a malicious WAR file via
/manager/text/deploy. The SLAYSTYLE JSP webshell is the initial payload, granting interactive command execution as root.
- Persistence — The operator modifies
/home/kos/kbox/src/installation/distribution/convert_hosts.sh, a boot script, to re-establish backdoor access. RC script hijacking (T1037.004) ensures persistence survives appliance restarts. In September 2025, UNC6201 swapped BRICKSTORM (Go-based) for GRIMBOLT — the stage-2 is a C# native AOT-compiled binary packed with UPX, making static analysis significantly harder.
- Credential Theft — BRICKSTEAL, a malicious Tomcat servlet filter, intercepts credentials from vCenter authentication flows. The actor also targets NTDS.dit extractions (
T1003.003) and M365 application access tokens via MailItemsAccessed abuse for email exfiltration.
- Lateral Movement — The most distinctive technique: UNC6201 creates temporary virtual network interfaces on ESXi hosts — "Ghost NICs" — pivoting through the hypervisor into segmented management networks or SaaS environments. These interfaces are deleted after use, destroying forensic evidence. The operator also deploys iptables-based Single Packet Authorization (SPA), monitoring port 443 for specific hex strings to whitelist source IPs and redirect traffic to port 10443 for a 300-second window. Five minutes of access, then gone.
- Command and Control — GRIMBOLT phones home over WebSocket connections to
wss://149.248.11.71/rest/apisession. DNS-over-HTTPS tunneling via Cloudflare Workers provides a secondary callback channel. Multi-hop proxy chains through compromised SOHO routers obfuscate the true origin.
The Ghost in the NIC
The Ghost NIC technique deserves special attention. Traditional lateral movement in VMware environments relies on exploiting vCenter or ESXi management interfaces. UNC6201 takes a different approach: from a compromised VM, the actor creates a temporary virtual network interface on the underlying ESXi host, connecting it to an otherwise unreachable network segment. The actor pivots through this interface, performs reconnaissance or credential theft, then deletes the NIC entirely.
This leaves no persistent artifact on the ESXi host. Unless network flow telemetry or vSphere event logs captured the brief interface creation, defenders have no record of the lateral movement. 393 days undetected. The 393-day dwell time tells us this is not smash-and-grab — it's patient, methodical espionage. The technique clearly works.
Mandiant and Google Threat Intelligence Group — 'From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day' with full attack chain.
Threat Actor Profile
UNC6201 is a suspected PRC-nexus espionage cluster with operational overlap to Silk Typhoon (Microsoft designation) and connections to UNC5221. The actor targets technology, legal, SaaS, government, and BPO organizations across North America, Europe, and Asia-Pacific.
We observed that UNC6201 consistently targets systems that lack EDR coverage — edge appliances, virtualization infrastructure, and disaster recovery platforms. This deliberate selection of blind spots in enterprise security monitoring is a hallmark of advanced PRC-nexus operations.
The transition from BRICKSTORM (Go-based) to GRIMBOLT (C# native AOT with UPX packing) in September 2025 demonstrates active tooling evolution. As Mandiant researchers noted, GRIMBOLT is designed to blend in with a system's own native files, making it considerably harder to identify through filesystem analysis alone.
Detection
Threadlinqs Intelligence provides 9 production-ready detection rules for this threat across SPL, KQL, and Sigma formats.
Splunk SPL
This SPL surfaces Tomcat Manager WAR deployment activity — the initial exploitation vector for CVE-2026-22769.
SPLindex=web sourcetype=tomcat:access OR sourcetype=stream:http
| where (uri_path LIKE "%/manager/text/deploy%" OR uri_path LIKE "%/manager/html/upload%")
AND (http_method="PUT" OR http_method="POST")
| eval war_deploy=if(like(uri_path, "%/manager/text/deploy%"), "text_api", "html_upload")
| stats count earliest(_time) as first_seen latest(_time) as last_seen
values(src_ip) as source_ips values(uri_path) as deploy_paths
values(war_deploy) as deploy_method by dest_ip
| where count > 0
| eval alert_severity="critical"
Catching SLAYSTYLE webshell creation and GRIMBOLT boot script persistence in Splunk:
SPLindex=os sourcetype=syslog OR sourcetype=linux:audit
| search (file_path="/tomcat/webapps/.jsp" AND action="created")
OR (file_path="convert_hosts.sh" AND action="modified")
OR (file_path="/home/kos/" AND file_name=".war")
| eval indicator=case(
like(file_path, "%.jsp"), "webshell_deploy",
like(file_path, "%convert_hosts%"), "boot_persistence",
like(file_path, "%.war"), "war_upload"
)
| stats count by host, file_path, indicator, action
| eval alert_severity=if(indicator="boot_persistence", "critical", "high")
Microsoft KQL
This KQL query detects GRIMBOLT WebSocket C2 communication and Ghost NIC creation on VMware infrastructure.KQLlet ghost_nic_events = VMwareSyslog
| where TimeGenerated > ago(7d)
| where SyslogMessage has_any ("net-dvs -a", "esxcli network vswitch", "AddVirtualNic")
| where SyslogMessage !has "vmk0"
| project TimeGenerated, Computer, SyslogMessage, EventType="ghost_nic_creation";
let websocket_c2 = CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationIP == "149.248.11.71"
or RequestURL has "/rest/apisession"
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, EventType="grimbolt_c2";
union ghost_nic_events, websocket_c2
| summarize EventCount=count(), FirstSeen=min(TimeGenerated),
LastSeen=max(TimeGenerated) by Computer, EventType
Sigma
This Sigma rule detects access to the hardcoded credential file and iptables SPA rule creation — two behavioral markers of UNC6201 post-exploitation.SIGMAtitle: Dell RecoverPoint Hardcoded Credential Access and SPA Rule Creation
id: 7e3b1a2f-9c4d-4f8e-b5a6-1d2e3f4a5b6c
status: experimental
description: >
Detects access to tomcat-users.xml (hardcoded credentials) and
iptables rules with hex-string matching combined with port REDIRECT,
indicating Single Packet Authorization for covert C2 channels.
references:
- https://intel.threadlinqs.com/#TL-2026-0123
- https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
- attack.initial_access
- attack.t1078.001
- attack.persistence
- attack.t1037.004
- attack.command_and_control
logsource:
category: process_creation
product: linux
detection:
sel_cred_access:
CommandLine|contains:
- 'tomcat-users.xml'
- '/home/kos/tomcat9/'
sel_spa_iptables:
CommandLine|contains|all:
- 'iptables'
- '-m string --hex-string'
- 'REDIRECT --to-port'
condition: sel_cred_access or sel_spa_iptables
falsepositives:
- Legitimate Tomcat administration on RecoverPoint appliances
- Authorized iptables configuration changes
level: critical
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
The Hacker News reporting on Dell RecoverPoint for VMs zero-day CVE-2026-22769 — exploited by Chinese state-backed UNC6201 since mid-2024.
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| IP | 149.248.11.71 | GRIMBOLT WebSocket C2 endpoint |
| URL | wss://149.248.11.71/rest/apisession | GRIMBOLT WebSocket C2 URI |
| Protocol | DNS-over-HTTPS via Cloudflare Workers | BRICKSTORM secondary C2 channel |
| Port | 10443 (redirected from 443) | SPA-gated backdoor listener |
File Indicators
| Type | Indicator | Context |
|---|---|---|
| File Path | /home/kos/tomcat9/tomcat-users.xml | Hardcoded credential file |
| File Path | /home/kos/kbox/src/installation/distribution/convert_hosts.sh | Boot persistence script |
| File Path | /var/lib/tomcat9/webapps/.jsp | SLAYSTYLE webshell deployment location |
| File Path | /var/cache/tomcat9/Catalina/ | WAR file extraction cache |
| Endpoint | /manager/text/deploy | Tomcat Manager WAR deployment API |
Behavioral Indicators
- UPX-packed binaries in
/home/kos/directories (GRIMBOLT) - Temporary virtual NIC creation/deletion on ESXi hosts (Ghost NIC)
- iptables rules with hex-string matching and REDIRECT to port 10443 (SPA)
sedmodifications to boot scripts referencingconvert_hosts.sh- Tomcat servlet filter additions not matching baseline (BRICKSTEAL)
- WebSocket connections to
/rest/apisessionendpoints on non-standard IPs
Timeline
| Date | Event |
|---|---|
| 2024-06-01 | Earliest confirmed exploitation. UNC6201 deploys BRICKSTORM and SLAYSTYLE via CVE-2026-22769 |
| 2025-01-01 | GTIG publishes BRICKSTORM campaign research covering Silk Typhoon overlaps |
| 2025-03-01 | Mandiant responds to multiple intrusions across tech, legal, SaaS, and BPO sectors |
| 2025-09-01 | UNC6201 replaces BRICKSTORM with GRIMBOLT (C# native AOT, UPX-packed) |
| 2025-12-01 | CISA publishes Analysis Report AR25-338a on BRICKSTORM VMware compromise |
| 2026-02-17 | Dell publishes Security Advisory DSA-2026-079. Version 6.0.3.1 HF1 released |
| 2026-02-17 | NVD publishes CVE-2026-22769 with CVSS 10.0 score |
| 2026-02-20 | Mandiant/GTIG releases full technical blog with YARA rules, IOCs, and forensic guidance |
| 2026-02-20 | CISA adds CVE-2026-22769 to Known Exploited Vulnerabilities catalog |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | CVE-2026-22769 Tomcat Manager exploitation |
| Initial Access | Valid Accounts: Default Accounts | T1078.001 | Hardcoded Tomcat admin credentials |
| Execution | Unix Shell | T1059.004 | Post-exploitation command execution via webshell |
| Persistence | Web Shell | T1505.003 | SLAYSTYLE JSP webshell deployment |
| Persistence | RC Scripts | T1037.004 | Boot script modification via convert_hosts.sh |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Root execution via Tomcat process |
| Defense Evasion | Software Packing | T1027.002 | GRIMBOLT UPX packing |
| Defense Evasion | Timestomp | T1070.006 | File timestamp manipulation to avoid detection |
| Defense Evasion | Match Legitimate Name | T1036.005 | GRIMBOLT native AOT blending with system files |
| Credential Access | Credentials In Files | T1552.001 | Tomcat credential file harvesting |
| Credential Access | NTDS | T1003.003 | Active Directory credential extraction |
| Credential Access | Steal Application Access Token | T1528 | M365 token theft via MailItemsAccessed |
| Lateral Movement | Exploitation of Remote Services | T1210 | Ghost NIC-based VMware pivoting |
| Lateral Movement | SSH | T1021.004 | SSH lateral movement between VMs and ESXi hosts |
| Command and Control | Web Protocols | T1071.001 | WebSocket C2 over HTTPS |
| Command and Control | Protocol Tunneling | T1572 | DNS-over-HTTPS via Cloudflare Workers |
| Command and Control | Encrypted Channel | T1573.002 | Asymmetric crypto on WebSocket C2 |
| Exfiltration | Exfiltration Over C2 | T1041 | Data exfiltration via GRIMBOLT channel |
Full MITRE ATT&CK mapping with 33 techniques: View coverage on Threadlinqs
TL-2026-0123 on Threadlinqs Intelligence — Dell RecoverPoint zero-day (CVE-2026-22769, CVSS 10.0) exploited by UNC6201/Silk Typhoon with ACTIVE exploitation status.
Recommendations
- Patch immediately. Upgrade Dell RecoverPoint for VMs to version 6.0.3.1 HF1. For version 5.3 SP4 P1, migrate to 6.0 SP3 first, then apply the hotfix. If immediate patching is not possible, apply the Dell remediation script per KB 000426742.
- Isolate RecoverPoint appliances from general network access. Restrict the Tomcat Manager interface to trusted admin IPs only. Block external access at the perimeter firewall.
- Hunt for existing compromise. Inspect
/home/kos/auditlog/fapi_cl_audit_log.logfor Tomcat Manager requests, check/var/lib/tomcat9for unexpected WAR/JSP files, and reviewconvert_hosts.shfor unauthorized modifications. Deploy Mandiant's published YARA rules. - Segment VMware management networks. Deploy network segmentation isolating RecoverPoint from the vCenter/ESXi management plane. Enable vSphere lockdown mode and enforce MFA for vCenter access.
- Monitor for Ghost NIC activity. Centralize ESXi and vCenter logs. Alert on temporary virtual NIC creation, unauthorized SSH enablement, and iptables rules with hex-string matching.
References
- From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint Zero-Day — Mandiant/GTIG, February 20, 2026
- Dell Security Advisory DSA-2026-079 — Dell, February 17, 2026
- CVE-2026-22769 — NVD, February 17, 2026
- CISA Known Exploited Vulnerabilities: CVE-2026-22769 — CISA, February 20, 2026
- CISA Analysis Report AR25-338a: BRICKSTORM VMware Compromise — CISA, December 2025
- Dell RecoverPoint Zero-Day CVE-2026-22769 Exploited Since Mid-2024 — The Hacker News, February 2026
- Chinese hackers exploited zero-day Dell RecoverPoint flaw for 1.5 years — CSO Online, February 2026
- MITRE ATT&CK T1190: Exploit Public-Facing Application — MITRE
- MITRE ATT&CK T1078.001: Valid Accounts: Default Accounts — MITRE
- MITRE ATT&CK T1505.003: Web Shell — MITRE
Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0123.*