CVE-2026-22769: UNC6201 Exploitation of Dell RecoverPoint for Virtual Machines Zero-Day

Exploitation of CVE-2026-22769, a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines (CVSS 10.0), represents a tactical pivot by the PRC-nexus threat cluster UNC6201. As organisations strengthen traditional endpoint defenses, this actor has redirected focus toward the "security blind spots" of enterprise infrastructure, providing a quiet environment for high-fidelity espionage.

Threat alert
February 18, 2026

UNC6201 employs a multi-stage entry strategy. In early 2026, the group utilised sophisticated voice phishing (vishing) to harvest Single Sign-On (SSO) and Multi-Factor Authentication (MFA) codes. Once an identity is compromised, the actor ransacks cloud SaaS applications for sensitive documents containing keywords like "poc," "confidential," or "proposal" to further their objectives.

CVE-2026-22769

The vulnerability stems from a hardcoded credential within the integrated Apache Tomcat Manager instance on the Dell appliance. In versions prior to 6.0.3.1 HF1, a static administrator password allows unauthenticated remote attackers to access the "/manager/text/deploy" endpoint.

By exploiting this flaw, attackers deploy a malicious Web Application Archive (WAR) file. Because the Tomcat service executes with elevated privileges, the payload runs with root permissions, which grants the attacker full control over the underlying Linux operating system and a bridge to deploy more specialised backdoors.

| Component | Type | Primary Role | Technical Distinction |
|---|---|---|---|
| SLAYSTYLE | Web Shell | Initial Foothold | Java-based (WAR) shell providing root-level command execution and file management immediately after exploitation. |
| BRICKSTORM | Backdoor | Persistence | Go-based socket backdoor using DNS over HTTPS (DoH) via public providers (Google/Cloudflare) to blend C2 traffic with legitimate requests. |
| GRIMBOLT | Backdoor | Stealth Persistence | A novel C# backdoor utilising Native AOT compilation, which removes metadata to complicate static analysis and reduce the system footprint. |

Stealth Tactics in Virtualised Environments

UNC6201 utilises virtualisation-specific techniques to bypass standard network telemetry and security monitoring.

The "Ghost NIC" Mechanism

The threat actor establishes stealthy network pivots by creating temporary network ports on virtual machines within an ESXi server. By attaching these "Ghost NICs" to specific virtual switches, they bridge isolated network segments and establish direct paths to external Command and Control (C2) infrastructure. Once the objective is met, the NICs are deleted, leaving virtually no trace in hardware configuration logs.

Single Packet Authorisation (SPA)

To hide listener ports on compromised vCenter appliances, UNC6201 uses iptables to monitor port 443 for a specific hexadecimal string. When the HEX trigger is identified, the source IP is dynamically added to an allow-list, granting access to the actual backdoor port (10443). This ensures the management port remains closed and invisible to unauthorised scanners.
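The SPA pattern above leaves a distinctive shape in the host firewall: a rule that inspects packet payload on a public port and, on a match, adds the source address to a set that a second rule on a different port consults. The following is an added detection example (not part of the original alert) that scans `iptables-save` output for that shape. The sample ruleset is constructed for this example, the hex trigger value is a placeholder, and the set name "knock" is an assumption; real rule text may use `-m recent` instead of an ipset, which the scanner also accepts.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables-save` output. The second rule mimics the SPA
# pattern described in the alert (payload match on 443 feeding an allow-list);
# the hex value is a placeholder, not a real trigger. The other rules are benign.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m string --hex-string "|00112233|" --algo bm -j SET --add-set knock src
-A INPUT -p tcp -m tcp --dport 10443 -m set --match-set knock src -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10443 -j DROP
COMMIT
"""

STRING_MATCH = re.compile(r"-m string\b")
HEX_STRING = re.compile(r'--hex-string\s+"?\|[0-9a-fA-F ]+\|"?')
DPORT = re.compile(r"--dport\s+(\d+)")
# Two ways a rule can record the source address for later rules to consult.
ADD_SET = re.compile(r"-j SET --add-set\s+(\S+)")
RECENT_SET = re.compile(r"-m recent --set(?:.*?--name\s+(\S+))?")
# Rules that consult such a list are the gate in front of the hidden listener.
CONSUME = re.compile(r"--match-set\s+\S+|-m recent --(?:rcheck|update)")


def find_spa_rules(iptables_save: str) -> List[Dict[str, object]]:
    """Return rules that match payload content on a port AND feed an allow-list,
    together with the ports whose rules later consult that allow-list."""
    findings = []
    rules = [l for l in iptables_save.splitlines() if l.startswith("-A ")]
    for rule in rules:
        if not STRING_MATCH.search(rule):
            continue
        m_set = ADD_SET.search(rule) or RECENT_SET.search(rule)
        if not m_set:
            continue
        set_name = m_set.group(1) or "DEFAULT"  # `-m recent` without --name
        trigger = DPORT.search(rule)
        # Other rules that reference the same list and gate access on it.
        consumers = [c for c in rules if c is not rule and set_name in c and CONSUME.search(c)]
        gated = [p.group(1) for c in consumers for p in [DPORT.search(c)] if p]
        findings.append({
            "trigger_port": trigger.group(1) if trigger else "?",
            "set_name": set_name,
            "hex_trigger": bool(HEX_STRING.search(rule)),
            "gated_ports": gated,
            "rule": rule,
        })
    return findings


if __name__ == "__main__":
    # In practice feed the output of `iptables-save` from the appliance.
    for f in find_spa_rules(SAMPLE_RULES):
        print(f"payload match on port {f['trigger_port']} feeds list "
              f"'{f['set_name']}' gating ports {f['gated_ports']}")
```

A benign reverse proxy or WAF rarely needs `-m string` on the management port, so any hit is worth a manual look; the `gated_ports` field points directly at the listener the rule is hiding.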

Cloning and Account Sabotage

The group frequently utilises high-privileged accounts to clone sensitive VMs for offline credential extraction, deleting the clones shortly after. They also create local accounts on vCenter and ESXi hosts (often mimicking legitimate service accounts) and add them to the BashShellAdministrators group. These accounts are purged immediately after the malware installation is complete to minimise their footprint.
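The tell in the account-sabotage behaviour is not the account name but the lifetime: an account is created, granted shell administration, used briefly, and deleted within minutes. The following is an added detection example (not from the original alert) that pairs create and delete events from an SSO audit feed and flags accounts whose lifetime falls under a threshold. The line format is an assumption made for this example and is not the real layout of `audit_events.log`; the sample events and account names are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events in an assumed key=value layout. Adapt parse_events()
# to the actual fields of /var/log/audit/sso-events/audit_events.log.
SAMPLE_EVENTS = """\
2026-02-10T03:12:04Z actor=root action=account_create target=vpxd-svc-backup
2026-02-10T03:12:09Z actor=root action=group_add target=vpxd-svc-backup group=BashShellAdministrators
2026-02-10T03:12:40Z actor=vpxd-svc-backup action=login target=vpxd-svc-backup
2026-02-10T03:31:15Z actor=root action=account_delete target=vpxd-svc-backup
2026-02-10T09:00:00Z actor=admin action=account_create target=svc-monitor
2026-02-11T09:00:00Z actor=admin action=group_add target=svc-monitor group=ReadOnly
"""

PRIVILEGED_GROUPS = {"BashShellAdministrators"}


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse one event per line: ISO timestamp followed by key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        fields: Dict[str, object] = dict(kv.split("=", 1) for kv in kvs)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def short_lived_accounts(events: List[Dict[str, object]],
                         max_lifetime: timedelta = timedelta(hours=2)) -> List[Dict[str, object]]:
    """Flag accounts deleted within max_lifetime of their creation, noting
    whether they were added to a privileged group in between."""
    open_accounts: Dict[str, Dict[str, object]] = {}
    findings = []
    for ev in events:  # events are assumed to be in chronological order
        name = str(ev.get("target"))
        action = ev.get("action")
        if action == "account_create":
            open_accounts[name] = {"created": ev["ts"], "creator": ev.get("actor"), "groups": []}
        elif action == "group_add" and name in open_accounts:
            open_accounts[name]["groups"].append(ev.get("group"))
        elif action == "account_delete" and name in open_accounts:
            info = open_accounts.pop(name)
            lifetime = ev["ts"] - info["created"]
            if lifetime <= max_lifetime:
                findings.append({
                    "account": name,
                    "created_by": info["creator"],
                    "lifetime_minutes": lifetime.total_seconds() / 60,
                    "privileged": bool(PRIVILEGED_GROUPS & set(info["groups"])),
                })
    return findings


if __name__ == "__main__":
    for f in short_lived_accounts(parse_events(SAMPLE_EVENTS)):
        print(f"{f['account']}: lived {f['lifetime_minutes']:.1f} min, "
              f"privileged={f['privileged']}, created by {f['created_by']}")
```

The same create/delete pairing applies to the VM-clone behaviour described above: pair clone and destroy events from `vpxd.log` keyed on the clone's name and apply the same lifetime threshold.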

Required Logs and Forensic Telemetry

Detecting UNC6201 requires the collection and analysis of logs from various levels of the infrastructure, as the actor deliberately targets systems that do not generate standard EDR telemetry.

| Log Source | Location | Technical Value & Investigation Steps |
|---|---|---|
| Tomcat Audit Log | /home/kos/auditlog/fapi_cl_audit_log.log | Records all requests to the /manager endpoint. Search for PUT requests to the /manager endpoint or paths containing malicious WAR files. |
| Tomcat App Logs | /var/log/tomcat9/ | Includes Catalina and Localhost logs. Investigate HostConfig.deployWAR events and exceptions in Catalina/Localhost logs. |
| SSO Audit Events | /var/log/audit/sso-events/audit_events.log | Records the creation and deletion of local vCenter/ESXi accounts used for lateral movement and persistence. |
| vSphere VPXD Logs | /var/log/vmware/vpxd/vpxd.log | Monitor for anomalous VM clone events, power cycles, or snapshot creations. |
| Systemd Journal | journalctl | Records commands executed via web shells; essential for identifying iptables manipulation for Single Packet Authorisation (SPA) or other shell activity. |
| WAR File Storage | /var/lib/tomcat9 & /var/cache/tomcat9/Catalina | Forensic artifacts: directory where uploaded SLAYSTYLE WAR files and their compiled artifacts are stored for disk image analysis. |
| Persistence Scripts | /home/kos/kbox/src/installation/distribution/convert_hosts.sh | Forensic artifacts: check for unauthorised modifications injecting paths to BRICKSTORM or GRIMBOLT. |
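
The first two rows of the table describe a triage that can be scripted: find manager requests that deploy content, find deployWAR events for archives that are not part of the product, and then look for requests hitting the newly deployed context. The following is an added example (not from the original alert or from Dell) that does this over constructed sample lines. The audit-log layout is assumed to follow Tomcat's common access-log format and the Catalina line layout follows the stock Tomcat 9 logger; both are assumptions about the real files. The known-good application name "fapi" is a placeholder to be replaced with the appliance's actual WAR inventory.

```python
import re
from typing import Dict, List, Set

# Constructed audit-log lines in Tomcat common access-log layout (an assumption
# about fapi_cl_audit_log.log). Addresses and paths are invented for the example.
SAMPLE_AUDIT = """\
10.1.1.5 - - [10/Feb/2026:03:10:51 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - admin [10/Feb/2026:03:11:02 +0000] "PUT /manager/text/deploy?path=/sys HTTP/1.1" 200 37
10.1.1.9 - - [10/Feb/2026:03:11:30 +0000] "GET /sys/index.jsp HTTP/1.1" 200 118
10.1.1.5 - - [10/Feb/2026:04:00:00 +0000] "GET /fapi/status HTTP/1.1" 200 512
"""

# Constructed catalina.out lines in the stock Tomcat 9 logger layout.
SAMPLE_CATALINA = """\
10-Feb-2026 03:11:02.400 INFO [http-nio-8443-exec-3] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/var/lib/tomcat9/webapps/sys.war]
10-Feb-2026 03:11:03.120 INFO [http-nio-8443-exec-3] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/var/lib/tomcat9/webapps/sys.war] has finished in [720] ms
02-Jan-2026 08:00:00.000 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/var/lib/tomcat9/webapps/fapi.war]
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
DEPLOY_RE = re.compile(
    r'HostConfig\.deployWAR Deploying web application archive \[(?P<war>[^\]]+)\]')


def suspicious_manager_requests(audit_text: str) -> List[Dict[str, str]]:
    """Requests to /manager that deploy content: any PUT, the text deploy
    endpoint, or a path naming a .war file."""
    hits = []
    for line in audit_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m["path"]
        if path.startswith("/manager/") and (
                m["method"] == "PUT" or "/text/deploy" in path or ".war" in path.lower()):
            hits.append({"source_ip": m["ip"], "user": m["user"], "ts": m["ts"],
                         "method": m["method"], "path": path, "status": m["status"]})
    return hits


def unexpected_war_deploys(catalina_text: str, known_good: Set[str]) -> List[Dict[str, str]]:
    """deployWAR events for archives whose name is not in the product inventory."""
    deploys = []
    for line in catalina_text.splitlines():
        m = DEPLOY_RE.search(line)
        if not m:
            continue
        war = m["war"]
        name = war.rsplit("/", 1)[-1].removesuffix(".war")
        if name not in known_good:
            deploys.append({"ts": line[:23], "war": war, "context": "/" + name})
    return deploys


def triage(audit_text: str, catalina_text: str, known_good: Set[str]) -> Dict[str, List[Dict[str, str]]]:
    """Correlate the three signals: deploy requests, unexpected archives, and
    later requests into the contexts those archives created."""
    deploys = unexpected_war_deploys(catalina_text, known_good)
    contexts = {d["context"] for d in deploys}
    context_requests = []
    for line in audit_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and any(m["path"] == c or m["path"].startswith(c + "/") for c in contexts):
            context_requests.append({"source_ip": m["ip"], "ts": m["ts"], "path": m["path"]})
    return {"manager_hits": suspicious_manager_requests(audit_text),
            "unexpected_deploys": deploys,
            "context_requests": context_requests}


if __name__ == "__main__":
    report = triage(SAMPLE_AUDIT, SAMPLE_CATALINA, known_good={"fapi"})
    for key, rows in report.items():
        print(key)
        for row in rows:
            print("  ", row)
```

Every path reported under `unexpected_deploys` maps to an archive under the WAR-storage directories listed in the table, which is where the disk-image analysis should start; the `context_requests` list gives the client addresses to pivot on in the journal and in vpxd.log.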
Recommendations:
  • Patching: Upgrade all Dell RecoverPoint for Virtual Machines instances to 6.0.3.1 HF1 or later. If an immediate upgrade is impossible, apply the remediation script in Dell Security Advisory DSA-2026-079.
  • Password Rotation: Rotate all administrative passwords associated with the Tomcat Manager and the underlying operating system. Implement egress filtering to restrict appliance traffic to verified manufacturer update domains.
  • Zero-Trust Access: Implement identity-based access controls for appliance management interfaces, ensuring that all access requires MFA from a trusted device.
  • Integrity Monitoring: Implement file integrity monitoring (FIM) for critical system scripts such as rc.local and application configuration files.
  • Logging and Visibility: Centralise logs from Tomcat, vCenter, and ESXi hosts into a SIEM for proactive hunting and automated alerting.