Your Backup Was the Backdoor
ID: 25da1e52-5a0a-579d-bad7-e0f28ab6bf38
STIX ID: report--25da1e52-5a0a-579d-bad7-e0f28ab6bf38
Feed Name: NoHackie
**Executive summary:** Mandiant and Google TAG attribute active, long-running exploitation of a critical Dell RecoverPoint for VMs vulnerability (CVE-2026-22769, CVSS 10.0) to a suspected China-linked cluster (UNC6201); attackers used embedded Tomcat credentials to upload WAR web shells (SLAYSTYLE), install persistent backdoors (BRICKSTORM, later GRIMBOLT), and pivot into vCenter/ESXi via Ghost NICs and Single Packet Authorization to clone high-value VMs and maintain stealthy, long-term access.
