From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
ID: 3e152791-2e36-5364-8b4f-b9da35397f05
STIX ID: report--3e152791-2e36-5364-8b4f-b9da35397f05
Feed Name: Threat Intelligence
Mandiant and Google Threat Intelligence Group report that UNC6201 has been actively exploiting a critical zero-day (CVE-2026-22769, CVSS 10.0) in Dell RecoverPoint for Virtual Machines since mid-2024. The actor used it to deploy SLAYSTYLE web shells, BRICKSTORM, and a novel native AOT C# backdoor called GRIMBOLT, gaining root execution, persistence via modified startup scripts, and advanced VMware pivoting techniques (Ghost NICs and iptables-based Single Packet Authorization). Dell has published remediations, and the report provides detection and hardening guidance.
