Executive Summary
A critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, has been actively exploited by the China-nexus threat cluster UNC6201 to deploy persistent backdoors and maintain covert access to enterprise infrastructure. The vulnerability stems from hard-coded administrative credentials stored in the Apache Tomcat configuration, allowing attackers to authenticate to the Tomcat Manager interface and deploy malicious WAR archives. UNC6201 leveraged this access to deploy multiple malware families, including the SLAYSTYLE web shell, BRICKSTORM backdoor, and the GRIMBOLT persistent backdoor.
Attackers established persistence by modifying internal RecoverPoint system scripts responsible for host configuration, ensuring malware execution during system operations. They also redirected network traffic using iptables-based covert channels and created temporary network interfaces to pivot into internal infrastructure. Because RecoverPoint appliances operate with elevated privileges and integrate directly with enterprise disaster recovery and VMware environments, exploitation enables long-term stealth access, infrastructure monitoring, and strategic enterprise compromise.
Background on UNC6201
UNC6201 is a China-nexus advanced persistent threat (APT) cluster known for targeting enterprise infrastructure appliances, particularly systems involved in backup, disaster recovery, and virtualization management. Their operations prioritize stealth persistence, covert access, and long-term espionage through the compromise of high-value infrastructure.
In this campaign, UNC6201 deployed multiple malware families to maintain access and evade detection:
SLAYSTYLE
A malicious WAR-based web shell deployed through the Apache Tomcat Manager interface, allowing persistent remote command execution on compromised RecoverPoint appliances.
BRICKSTORM
A Go-based backdoor designed to provide persistent access, execute attacker commands, and maintain remote control over infected systems.
GRIMBOLT
A C#-based persistent backdoor compiled using Native Ahead-of-Time (AOT) compilation and packed with UPX. GRIMBOLT enables long-term persistence, remote command execution, and command-and-control communication over WebSocket connections.
By compromising RecoverPoint appliances, UNC6201 gains privileged access to infrastructure connected to enterprise storage systems, VMware ESXi hosts, and disaster recovery environments.
Vulnerability Details
CVE-ID: CVE-2026-22769
CVSS Score: 10.0 (Critical severity)
Vulnerability Type: Use of Hard-coded Credentials (CWE-798)
Affected Software: Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1
Patched in: Dell RecoverPoint for Virtual Machines 6.0.3.1 HF1
The vulnerability is caused by hard-coded administrative credentials stored in the Apache Tomcat user configuration file:
/home/kos/tomcat9/conf/tomcat-users.xml
These credentials allow attackers to authenticate to the Apache Tomcat Manager interface:
/manager/text/deploy
Attackers used this interface to upload malicious WAR archives containing web shells.
Observed malicious deployment request:
PUT /manager/text/deploy?path=/slaystyle&update=true
Uploaded WAR files were deployed to the following Tomcat directories:
/var/lib/tomcat9
/var/cache/tomcat9/Catalina
These malicious WAR archives enabled attackers to execute arbitrary code through the Tomcat service, establishing persistent remote access.
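Two checks that follow from the details above, written as an added example (not Dell's code and not from the advisory): enumerate every account in a tomcat-users.xml that holds a Manager role, since any such account can reach /manager/text/deploy, and scan Tomcat access-log lines for WAR deployments through the Manager text interface together with the requests that then hit the newly created context path. The tomcat-users.xml content, the account names and the log lines are constructed samples; the password values are placeholders.

```python
# Added example (not Dell's or the advisory's own code): two defender-side
# checks against a RecoverPoint appliance's Tomcat, run over constructed inputs.
import re
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

# Tomcat roles that grant access to the Manager application (and so to /manager/text/deploy).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Constructed stand-in for /home/kos/tomcat9/conf/tomcat-users.xml (names and passwords are placeholders).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <user username="rp-admin" password="PLACEHOLDER" roles="manager-script,manager-gui"/>
  <user username="monitor" password="PLACEHOLDER" roles="probe"/>
</tomcat-users>
"""

# Constructed Tomcat access-log lines in the AccessLogValve "common" pattern.
SAMPLE_ACCESS_LOG = [
    '10.20.30.40 - - [12/Feb/2026:10:15:31 +0000] "GET /manager/text/list HTTP/1.1" 401 -',
    '10.20.30.40 - rp-admin [12/Feb/2026:10:15:32 +0000] "PUT /manager/text/deploy?path=/slaystyle&update=true HTTP/1.1" 200 35',
    '10.20.30.41 - - [12/Feb/2026:10:16:02 +0000] "GET /slaystyle/default.jsp HTTP/1.1" 200 128',
    '10.20.30.99 - - [12/Feb/2026:10:17:00 +0000] "GET /ui/ HTTP/1.1" 200 4096',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def manager_accounts(xml_text):
    """Return (username, manager roles) for every account able to use the Manager app."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "user":   # drop the '{namespace}' prefix
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        hit = roles & MANAGER_ROLES
        if hit:
            found.append((elem.get("username"), sorted(hit)))
    return found


def manager_deploys(log_lines):
    """Find WAR deployments via the Manager text interface, then every later
    request into the context path each deployment created."""
    deployed = []   # context paths created by PUT /manager/text/deploy?path=...
    events = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["uri"])
        if m["method"] == "PUT" and parts.path == "/manager/text/deploy":
            ctx = parse_qs(parts.query).get("path", ["?"])[0]
            deployed.append(ctx)
            events.append(("deploy", m["src"], m["user"], ctx, m["status"]))
            continue
        for ctx in deployed:
            if parts.path == ctx or parts.path.startswith(ctx + "/"):
                events.append(("webshell-request", m["src"], m["user"], parts.path, m["status"]))
    return events


if __name__ == "__main__":
    for user, roles in manager_accounts(SAMPLE_TOMCAT_USERS):
        print(f"manager-capable account: {user} roles={roles}")
    for event in manager_deploys(SAMPLE_ACCESS_LOG):
        print(event)
```

On a real appliance the first function would be fed the contents of /home/kos/tomcat9/conf/tomcat-users.xml and the second the Tomcat access log; a successful (2xx) PUT to /manager/text/deploy from an address that is not a known administration host is the event to alert on, and any follow-up request into the deployed context path is the web shell being used.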
Infection Method
The UNC6201 attack leveraging CVE-2026-22769 follows this chain:
UNC6201 operated within compromised enterprise environments and identified exposed Dell RecoverPoint appliances running Apache Tomcat. Attackers extracted hard-coded credentials from /home/kos/tomcat9/conf/tomcat-users.xml. These credentials allowed authentication to /manager/text/deploy.
With the command 'PUT /manager/text/deploy?path=/slaystyle&update=true', attackers deployed the SLAYSTYLE web shell into /var/lib/tomcat9 and /var/cache/tomcat9/Catalina, along with additional persistent malware: the BRICKSTORM backdoor and the GRIMBOLT persistent backdoor.
Attackers modified the RecoverPoint system script /home/kos/kbox/src/installation/distribution/convert_hosts.sh, which executes during system operations, ensuring persistent malware execution. They then implemented traffic redirection using iptables rules such as:
iptables -I INPUT -i eth0 -p tcp --dport 443 -m string --hex-string <HEX_PATTERN>
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 10443
This enabled covert access using Single Packet Authorization (SPA) techniques.
UNC6201 created temporary network interfaces to pivot into internal infrastructure and communicate with additional enterprise systems. GRIMBOLT established WebSocket-based C2 communications:
149.248.11.71
wss://149.248.11.71/rest/apisession
Malware Behavior and Capabilities
UNC6201 deployed multiple malware families providing persistence, stealth, and remote control capabilities:
Persistent Web Shell Access (SLAYSTYLE): Allows attackers to execute commands through malicious Tomcat web application deployment.
Persistent Backdoor Access (GRIMBOLT):
- Remote shell access
- Persistent command execution
- WebSocket-based command-and-control communication
- Long-term stealth persistence
Compiled using Native AOT and packed with UPX for evasion.
Initial Backdoor Access (BRICKSTORM):
- Remote command execution
- Persistent system access
- Infrastructure reconnaissance
Techniques Include (MITRE ATT&CK Mapping)
T1078 – Valid Accounts
Authentication using hard-coded credentials stored in the Tomcat configuration file to access the Tomcat Manager interface.
T1505.003 – Server Software Component: Web Shell
Deployment of the SLAYSTYLE web shell via malicious WAR archive uploaded through the Tomcat Manager deployment endpoint.
T1105 – Ingress Tool Transfer
Transfer and deployment of BRICKSTORM and GRIMBOLT backdoor payloads to the compromised RecoverPoint appliance.
T1059 – Command and Scripting Interpreter
Execution of attacker-controlled commands via the deployed SLAYSTYLE web shell and persistent backdoors.
T1547.004 – Boot or Logon Initialization Scripts: RC Scripts
Persistence established by modifying the RecoverPoint system script to execute malicious backdoor components at system startup.
T1562 – Impair Defenses
Use of iptables traffic redirection rules to conceal malicious access channels and evade detection.
T1572 – Protocol Tunneling
Redirection of inbound network traffic via iptables to attacker-controlled ports for covert remote access.
T1021 – Remote Services
Use of network services and temporary interfaces to enable lateral movement and remote command execution.
T1071.001 – Application Layer Protocol: Web Protocols
Command-and-control communication using WebSocket connections over HTTPS to attacker infrastructure.
Visual: UNC6201 RecoverPoint Attack Flow
[Initial Enterprise Compromise]
-> [Discovery of RecoverPoint Appliance]
-> [Extraction of Hard-coded Tomcat Credentials]
-> [Authentication to Tomcat Manager Interface]
-> [Deployment of SLAYSTYLE Web Shell]
-> [Command Execution on RecoverPoint Appliance]
-> [Deployment of BRICKSTORM Backdoor]
-> [Deployment of GRIMBOLT Persistent Backdoor]
-> [Persistence via convert_hosts.sh Script Modification]
-> [iptables Traffic Redirection and Covert Access]
-> [Temporary Network Interface Creation for Internal Pivoting]
-> [Command and Control Communication via WebSocket]
This flow demonstrates how UNC6201 leveraged hard-coded credentials to deploy persistent backdoors and maintain covert infrastructure access.
IOCs (Indicators of Compromise)
Command and Control Infrastructure
149.248.11.71
wss://149.248.11.71/rest/apisession
Malware Families, File Names and SHA-256
| Malware Family | File Name | SHA-256 |
|---|---|---|
| GRIMBOLT | support | 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c |
| GRIMBOLT | out_elf_2 | dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591 |
| SLAYSTYLE | default_jsp.java | 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a |
| BRICKSTORM | N/A | aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878 |
| BRICKSTORM | splisten | 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df |
| BRICKSTORM | N/A | 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759 |
| BRICKSTORM | N/A | 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035 |
| BRICKSTORM | N/A | 45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830 |
Suspicious File Locations
/home/kos/tomcat9/conf/tomcat-users.xml
/var/lib/tomcat9
/var/cache/tomcat9/Catalina
/home/kos/kbox/src/installation/distribution/convert_hosts.sh
Suspicious Commands
PUT /manager/text/deploy?path=/slaystyle&update=true
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 10443
Mitigation Steps
- Apply Security Updates: Update Dell RecoverPoint for Virtual Machines to 6.0.3.1 HF1 or higher.
- Review Tomcat Credentials: Review /home/kos/tomcat9/conf/tomcat-users.xml for unauthorized access or credential exposure.
- Inspect Deployment Directories: Inspect /var/lib/tomcat9 and /var/cache/tomcat9/Catalina for unexpected WAR archives or web applications.
- Check System Scripts: Review /home/kos/kbox/src/installation/distribution/convert_hosts.sh for unauthorized modifications.
- Monitor Network Communications: Investigate suspicious outbound connections, especially WebSocket traffic.
- Hunt for Malware: Search for indicators related to SLAYSTYLE, BRICKSTORM, and GRIMBOLT malware.
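An offline IoC sweep covering both the Infection Method chain (iptables redirection, WebSocket C2) and the mitigation steps above, written as an added example rather than the advisory's or Dell's own tooling. The SHA-256 values and the C2 address are the ones listed in this advisory; the sha256sum, iptables-save and ss lines it runs over are constructed samples, and the file paths inside them are assumed locations, not observed ones. convert_hosts.sh has no known-good hash on this page, so that file is best compared against a copy from a clean vendor image rather than matched here.

```python
# Added example (not the advisory's or Dell's own tooling): an offline IoC sweep
# over three kinds of evidence a responder collects from a RecoverPoint appliance.
import re

# SHA-256 indicators from the advisory, mapped to malware family.
IOC_SHA256 = {
    "24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c": "GRIMBOLT",
    "dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591": "GRIMBOLT",
    "92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a": "SLAYSTYLE",
    "aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878": "BRICKSTORM",
    "2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df": "BRICKSTORM",
    "320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759": "BRICKSTORM",
    "90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035": "BRICKSTORM",
    "45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830": "BRICKSTORM",
}
C2_HOST = "149.248.11.71"   # GRIMBOLT C2 from the advisory

# Constructed `sha256sum` output; the paths are assumed, not observed.
SAMPLE_SHA256SUM = [
    "92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a  /var/cache/tomcat9/Catalina/localhost/slaystyle/org/apache/jsp/default_jsp.java",
    "2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df  /var/lib/tomcat9/splisten",
    "0000000000000000000000000000000000000000000000000000000000000000  /var/lib/tomcat9/webapps/ROOT/index.html",
]

# Constructed `iptables-save` output; the hex pattern is a placeholder.
SAMPLE_IPTABLES_SAVE = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m string --hex-string "|0011223344|" --algo bm -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed `ss -tnp` output (State Recv-Q Send-Q Local:Port Peer:Port Process).
SAMPLE_SS = [
    'ESTAB 0 0 10.20.30.5:51234 149.248.11.71:443 users:(("support",pid=4242,fd=7))',
    'ESTAB 0 0 10.20.30.5:51235 10.20.30.9:5432 users:(("java",pid=1200,fd=55))',
]


def match_hashes(sha256sum_lines):
    """Return (family, path, digest) for every file whose digest is a known indicator."""
    hits = []
    for line in sha256sum_lines:
        parts = line.split(None, 1)          # sha256sum prints '<digest>  <path>'
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1].strip()
        family = IOC_SHA256.get(digest)
        if family:
            hits.append((family, path, digest))
    return hits


def flag_iptables(save_text):
    """Flag rules that redirect an inbound port or match on packet payload: the two
    primitives behind the covert SPA-style access channel described above."""
    findings, table = [], None
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()         # '*nat', '*filter', ...
        elif line.startswith("-A "):
            toks = line.split()
            if "-j" in toks and toks.index("-j") + 1 < len(toks) and toks[toks.index("-j") + 1] == "REDIRECT":
                findings.append(("port-redirect", table, line))
            if any(a == "-m" and b == "string" for a, b in zip(toks, toks[1:])):
                findings.append(("payload-match", table, line))
    return findings


def flag_connections(ss_lines, c2_hosts=(C2_HOST,)):
    """Return (peer host, owning process) for sockets connected to known C2 hosts."""
    hits = []
    for line in ss_lines:
        toks = line.split()
        if len(toks) < 5:
            continue
        host = toks[4].rsplit(":", 1)[0]     # peer address without the port
        if host in c2_hosts:
            proc = re.search(r'users:\(\("([^"]+)"', line)
            hits.append((host, proc.group(1) if proc else None))
    return hits


if __name__ == "__main__":
    for hit in match_hashes(SAMPLE_SHA256SUM):
        print("hash match:", hit)
    for finding in flag_iptables(SAMPLE_IPTABLES_SAVE):
        print("iptables:", finding)
    for conn in flag_connections(SAMPLE_SS):
        print("c2 connection:", conn)
```

To run this against a live appliance, feed match_hashes the output of sha256sum over /var/lib/tomcat9 and /var/cache/tomcat9/Catalina, flag_iptables the output of iptables-save, and flag_connections the output of ss -tnp; a payload-match rule on an appliance that never shipped one, or a REDIRECT from 443 to an unexpected local port, warrants a full investigation even when no hash matches, since the advisory lists several BRICKSTORM samples without file names.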
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
