Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
released on 2026-02-18 @ 12:11:56 PM
UNC6201, a suspected PRC-nexus threat group, has been exploiting a zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024. The group uses this flaw for lateral movement, persistent access, and deployment of malware including SLAYSTYLE, BRICKSTORM, and a new backdoor called GRIMBOLT. GRIMBOLT, written in C# and compiled with native AOT, represents a shift in tradecraft intended to complicate analysis and improve performance. The actors also employed novel tactics to pivot into VMware infrastructure, including the creation of 'Ghost NICs' and the use of iptables rules for Single Packet Authorization. Dell has released patches for the vulnerability, and the post provides detailed technical analysis, detection opportunities, and hardening guidance.