On February 17, 2026, Dell patched a maximum-severity vulnerability in its RecoverPoint for Virtual Machines product. The flaw, CVE-2026-22769, is a hardcoded administrator credential with a perfect CVSS score of 10.0. According to Mandiant and Google's Threat Intelligence Group, a suspected Chinese state-linked group had already been exploiting it since at least mid-2024. That's 18 months of root-level access to enterprise backup infrastructure, with no detection, no alerts, and no patches. The attackers deployed three malware families, used stealth networking techniques that had not previously been documented in public threat reporting, and are likely still inside environments that have not been remediated.
There is a category of vulnerability that makes security professionals physically uncomfortable. Hardcoded credentials are one of them. Not because the exploitation is sophisticated — it's the opposite. Someone left a default admin password in a configuration file. That file shipped in a production enterprise product. And a nation-state espionage group found it before Dell did.
Dell RecoverPoint for Virtual Machines is a data protection and disaster recovery solution for VMware environments. It replicates virtual machines, manages backup schedules, and enables recovery in the event of a failure. It sits deep inside enterprise infrastructure, connected to VMware vCenter and ESXi hosts, with broad access to the virtualized environment. It is, by design, a trusted component with elevated privileges. And for at least 18 months, it was a wide-open door for Chinese intelligence operations.
The Vulnerability: A Hardcoded Password With a Perfect 10
| CVE | CVE-2026-22769 |
|---|---|
| CVSS Score | 10.0 Critical |
| Vulnerability Type | Hardcoded Credentials (CWE-798) |
| Affected Product | Dell RecoverPoint for Virtual Machines (versions prior to 6.0.3.1 HF1) |
| Exploitation Status | Actively exploited since mid-2024 |
| Attributed To | UNC6201 (suspected PRC-nexus) |
| Primary Sources | Google / Mandiant GTIG Report, Feb 18 2026 • Dell DSA-2026-079 |
Dell RecoverPoint for Virtual Machines runs Apache Tomcat as its web server. During development, someone embedded a default set of admin credentials in Tomcat's user realm file, /home/kos/tomcat9/tomcat-users.xml, the file that defines the accounts and roles the Tomcat Manager application trusts. Those credentials were never removed before the product shipped. Every version of RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 contained them.
The implications are straightforward: a remote attacker who knows the hardcoded username and password can authenticate to the Tomcat Manager, upload a malicious WAR file through the /manager/text/deploy endpoint, and have the JSP code inside it executed by the Tomcat process, which on the appliance runs as root. No exploit development required. No memory corruption. No race condition. Just a username and password that should never have existed outside of a development environment.
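Two checks a practitioner would run against an appliance (after the Dell upgrade, or on any Tomcat host) follow. This is an added example, not code from this article, from Dell or from Mandiant: it parses tomcat-users.xml for accounts holding Manager roles, and applies the RemoteAddrValve allow/deny logic from the Manager app's META-INF/context.xml to a client address to answer whether /manager/text/deploy is reachable from the network at all. The XML samples are constructed; account names and the password value are placeholders, and whether the appliance shipped Tomcat's stock loopback-only valve is not stated in the public reporting.

```python
"""Check who may log in to the Tomcat Manager and from where it can be reached.
Added example with constructed files; the appliance's real files are not public."""
import re
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager and Host Manager apps (Tomcat 7 through 10).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}

# Constructed stand-in for tomcat-users.xml; usernames and password are placeholders.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="app-user"/>
  <user username="svc_deploy" password="PLACEHOLDER" roles="manager-script,manager-gui"/>
  <user username="reporting" password="PLACEHOLDER" roles="app-user"/>
</tomcat-users>
"""

# Stock webapps/manager/META-INF/context.xml as shipped in a Tomcat 9 distribution:
# RemoteAddrValve limits the Manager to loopback clients.
DEFAULT_MANAGER_CONTEXT = r"""<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
"""

# Constructed variant with the valve removed: what "reachable from the network" looks like.
OPEN_MANAGER_CONTEXT = """<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true" />
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def privileged_accounts(tomcat_users_xml):
    """List every <user> whose roles include a Manager or Host Manager role."""
    found = []
    for el in ET.fromstring(tomcat_users_xml).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        hit = roles & MANAGER_ROLES
        if hit:
            found.append({"username": el.get("username"), "manager_roles": sorted(hit)})
    return found


def manager_allows(context_xml, client_ip):
    """Apply RemoteAddrValve's allow/deny logic (full regex match on the client
    address, as Tomcat's RequestFilterValve does) to a Manager context.xml."""
    valve = next((v for v in ET.fromstring(context_xml).iter()
                  if _local(v.tag) == "Valve"
                  and v.get("className", "").endswith("RemoteAddrValve")), None)
    if valve is None:
        return True                      # no address filter at all
    allow, deny = valve.get("allow"), valve.get("deny")
    if deny and re.fullmatch(deny, client_ip):
        return False
    if allow and re.fullmatch(allow, client_ip):
        return True
    return bool(deny) and not allow      # a deny-only valve admits everything else


def audit(tomcat_users_xml, manager_context_xml, client_ip):
    """Combine both checks: a network-reachable Manager plus an account that can deploy."""
    accounts = privileged_accounts(tomcat_users_xml)
    reachable = manager_allows(manager_context_xml, client_ip)
    can_deploy = any({"manager-script", "manager-gui"} & set(a["manager_roles"]) for a in accounts)
    return {"privileged_accounts": accounts,
            "manager_reachable_from": client_ip if reachable else None,
            "remote_deploy_possible": reachable and can_deploy}


if __name__ == "__main__":
    print(audit(SAMPLE_TOMCAT_USERS, OPEN_MANAGER_CONTEXT, "198.51.100.23"))
```

Run it against the appliance's own /home/kos/tomcat9/conf/tomcat-users.xml and the Manager app's context.xml (if the manager webapp directory is absent, the deploy endpoint does not exist and the second check is moot). Any account holding manager-script or manager-gui that you did not create yourself is the finding; a missing or widened RemoteAddrValve is what turns that finding into a network-reachable code-execution path.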
Dell's advisory states that an unauthenticated remote attacker with knowledge of the hardcoded credential could gain unauthorized access to the underlying operating system and root-level persistence. RecoverPoint Classic is not affected — only RecoverPoint for Virtual Machines. Dell has released both an upgrade path (6.0.3.1 HF1) and a remediation script for environments that cannot immediately upgrade. Source: Dell Security Advisory DSA-2026-079.
Dell published its security advisory (DSA-2026-079) on February 17, 2026, and acknowledged that it had received a report of limited active exploitation from Google and Mandiant. Dell's advisory credits Peter Ukhanov from Google/Mandiant for reporting the vulnerability. The word "limited" is doing significant work in that sentence. What Mandiant found tells a different story.
The Threat Actors: UNC6201 and the Silk Typhoon Connection
Mandiant and GTIG attributed the exploitation to a threat cluster they're tracking as UNC6201. This is the first time UNC6201 has been publicly named, and Google has described it as a suspected PRC-nexus group — meaning it has assessed links to Chinese state-sponsored cyber operations. Source: Google / Mandiant GTIG, Feb 18 2026.
UNC6201 does not operate in isolation. Google's report identifies significant overlaps between UNC6201 and UNC5221, another China-linked espionage group that Mandiant currently considers one of the most prevalent Chinese threat clusters. UNC5221 is best known for exploiting zero-day vulnerabilities in Ivanti products and for deploying the BRICKSTORM backdoor across enterprise environments. Some security vendors track UNC5221 under the name Silk Typhoon, though Google does not currently consider the two clusters to be the same entity. CrowdStrike specifically tracks the BRICKSTORM-deploying cluster — the one that overlaps with UNC5221 — under the name Warp Panda, a designation confirmed in CrowdStrike's December 2025 report and the joint CISA/NSA/Canadian Centre for Cyber Security advisory on BRICKSTORM. CrowdStrike separately tracks Silk Typhoon-aligned cloud intrusion activity under the name Murky Panda — a distinct cluster with different tooling and TTPs.
The attribution ecosystem around this cluster is genuinely contested and warrants transparency. Google/Mandiant states that UNC5221 has been used synonymously with Silk Typhoon in industry reporting but does not currently consider the two clusters to be the same entity. However, the FBI's March 2025 indictment documents listed the names APT27, UNC5221, and Silk Typhoon together as names for the same individuals' activities — a government assertion that goes further than Mandiant's current analytical position. Separately, some reporting conflates Silk Typhoon with APT27, while Microsoft tracks Silk Typhoon as the actor formerly known as HAFNIUM. These overlaps reflect real analytical uncertainty across the industry, not a single clear picture. For the purposes of this article, we follow Mandiant's and GTIG's own framing: UNC6201 has overlaps with UNC5221, and UNC5221 has been conflated with Silk Typhoon by some vendors, but Mandiant does not treat these as identical clusters. Sources: Mandiant BRICKSTORM Report, Sep 2025; CrowdStrike Warp Panda, Dec 2025; CISA/NSA/Cyber Centre AR25-338A, Dec 2025.
In September 2025, Mandiant published an extensive report on UNC5221's BRICKSTORM campaigns, revealing that the group had maintained undetected access in U.S. legal services firms, SaaS providers, business process outsourcers, and technology companies for an average of 393 days. The targeting wasn't random: Mandiant confirmed that UNC5221 was actively stealing proprietary source code and other intellectual property related to enterprise technologies — material Mandiant assessed was being analyzed to identify new zero-day vulnerabilities for future exploitation. Source: Google / Mandiant BRICKSTORM Report, Sep 24 2025.
"The access obtained by UNC5221 enables them to pivot to downstream customers of compromised SaaS providers or discover zero-day vulnerabilities in enterprise technologies, which can be used for future attacks."
— Google Threat Intelligence Group, September 2025 BRICKSTORM report
Google has confirmed that UNC6201's targeting in this campaign has focused on organizations in North America. Austin Larsen, principal threat analyst at GTIG, has stated that Mandiant is currently aware of fewer than a dozen impacted organizations — though Larsen and others have cautioned that the full scale of infections remains unknown, given how effectively the group evades detection on unmonitored appliances. Source: Cybersecurity Dive, Feb 18 2026.
It's unclear whether CVE-2026-22769 itself was found through stolen proprietary information, but the pattern fits: a group that steals enterprise technology source code and then surfaces with a zero-day in an enterprise product is not a coincidence that takes much imagination to connect.
The Kill Chain: From Tomcat Admin to Root
Mandiant discovered CVE-2026-22769 while investigating compromised Dell RecoverPoint appliances in a customer environment that was already sending out C2 traffic associated with the BRICKSTORM and GRIMBOLT backdoors. The investigators traced the initial compromise chain back through the Apache Tomcat Manager interface. Source: Google / Mandiant GTIG, Feb 18 2026.
The attack chain proceeds as follows:
- Authentication to Tomcat Manager: The attacker authenticates to the Dell RecoverPoint Tomcat Manager using the hardcoded admin credentials embedded in the configuration file. No brute-forcing. No credential stuffing. Just the default username and password that shipped with the product.
- Web shell deployment: The attacker uses the /manager/text/deploy endpoint to upload a malicious WAR file containing SLAYSTYLE, a JSP web shell that provides command execution over HTTP.
- Root access established: SLAYSTYLE runs with the privileges of the Tomcat process, which on the RecoverPoint appliance is root, giving the attacker full control of the underlying operating system.
- Backdoor deployment: The attacker deploys BRICKSTORM (and later GRIMBOLT) as persistent backdoors on the appliance. Persistence is achieved by modifying a legitimate shell script (/home/kos/kbox/src/installation/distribution/convert_hosts.sh) that is executed at boot via rc.local, so the backdoor survives reboots.
- Lateral movement: The attacker pivots from the compromised RecoverPoint appliance into the broader VMware infrastructure, targeting vCenter servers and ESXi hosts using valid credentials likely harvested from the compromised environment.
- Long-term espionage: The attacker maintains persistent access, moves into internal and SaaS infrastructure, and conducts intelligence collection operations.
The initial access vector — how the attacker first reached the RecoverPoint appliance — has not been confirmed. Mandiant notes that UNC6201, like UNC5221, is known to target edge appliances such as VPN concentrators as an entry point into victim networks. Once inside the perimeter, the RecoverPoint vulnerability provided an easy lateral pivot.
The Malware Arsenal: Slaystyle, Brickstorm, and Grimbolt
UNC6201 deployed three distinct malware families across the compromised environments, each serving a specific operational role. The following analysis draws primarily from the Mandiant/GTIG February 18, 2026 report and the September 2025 BRICKSTORM campaign report.
SLAYSTYLE (Web Shell)
SLAYSTYLE is a JSP web shell deployed via malicious WAR file to the Apache Tomcat instance on compromised RecoverPoint appliances. It accepts commands over HTTP and executes them on the underlying system with root privileges. SLAYSTYLE served as the initial foothold — the first thing deployed after authentication — and was also used to set up network redirection rules via iptables on compromised vCenter appliances.
On naming: Mandiant's designation for this web shell is SLAYSTYLE. MITRE independently named the same web shell family BEEFLUSH when it appeared in the January 2024 breach of MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE). In that incident, the UNC5221-attributed actor deployed BEEFLUSH alongside BRICKSTORM after gaining initial access via Ivanti Connect Secure zero-days (CVE-2023-46805 and CVE-2024-21887). The NERVE breach is where this particular JSP web shell first received broad public documentation, under the BEEFLUSH name. The Mandiant designation SLAYSTYLE became the more widely used label in the September 2025 and February 2026 BRICKSTORM reporting. SOC Prime and others explicitly confirm SLAYSTYLE and BEEFLUSH refer to the same web shell family. Sources: MITRE NERVE intrusion blog series, May 2024; SOC Prime BRICKSTORM analysis, Sep 2025.
BRICKSTORM (Primary Backdoor)
BRICKSTORM is a Go-based backdoor that has been a staple of UNC5221 operations since it was first publicly documented by Mandiant in April 2024, in connection with zero-day exploitation of Ivanti Connect Secure VPN appliances. However, the malware's history runs considerably deeper: in April 2025, Belgian cybersecurity firm NVISO identified Windows variants of BRICKSTORM that had been active in campaigns targeting European industries since at least 2022 — predating Mandiant's initial documentation by roughly two years. Source: NVISO BRICKSTORM analysis, Apr 15 2025.
Mandiant's Linux-focused variant and NVISO's Windows variants share the same Go-based architecture but differ in capability: the Windows versions lack shell command execution, instead relying on network tunneling and valid credentials to abuse RDP and SMB for equivalent effect. It is worth noting that Mandiant, while acknowledging the NVISO report, stated at the time that it had not independently observed BRICKSTORM Windows variants in its own investigations. The Go language provides cross-platform support, which is critical for the group's strategy of deploying on appliance platforms — Linux, BSD, and VMware systems — that do not support traditional endpoint detection and response (EDR) tools.
The Linux variant includes functionality for file system manipulation, file upload and download, shell command execution, SOCKS proxy tunneling, and C2 communication over WebSockets. BRICKSTORM also uses DNS-over-HTTPS (DoH) to resolve its C2 infrastructure, helping its traffic blend in with legitimate encrypted DNS traffic and hindering network-based monitoring.
Mandiant found BRICKSTORM deployed on the compromised RecoverPoint appliances and on VMware vCenter servers within victim environments. In one case, BRICKSTORM included a built-in delay timer with a specific date set for when it would begin communicating with C2 infrastructure — a technique that delays detection by keeping the backdoor dormant during initial deployment. Source: Mandiant BRICKSTORM Report, Sep 2025.
GRIMBOLT (Next-Generation Backdoor)
In September 2025, Mandiant observed UNC6201 replacing BRICKSTORM binaries with GRIMBOLT, a newly identified backdoor that represents an evolution in the group's tooling. GRIMBOLT is written in C# and compiled using native ahead-of-time (AOT) compilation — a technique introduced in .NET in 2022 that converts code directly to machine-native binaries during compilation rather than relying on just-in-time (JIT) compilation at runtime.
"This approach enhances the software's performance on resource-constrained appliances, ensures required libraries are already present in the file, and complicates static analysis by removing the common intermediate language (CIL) metadata typically associated with C# samples."
— Mandiant, February 18, 2026 — Source: GTIG Report
GRIMBOLT provides remote shell capabilities and uses the same C2 infrastructure as BRICKSTORM, but it's packed with UPX and is significantly harder to reverse engineer. Google told The Hacker News that GRIMBOLT incorporates features to better evade detection and minimize forensic traces, and that it excels at blending in with the system's own native files. The timing of the switchover — September 2025 — is notable because it coincides with Mandiant's public reporting on the BRICKSTORM campaigns. Whether the swap was pre-planned or a reaction to the threat group's tradecraft being exposed remains an open question; Mandiant explicitly states it cannot determine which. Source: The Hacker News, Feb 18 2026; Mandiant/GTIG, Feb 18 2026.
Ghost NICs and Single Packet Authorization: Novel TTPs
The most technically interesting aspect of this campaign isn't the vulnerability itself — it's what UNC6201 did after gaining access. Mandiant documented two novel techniques that haven't been previously reported in public threat intelligence. Source: Mandiant/GTIG, Feb 18 2026.
"Ghost NICs" — Temporary Virtual Network Interfaces
UNC6201 created temporary network interface cards (NICs) on existing virtual machines running on ESXi servers. These ephemeral network ports allowed the attacker to pivot from the compromised RecoverPoint appliance into internal and SaaS infrastructure used by the victim organizations. After completing their operations, the threat actors deleted the Ghost NICs, removing the evidence of lateral movement and making forensic investigation significantly more difficult. Mandiant CTO Charles Carmakal described this technique on LinkedIn as deploying "ghost NICs on virtual machines to evade defenders," noting it left investigators chasing network activity from IP addresses that no longer existed and were never documented. Source: CSO Online, Feb 18 2026.
This is a clever technique for virtual environments. Traditional lateral movement — RDP, SSH, SMB — leaves network logs and connection artifacts. Creating a temporary virtual NIC on a VM that already has legitimate network access lets the attacker piggyback on existing trust relationships while leaving minimal traces. When the NIC is deleted, the network path itself ceases to exist. What does survive is the control-plane record: adding or removing a virtual NIC is a VM reconfiguration operation, so vCenter's task and event history (and the vpxd and hostd logs behind it) is where the creation and deletion can still be reconstructed, provided retention covers the window.
iptables-Based Single Packet Authorization (SPA)
On compromised vCenter appliances, UNC6201 used SLAYSTYLE to execute iptables commands that implemented a form of Single Packet Authorization. The mechanism worked in three steps:
- Monitor incoming traffic on port 443 (HTTPS) for a specific HEX string embedded in the packet.
- When a matching packet arrives, add the source IP address to an approved list.
- Silently redirect subsequent traffic from that approved IP to port 10443 for the next 300 seconds (five minutes), where the C2 handler is listening.
This is essentially a knock sequence implemented at the iptables level. The compromised vCenter continues serving legitimate HTTPS traffic on port 443. The C2 channel only opens for a five-minute window, only for a specific IP, and only after the correct authorization packet is sent. To anyone monitoring network traffic, the vCenter looks completely normal. The technique is invisible from the wire, not from the host: the redirect is a NAT rule and the handler on port 10443 is an ordinary listening socket, so a dump of the firewall rules and of listening ports on the appliance exposes both.
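The host-side check for the knock pattern described above is to look in the firewall rules themselves for the combination of a payload match that marks the sender and a redirect that is gated on that mark. The following is an added example, not part of the article or of Mandiant's published detections: it parses iptables-save output and pairs "mark on match" rules with "redirect marked senders" rules by the xt_recent list name they share. The embedded ruleset is constructed to mirror the three steps in the text; the hex value, list name and ports are placeholders, not the actor's indicators.

```python
"""Hunt an iptables-save dump for knock-gated port redirection (the SPA pattern
described above). Added example; the rules below are constructed, not the actor's."""
import shlex
from dataclasses import dataclass, field

# Constructed sample that mirrors the three-step pattern in the text: a payload
# match on 443 marks the sender in a 'recent' list, and senders on that list are
# redirected to 10443 for 300 s. The hex value and list name are placeholders.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 300 --name knock -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -m string --hex-string "|de ad be ef|" --algo bm -m recent --set --name knock
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    table: str
    chain: str
    modules: set = field(default_factory=set)   # names given to -m
    opts: dict = field(default_factory=dict)    # option -> value, or True for flags
    raw: str = ""


def parse_iptables_save(text):
    """Turn every '-A' line of an iptables-save (or iptables -S) dump into a Rule."""
    rules, table = [], "unknown"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                 # iptables-save table header
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = Rule(table=table, chain=toks[1], raw=line)
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "-m" and i + 1 < len(toks):
                rule.modules.add(toks[i + 1])
                i += 2
            elif tok.startswith("-"):
                has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                rule.opts[tok] = toks[i + 1] if has_value else True
                i += 2 if has_value else 1
            else:                                # e.g. a '!' negation marker; not tracked here
                i += 1
        rules.append(rule)
    return rules


def find_spa_pattern(text):
    """Pair 'mark the sender on payload match' rules with 'redirect marked senders'
    rules by their recent-list name. Returns one finding per suspicious list."""
    triggers, redirects = {}, {}
    for r in parse_iptables_save(text):
        name = r.opts.get("--name", "DEFAULT")   # xt_recent's default list name
        payload_match = "string" in r.modules and ("--hex-string" in r.opts or "--string" in r.opts)
        if payload_match and "recent" in r.modules and "--set" in r.opts:
            triggers[name] = r
        gated = "recent" in r.modules and ("--rcheck" in r.opts or "--update" in r.opts)
        if gated and r.opts.get("-j") in ("REDIRECT", "DNAT"):
            redirects[name] = r
    findings = []
    for name in sorted(set(triggers) | set(redirects)):   # a half-chain is still worth a look
        t, red = triggers.get(name), redirects.get(name)
        seconds = red.opts.get("--seconds") if red else None
        findings.append({
            "list": name,
            "trigger_port": t.opts.get("--dport") if t else None,
            "trigger_pattern": (t.opts.get("--hex-string") or t.opts.get("--string")) if t else None,
            "redirect_to": (red.opts.get("--to-ports") or red.opts.get("--to-destination")) if red else None,
            "window_seconds": int(seconds) if isinstance(seconds, str) else None,
            "complete_chain": t is not None and red is not None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_spa_pattern(SAMPLE_IPTABLES_SAVE):
        print(finding)
```

Feed it the output of `iptables-save` (all tables) from the appliance; on hosts that have moved to nftables the rule syntax differs and this parser will not see them, so check `nft list ruleset` by hand there. Pair the result with a listing of listening sockets: a redirect target port with a live listener that no installed service accounts for is the thing to pull for analysis.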
Why This Went Undetected for 18 Months
Mandiant CTO Charles Carmakal addressed this directly in a LinkedIn post on February 18:
"Nation-state threat actors continue targeting systems that don't commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times."
— Charles Carmakal, Mandiant CTO, LinkedIn, Feb 18 2026
This is the core of the problem. Dell RecoverPoint for Virtual Machines is an appliance. It runs a purpose-built Linux environment. There is no CrowdStrike agent on it. There is no SentinelOne sensor. There is no Microsoft Defender for Endpoint. The appliance is often deployed within a trusted internal network zone, excluded from centralized security logging, and poorly inventoried by security operations teams. It is, from a detection standpoint, a black hole.
The same is true for the VMware vCenter and ESXi hosts that UNC6201 pivoted into. These are infrastructure management planes, not general-purpose servers. They frequently lack EDR coverage, are excluded from vulnerability scanning schedules, and generate logs that feed into infrastructure monitoring tools rather than security information and event management (SIEM) platforms.
When you combine a zero-day in an unmonitored appliance with a threat actor that specifically targets unmonitored appliances, the result is exactly what Mandiant found: 18 months of persistent access with no detection.
The Bigger Picture: Appliance Blindness Is the New Normal
This Dell RecoverPoint campaign is not an isolated event. It's part of a systematic, multi-year strategy by Chinese state-linked groups to target enterprise appliances — the devices that sit inside the network perimeter but outside the security monitoring envelope.
UNC5221 and other China-nexus clusters have exploited zero-day vulnerabilities in Ivanti Connect Secure VPN appliances, Citrix ADC, Fortinet FortiOS, Barracuda Email Security Gateways, and now Dell RecoverPoint. The pattern is consistent: find a flaw in an appliance that organizations trust, deploy a backdoor that security tools can't see, and maintain access for months or years while harvesting intelligence.
In September 2025, Mandiant reported that the average dwell time for BRICKSTORM intrusions was 393 days, and that in many cases the dwell time exceeded log retention periods. The initial intrusion artifacts were simply gone by the time incident responders arrived. The September report also confirmed that UNC5221 was actively stealing proprietary source code and other intellectual property from technology companies, with Mandiant assessing that the stolen material was being used to identify new zero-days in the very appliances they target. That creates a self-reinforcing cycle: compromise a tech company, steal its product source code, find a new vulnerability in that code, and use it to compromise the next target. Source: Mandiant BRICKSTORM Report, Sep 2025.
Mandiant and GTIG's February 18 report explicitly warns that UNC6201 is likely still active in environments that have not been patched or fully remediated. Because exploitation has been occurring since mid-2024, the attackers have had ample time to establish redundant persistence mechanisms, harvest credentials, and set up alternative access paths that survive a simple patch. Additionally, Austin Larsen of GTIG has specifically warned that organizations previously targeted by BRICKSTORM should check their environments for GRIMBOLT, as the two backdoors share C2 infrastructure and the transition between them may not have been total. Source: Cybersecurity Dive, Feb 18 2026.
Remediation and Detection
If your environment ran a vulnerable version of Dell RecoverPoint for Virtual Machines at any point since mid-2024, patching removes the vulnerability but does not remove an attacker who has already established persistence. A full compromise investigation is required.
Dell has released remediation guidance through its security advisory (DSA-2026-079). The primary fix is upgrading to Dell RecoverPoint for Virtual Machines version 6.0.3.1 HF1. For environments running the older 5.3 SP4 P1 version, Dell recommends migrating to 6.0 SP3 first and then upgrading to the patched version. A remediation script is also available for environments that cannot immediately upgrade. Source: Dell DSA-2026-079.
Mandiant and GTIG have released the following detection resources, available via the February 18, 2026 GTIG blog post:
- Indicators of Compromise (IOCs) tied to the SLAYSTYLE, BRICKSTORM, and GRIMBOLT malware families, including file hashes and network indicators.
- YARA rules for detecting GRIMBOLT and SLAYSTYLE on compromised systems.
- Artifact guidance outlining specific file paths, modified shell scripts, and configuration changes that indicate RecoverPoint compromise.
- BRICKSTORM scanner tool (available on Mandiant's GitHub) — a script that can run on Unix-based appliances even without YARA installed, designed to detect the BRICKSTORM backdoor by searching for unique strings and hex patterns. This tool was first released alongside the September 2025 BRICKSTORM campaign report and remains available. Source: Mandiant BRICKSTORM Report, Sep 2025.
On December 4, 2025, CISA, the NSA, and the Canadian Centre for Cyber Security jointly released Malware Analysis Report AR25-338A — a detailed technical analysis of BRICKSTORM samples with indicators of compromise, YARA and Sigma detection rules, and recommended mitigations. The advisory was updated on December 19, 2025, January 20, 2026, and again on February 11, 2026, with additional samples including Rust-based variants. The February 11 update — released one week before this article — is the "earlier this month" revision referenced in current reporting. CISA has also added CVE-2026-22769 to its Known Exploited Vulnerabilities (KEV) catalog, which triggers mandatory remediation deadlines for all federal civilian executive branch agencies and serves as a formal signal to critical infrastructure operators that this vulnerability requires immediate action. Sources: CISA AR25-338A; NSA press release, Dec 4 2025.
Dell additionally recommends that RecoverPoint for Virtual Machines should be deployed within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation. That's always been good practice, but it's worth emphasizing: this appliance should never be directly reachable from the internet or from untrusted network segments.
Beyond patching and IOC hunting, organizations that ran vulnerable versions should:
- Conduct a full compromise assessment. Check for modified shell scripts (particularly convert_hosts.sh and the rc.local entry that calls it), unexpected WAR files or expanded applications in the Tomcat webapps directory, Manager deploy requests in the Tomcat access logs, and unusual C2 traffic patterns from the RecoverPoint appliance.
- Audit VMware infrastructure. Look in vCenter's task and event history for VM reconfiguration events that add and later remove a virtual NIC (the Ghost NIC pattern), for unexpected iptables rules and listening ports on vCenter appliances, and for unusual network connections from infrastructure management systems.
- Rotate all credentials. If the RecoverPoint appliance had access to credentials, certificates, or tokens for other systems, treat them as compromised. This includes vCenter administrator credentials, any credentials stored on the appliance, and any service accounts used by RecoverPoint.
- Review email access. In related BRICKSTORM campaigns, Mandiant found UNC5221 targeting the email accounts of developers, system administrators, and individuals involved in matters aligned with PRC espionage priorities. Check Microsoft Entra ID audit logs for suspicious Enterprise Application access with the mail.read or full_access_as_app scopes. Source: Mandiant BRICKSTORM Report, Sep 2025.
- Check for GRIMBOLT if previously exposed to BRICKSTORM. Austin Larsen of GTIG specifically warned that organizations previously targeted by BRICKSTORM should hunt for GRIMBOLT in their environments, as the two share C2 infrastructure. Source: Cybersecurity Dive, Feb 18 2026.
- Extend monitoring. Integrate appliance logs into your SIEM. If you can't install an EDR agent, implement network-based detection for known C2 infrastructure and anomalous traffic patterns.
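The web shell deployment step in the kill chain and the compromise-assessment bullet above both come down to the same question: did anyone on the network hit the Tomcat Manager's deploy endpoint, and what did they do with the context it created? Tomcat's access log answers that if access logging is enabled on the appliance (an assumption; Tomcat's standard distribution enables it via AccessLogValve, and the default pattern is `%h %l %u %t "%r" %s %b`). The following is an added example, not code from the article or from Mandiant: it parses that format, flags Manager requests from non-loopback clients, extracts the context path of each successful deploy, and then lists the follow-on requests into that context, which is where the web shell traffic shows up. The log lines are constructed; the addresses, username and context name are placeholders, not incident indicators.

```python
"""Hunt Tomcat access logs for Manager deployments from the network, then follow
the contexts they created. Added example with constructed log lines."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample; addresses, the username and the context name are placeholders.
# Line 1 is a local health check, lines 2-3 are the network-side Manager use,
# line 4 is the first request to the freshly deployed JSP, line 5 is unrelated.
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - - [03/Jul/2024:10:14:58 +0000] "GET /manager/text/list HTTP/1.1" 200 312
198.51.100.23 - exampleuser [03/Jul/2024:10:15:42 +0000] "GET /manager/text/list HTTP/1.1" 200 312
198.51.100.23 - exampleuser [03/Jul/2024:10:16:05 +0000] "PUT /manager/text/deploy?path=/upd&update=true HTTP/1.1" 200 56
198.51.100.23 - - [03/Jul/2024:10:16:20 +0000] "POST /upd/index.jsp HTTP/1.1" 200 88
10.0.0.5 - - [03/Jul/2024:10:17:00 +0000] "GET / HTTP/1.1" 200 1204
"""

# Manager endpoints that install a new application.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")


def parse_access_log(text):
    """Yield one dict per well-formed access-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield m.groupdict()


def is_local(host):
    """True for loopback clients (the only ones Tomcat's stock Manager valve admits)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def hunt_manager_activity(text):
    """Return Manager requests from non-loopback clients, the contexts those
    requests deployed, and every later request into those contexts."""
    records = list(parse_access_log(text))
    remote_manager = [r for r in records
                      if r["target"].startswith("/manager/") and not is_local(r["host"])]
    deployed = set()
    for r in remote_manager:
        url = urlsplit(r["target"])
        if url.path in DEPLOY_PATHS and r["status"] == "200":
            ctx = parse_qs(url.query).get("path", [None])[0]
            if ctx:
                deployed.add(ctx)
    follow_on = [r for r in records
                 if any(r["target"] == c or r["target"].startswith(c.rstrip("/") + "/")
                        for c in deployed)]
    return {
        "remote_manager_requests": remote_manager,
        "deployed_contexts": sorted(deployed),
        "follow_on_requests": follow_on,
    }


if __name__ == "__main__":
    result = hunt_manager_activity(SAMPLE_ACCESS_LOG)
    print("deployed contexts:", result["deployed_contexts"])
    for r in result["follow_on_requests"]:
        print("follow-on:", r["host"], r["method"], r["target"])
```

Run it over every rotated localhost_access_log.*.txt you still have; because dwell time in these intrusions routinely outlasts retention, an empty result on a short log window is not evidence of absence. A deploy with no matching WAR in the webapps directory is also informative: the Manager's text interface can undeploy as cleanly as it deploys, and that undeploy request will be in the same log.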
Key Takeaways
- Hardcoded credentials are still shipping in enterprise products. CVE-2026-22769 is a textbook CWE-798 vulnerability — a default admin password left in a production configuration file. This is a solved problem in theory. In practice, a major enterprise vendor shipped it, and a nation-state found it before internal quality assurance did.
- Appliance blindness is a systemic security gap. The devices that Chinese APT groups are targeting — VPN concentrators, backup appliances, VMware management planes — are the same devices that organizations routinely exclude from EDR coverage, vulnerability scanning, and security monitoring. If you can't see it, you can't defend it.
- Chinese cyber operations are becoming more technically sophisticated. Ghost NICs, iptables-based SPA, native AOT-compiled backdoors — these are not commodity techniques. They're tradecraft innovations designed to evade detection in environments where the attacker knows what security tools are (and aren't) deployed.
- Patching is necessary but not sufficient. After 18 months of access, UNC6201 has had time to establish deep persistence, harvest credentials, and pivot to downstream systems. A patch closes the door; it doesn't evict an attacker who's already inside.
- The feedback loop is real. Chinese APT groups steal source code from enterprise technology companies, analyze it for vulnerabilities, and then exploit those vulnerabilities against other targets. Protecting your code repositories is not just an intellectual property concern — it's a supply chain security imperative.
A developer left credentials in a configuration file. That's how this started. And 18 months later, a Chinese espionage operation was running inside enterprise backup infrastructure with root access, ghost networking, and a malware toolkit that's harder to detect than many commercial security tools. The vulnerability has been patched. The question now is how many organizations are still compromised and don't know it yet.