<div class="block-paragraph_advanced"><p>Written by: Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson, Jr., Rich Reece</p> <hr/></div> <div class="block-paragraph_advanced"><h3>Introduction</h3> <p>Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in <a href="https://www.dell.com/en-us/lp/dt/data-protection-suite-recoverpoint-for-virtual-machines" rel="noopener" target="_blank">Dell RecoverPoint for Virtual Machines</a>, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0. Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT. The initial access vector for these incidents was not confirmed, but UNC6201 is known to target edge appliances (such as VPN concentrators) for initial access. There are notable overlaps between UNC6201 and UNC5221, which has been used synonymously with the actor publicly reported as Silk Typhoon, although GTIG do</p></div>

Read Full Article at Mandiant Blog →