Mandiant and Google Threat Intelligence Group identified a critical zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines, with a CVSS score of 10.0, exploited by the UNC6201 threat cluster since mid-2024 for lateral movement and to deploy malware such as GRIMBOLT. GRIMBOLT replaces older BRICKSTORM binaries, using C# and AOT compilation to improve stealth and performance.
The report details the exploitation mechanisms, including unauthorized access via Tomcat Manager due to default credentials, and new tactics like 'Ghost NICs' for network pivoting. Remediation guidance and actionable insights for incident responders are provided, alongside detection indicators for community use.