What is CVE-2026-22769?

Zero-day in Dell RecoverPoint for VMs. CVSS 10.0. Allows root via Tomcat Manager creds. Exploited mid-2024.

How does GRIMBOLT differ from BRICKSTORM?

GRIMBOLT's C# AOT-compiled, UPX-packed. Faster, stealthier on appliances. Same C2, remote shell. Persistence via boot scripts.

Patched, yes. But check configs – no defaults. Monitor for ghosts. VMware pivots still a risk.

🌐 Nation-State Threats

Thought BRICKSTORM was the worst? UNC6201 just leveled up to GRIMBOLT on Dell's RecoverPoint zero-day. Your virtual machines are in the crosshairs.

theAIcatchup Apr 08, 2026 3 min read

UNC6201 exploited Dell RecoverPoint zero-day CVE-2026-22769 since mid-2024 for lateral movement and persistence. 𝕏
Swapped BRICKSTORM for evasive GRIMBOLT malware, using native AOT compilation to thwart analysis. 𝕏
New TTPs include Ghost NICs and iptables SPA for VMware pivoting, signaling deeper virtual infra threats. 𝕏

Published by

Threat intelligence. Zero noise.

#CVE-2026-22769 #Dell RecoverPoint #GRIMBOLT #UNC6201

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Mandiant Blog