UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign
Campaign
Summary
The UNC6201 campaign has been exploiting a Dell zero-day since mid-2024, creating a sustained risk of unauthorized access and stealthy movement across victims' virtualized environments. Once inside, the operators deployed Grimbolt and earlier Brickstorm backdoors to maintain access. They also used Ghost NICs on VMware ESXi servers to pivot deeper into internal and SaaS environments. The activity is notable because it targets appliances that often lack EDR coverage and can support long-term persistence.
Cases
Related Happenings
Kyber ransomware targeting Windows and VMware ESXi
Malware Activity
First: 22.04.2026 21:52
Last: 22.04.2026 21:52
Sources: 1
About this happening:
**Kyber ransomware** is actively hitting **Windows** and **VMware ESXi** environments, using two variants that can encrypt files, datastores, and recovery paths. The activity rais...
CISA KEV patch order for Dell RecoverPoint
Public Sector Action
First: 19.02.2026 17:30
Last: 19.02.2026 17:30
Sources: 1
How related:
CISA has now added the security flaw to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their networks by the end of Saturday, February 21, as mandated by Binding Operational Directive (BOD) 22-01.
About this happening:
**CISA** added **CVE-2026-22769** to the **KEV catalog** and ordered **Federal Civilian Executive Branch** agencies to secure their networks by **February 21**. The directive unde...
BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances
Malware Activity
First: 18.02.2026 12:32
Last: 18.02.2026 12:32
Sources: 1
How related:
The threat actor has also been found replacing old BRICKSTORM binaries with GRIMBOLT in September 2025.
About this happening:
**BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...
Poland's energy sector hit by network compromise
Incident
First: 17.02.2026 23:31
Last: 17.02.2026 23:31
Sources: 1
About this happening:
A **wiper attack** hit **Poland's energy sector** on **Dec. 29 and 30, 2025**, damaging OT visibility and firmware across **more than 30 renewable energy farms** and other facilit...
Electrum and Kamicite destructive OT/ICS campaign
Campaign
First: 17.02.2026 23:31
Last: 17.02.2026 23:31
Sources: 1
About this happening:
A **2025 destructive campaign** tied to **Electrum** and **Kamicite** combined **persistent scanning** with attacks that could disrupt industrial and communications infrastructure...
Timeline
- 19.02.2026 17:30 · 1 article · 3mo ago
CISA orders agencies to patch CVE-2026-22769
Mitigation Patch Update: CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.
Source: CISA orders feds to patch actively exploited Dell flaw within 3 days — www.bleepingcomputer.com — 19.02.2026 17:30
- 17.02.2026 22:15 · 1 article · 3mo ago
UNC6201 exploits Dell RecoverPoint zero-day
Initial Disclosure: UNC6201 has been exploiting CVE-2026-22769 in Dell RecoverPoint for Virtual Machines in zero-day attacks since mid-2024, creating a path to unauthorized access and root-level persistence on vulnerable systems; after initial access, the group deployed Grimbolt and Brickstorm and used Ghost NICs on VMware ESXi servers to pivot deeper into victim networks.
Source: Chinese hackers exploiting Dell zero-day flaw since mid-2024 — www.bleepingcomputer.com — 17.02.2026 22:15