UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign
Campaign
Summary
Hide ▲
Show ▼
The UNC6201 campaign has been exploiting a Dell zero-day since mid-2024, creating a sustained risk of unauthorized access and stealthy movement across victims' virtualized environments. Once inside, the operators deployed Grimbolt and earlier Brickstorm backdoors to maintain access. They also used Ghost NICs on VMware ESXi servers to pivot deeper into internal and SaaS environments. The activity is notable because it targets appliances that often lack EDR coverage and can support long-term persistence.
Cases
Related Happenings
MacOS XPC cached signature trust privilege escalation privilege-escalation flaw
Vulnerability
H score23
First: 25.06.2026 14:00
Last: 25.06.2026 14:00
Sources 1
About this happening:
**macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...
MacOS XPC cached signature trust privilege escalation privilege-escalation flaw
VulnerabilityAbout this happening: **macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
Vulnerability
H score46
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
**CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
VulnerabilityAbout this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
UniFi OS Server unauthenticated root RCE chain (multiple vulnerabilities)
Vulnerability
H score25
First: 08.06.2026 18:51
Last: 08.06.2026 18:51
Sources 1
About this happening:
**UniFi OS Server** is exposed to an **unauthenticated root RCE chain** that combines **CVE-2026-34908**, **CVE-2026-34909**, and **CVE-2026-34910**, putting **versions 5.0.6 and...
UniFi OS Server unauthenticated root RCE chain (multiple vulnerabilities)
VulnerabilityAbout this happening: **UniFi OS Server** is exposed to an **unauthenticated root RCE chain** that combines **CVE-2026-34908**, **CVE-2026-34909**, and **CVE-2026-34910**, putting **versions 5.0.6 and...
Latest development: 24.06.2026 15:32
CISA added CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 to the Known Exploited Vulnerabilities (KEV) catalog after warnings that threat actors were targeting UniFi OS Server devices and multiple users reported in-the-wild exploitation that created rogue administrator accounts named 'John Sim' on affected Ubiquiti systems.
BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment
Malware Activity
H score40
First: 08.06.2026 13:27
Last: 08.06.2026 13:27
Sources 1
About this happening:
The deployment of **BRICKSTORM**, **PLENET (aka GRIMBOLT)**, and **AGENTPSD** on **Linux appliances** expanded operator access with **backdoor**, **proxying**, **remote command ex...
BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment
Malware ActivityAbout this happening: The deployment of **BRICKSTORM**, **PLENET (aka GRIMBOLT)**, and **AGENTPSD** on **Linux appliances** expanded operator access with **backdoor**, **proxying**, **remote command ex...
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware Activity
H score16
First: 05.06.2026 21:09
Last: 05.06.2026 21:09
Sources 1
About this happening:
The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware ActivityAbout this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...
Timeline
-
19.02.2026 17:30 1 articles · 4mo ago
CISA orders agencies to patch CVE-2026-22769
Mitigation Patch UpdateCISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.
Show sources
- CISA orders feds to patch actively exploited Dell flaw within 3 days — www.bleepingcomputer.com — 19.02.2026 17:30
-
17.02.2026 22:15 1 articles · 4mo ago
UNC6201 exploits Dell RecoverPoint zero-day
Initial DisclosureUNC6201 has been exploiting CVE-2026-22769 in Dell RecoverPoint for Virtual Machines in zero-day attacks since mid-2024, creating a path to unauthorized access and root-level persistence on vulnerable systems; after initial access, the group deployed Grimbolt and Brickstorm and used Ghost NICs on VMware ESXi servers to pivot deeper into victim networks.
Show sources
- Chinese hackers exploiting Dell zero-day flaw since mid-2024 — www.bleepingcomputer.com — 17.02.2026 22:15