Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign

Campaign
First reported
Last updated
Happening score
H score 44
1 unique sources, 2 articles

Summary

Hide ▲

The UNC6201 campaign has been exploiting a Dell zero-day since mid-2024, creating a sustained risk of unauthorized access and stealthy movement across victims' virtualized environments. Once inside, the operators deployed Grimbolt and earlier Brickstorm backdoors to maintain access. They also used Ghost NICs on VMware ESXi servers to pivot deeper into internal and SaaS environments. The activity is notable because it targets appliances that often lack EDR coverage and can support long-term persistence.

Cases

Related Happenings

MacOS XPC cached signature trust privilege escalation privilege-escalation flaw

Vulnerability
H score23 First: 25.06.2026 14:00 Last: 25.06.2026 14:00 Sources 1

About this happening: **macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...

SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)

Vulnerability
H score46 First: 15.06.2026 23:06 Last: 15.06.2026 23:06 Sources 1

About this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...

UniFi OS Server unauthenticated root RCE chain (multiple vulnerabilities)

Vulnerability
H score25 First: 08.06.2026 18:51 Last: 08.06.2026 18:51 Sources 1

About this happening: **UniFi OS Server** is exposed to an **unauthenticated root RCE chain** that combines **CVE-2026-34908**, **CVE-2026-34909**, and **CVE-2026-34910**, putting **versions 5.0.6 and...

Latest development: 24.06.2026 15:32

CISA added CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 to the Known Exploited Vulnerabilities (KEV) catalog after warnings that threat actors were targeting UniFi OS Server devices and multiple users reported in-the-wild exploitation that created rogue administrator accounts named 'John Sim' on affected Ubiquiti systems.

BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment

Malware Activity
H score40 First: 08.06.2026 13:27 Last: 08.06.2026 13:27 Sources 1

About this happening: The deployment of **BRICKSTORM**, **PLENET (aka GRIMBOLT)**, and **AGENTPSD** on **Linux appliances** expanded operator access with **backdoor**, **proxying**, **remote command ex...

UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity

Malware Activity
H score16 First: 05.06.2026 21:09 Last: 05.06.2026 21:09 Sources 1

About this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...

Timeline

  1. 19.02.2026 17:30 1 articles · 4mo ago

    CISA orders agencies to patch CVE-2026-22769

    Mitigation Patch Update

    CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.

    Show sources
  2. 17.02.2026 22:15 1 articles · 4mo ago

    UNC6201 exploits Dell RecoverPoint zero-day

    Initial Disclosure

    UNC6201 has been exploiting CVE-2026-22769 in Dell RecoverPoint for Virtual Machines in zero-day attacks since mid-2024, creating a path to unauthorized access and root-level persistence on vulnerable systems; after initial access, the group deployed Grimbolt and Brickstorm and used Ghost NICs on VMware ESXi servers to pivot deeper into victim networks.

    Show sources