Grimbolt Zero-Day Hits Dell Backups: Hackers Just Unlocked Your Disaster Recovery Nightmare
Mandiant just dropped a bombshell: threat actors from UNC6201 are actively exploiting a zero-day in Dell RecoverPoint for Virtual Machines, dubbed Grimbolt malware, to burrow deep into backup systems. This isn’t some theoretical risk—it’s live attacks using hard-coded credentials for unauthenticated access and persistent backdoors, evolving from the infamous Brickstorm campaign.
Here’s the gritty details: the vuln is CVE-2026-22769, found in Dell’s RecoverPoint for VMs. Mandiant spotted it during investigations of victim environments with active C2 tied to Brickstorm and Grimbolt. Attackers are pivoting via new temp network ports on ESXi servers, hitting internal networks and even SaaS apps. CISA updated its Brickstorm report last week with fresh YARA rules for a .NET Native variant that’s stealthier than ever. Google Threat Intelligence backs this, linking it to defense sector hits amid global tensions.
For developers, this screams check your backups now. If you’re on Dell RecoverPoint or VMware infra, hard-coded creds are a ticking bomb—assume compromise. It means attackers can wipe or encrypt your disaster recovery, turning “restore from backup” into a joke during ransomware hell. Pivot tactics show they’re not stopping at one box; your whole stack’s exposed if backups are the weak link.
Patch fast, ditch hard-cods, and audit those VM ports. This zero-day proves backups aren’t sacred—treat ’em like front-line battlegrounds or watch your DR go poof.
