Intel Name: From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
Date of Scan: February 18, 2026
Impact: High
Summary: The gap between the start of an intrusion and its public disclosure keeps widening. UNC6201's exploitation of a zero-day in Dell RecoverPoint for Virtual Machines illustrates that risk and the need for detection that does not depend on prior knowledge of the flaw: the group operated undetected for nearly two years, using the vulnerability to reach high-value virtual infrastructure. For business leaders this is more than a technical issue. It shows that attackers now target the very systems built to protect backups and disaster recovery environments.
UNC6201 is a highly capable threat cluster tracked by security researchers and assessed, with moderate confidence, to have possible state backing. Its patience should concern every CISO. The group's objective is long-term espionage and sustained network access, not a quick ransom payout. It targets network-edge devices and recovery appliances, which lets it bypass standard security tooling: most agents run on user laptops and ordinary servers, leaving these appliances as a gap in which attackers can hide.
The group plays a very long game. In observed cases it maintained access for extended periods, in some instances well beyond several months, before detection and without triggering any alarms. Its approach relies on hidden backdoors placed on appliances where conventional endpoint security software cannot run. This "blind spot" strategy is highly effective: from that position the operators can read internal communications, move through the data center freely, and exfiltrate data whenever they choose.
Compromising a platform like Dell RecoverPoint for Virtual Machines is more than compromising a single server: it is taking over the safety net of the entire company. These systems manage backups and restore the whole VMware environment after an outage. An attacker with full root access here can exfiltrate the company's intellectual property or halt the business outright.
An attacker with this access can also tamper with the backup data itself, so a restore intended to evict them may simply reinstall their foothold. Recovery tools hold a great deal of trust in the network because their job requires it, which makes them an ideal pivot point for moving deeper into the environment. Such attacks blind the company precisely during a crisis, so a contained incident can escalate into a business-wide disaster.
How did UNC6201 get in? Think of a master key hidden under a mat that only the repair crew knows about. The flaw, tracked as CVE-2026-22769 and documented in vendor security advisories, is a hardcoded administrative credential embedded in the software: a built-in "master key." The attackers found it and used it to walk straight in. At the time of reporting, exploitation had been confirmed by incident investigations rather than by public proof-of-concept releases.
Once inside, the operators moved from the BRICKSTORM backdoor to a new implant, GRIMBOLT, a significant step up in tradecraft. BRICKSTORM provided the initial foothold; GRIMBOLT is built for stealth and is obfuscated so that security tools struggle to analyze it. Persistence was achieved by modifying small system startup scripts so that the backdoor relaunches every time the appliance boots. The technique abuses the trust placed in the appliance's own tooling, turning the organization's defenses against it.
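As an added illustration (not code from this page, from Gurucul, or from Dell) of how a defender can catch the startup-script persistence described above, the following Python script baselines a set of boot-time scripts by SHA-256, re-audits them against that baseline, and flags launch lines that point at world-writable directories or fetch payloads. The watched paths, the recover-agent script name and the appended launcher line are all hypothetical; demo() builds a throwaway directory tree rather than touching a real appliance.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical list of boot-time scripts to watch; a real appliance's paths differ.
WATCHED = ["etc/rc.local", "etc/init.d/recover-agent", "etc/profile.d/zz-env.sh"]

# Heuristic: startup lines that launch from world-writable dirs or download something.
SUSPICIOUS = re.compile(r"/tmp/|/var/tmp/|/dev/shm/|\b(?:curl|wget)\b")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watched=WATCHED) -> dict:
    """Hash every watched script that exists. Take this from a known-good image, not a live box."""
    return {rel: sha256_file(root / rel) for rel in watched if (root / rel).is_file()}


def suspicious_lines(path: Path) -> list:
    """Non-comment lines in a script that match the SUSPICIOUS heuristic."""
    return [ln.strip() for ln in path.read_text().splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and SUSPICIOUS.search(ln)]


def audit(root: Path, baseline: dict, watched=WATCHED) -> dict:
    """Compare current scripts with the baseline and scan every watched script for launch lines."""
    result = {"modified": [], "missing": [], "new": [], "suspicious": {}}
    for rel, known in baseline.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != known:
            result["modified"].append(rel)
    for rel in watched:
        p = root / rel
        if rel not in baseline and p.is_file():
            result["new"].append(rel)
        if p.is_file():
            hits = suspicious_lines(p)
            if hits:
                result["suspicious"][rel] = hits
    return result


def demo() -> dict:
    """Build a throwaway fake root, baseline it, then simulate the kind of edit the text describes."""
    root = Path(tempfile.mkdtemp())
    (root / "etc/init.d").mkdir(parents=True)
    (root / "etc/profile.d").mkdir(parents=True)
    (root / "etc/rc.local").write_text("#!/bin/sh\nlogger boot-complete\n")
    (root / "etc/init.d/recover-agent").write_text("#!/bin/sh\n/opt/agent/run\n")
    baseline = build_baseline(root)
    # Constructed attacker edit (not a real indicator): a launcher line appended to
    # rc.local and a new login-time script dropped into profile.d.
    with (root / "etc/rc.local").open("a") as f:
        f.write("/var/tmp/.cache/x &\n")
    (root / "etc/profile.d/zz-env.sh").write_text("export PATH=/var/tmp/.cache:$PATH\n")
    return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline manifest must be produced from a known-good image and stored off the appliance: an operator with root on the box, which is exactly what a hardcoded administrative credential grants, can rewrite a locally stored manifest as easily as the scripts it covers.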
Signature-based tools look for known-bad files and routinely fail against zero-day exploitation and custom implants like GRIMBOLT. Gurucul takes a different path. Rather than asking what a file is, we look at what the system is doing. Our approach uses identity-centric analytics to watch the core of your virtual infrastructure for anomalous behavior.
The Gurucul platform uses machine learning to learn what normal activity looks like on your recovery tools. When UNC6201 authenticates with the built-in credential, Gurucul scores it as a major risk without waiting for a signature match: the engine flags the unauthorized privilege change and the unusual network beacons that backdoors emit.
Gurucul gives you deep visibility into your VMware and recovery tooling, with our Next-Gen SIEM and UEBA working together to support your team.
Because Gurucul focuses on how your infrastructure behaves, it is far more likely to detect misuse even when attackers hold valid credentials. If they act abnormally inside your environment, we see it and respond quickly.
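To make the identity-centric detection concrete, here is an added example (not Gurucul's code, and not derived from real appliance logs) that scores accepted SSH logins over a handful of constructed log lines in OpenSSH's "Accepted ... for ... from ..." format. The policy assumes a hypothetical built-in maintenance account named svc_maint that is only expected from an assumed vendor-support jump subnet (10.0.5.0/24) during an assumed change window; it also learns which source addresses each account has been seen from, so a first-seen source raises the score. The same check covers the hardcoded-credential entry described earlier on this page: authentication as the built-in account from an unexpected source is the event to alert on.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample log lines in OpenSSH "Accepted" format; not real appliance logs.
SAMPLE_LOG = """\
2026-01-14T09:02:11Z rp-vrpa1 sshd[1201]: Accepted password for svc_maint from 10.0.5.14 port 51234 ssh2
2026-01-14T09:40:03Z rp-vrpa1 sshd[1337]: Accepted publickey for ops.jane from 10.0.5.22 port 50112 ssh2
2026-01-15T02:13:07Z rp-vrpa1 sshd[2210]: Accepted password for svc_maint from 172.16.40.9 port 43121 ssh2
2026-01-15T02:14:50Z rp-vrpa1 sshd[2215]: Accepted password for svc_maint from 172.16.40.9 port 43130 ssh2
2026-01-16T10:05:19Z rp-vrpa1 sshd[3102]: Accepted publickey for ops.jane from 10.0.5.22 port 50880 ssh2
"""

# Hypothetical policy: the built-in maintenance account (name assumed) may only
# authenticate from the vendor-support jump subnet, and only during the change window.
BUILTIN_ACCOUNTS = {"svc_maint"}
ALLOWED_SOURCES = {"svc_maint": [ipaddress.ip_network("10.0.5.0/24")]}
CHANGE_WINDOW_UTC = (8, 18)  # 08:00-18:00 UTC, assumed

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_line(line: str):
    """Parse one accepted-login line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def score_event(ev: dict, seen: dict):
    """Return (score, reasons) for one login; `seen` is the learned account -> sources baseline."""
    score, reasons = 0, []
    known = seen.setdefault(ev["user"], set())
    if ev["src"] not in known:
        score += 20
        reasons.append("first time this source has authenticated as this account")
        known.add(ev["src"])
    if ev["user"] not in BUILTIN_ACCOUNTS:
        return score, reasons
    if not any(ev["src"] in net for net in ALLOWED_SOURCES.get(ev["user"], [])):
        score += 60
        reasons.append(f"built-in account {ev['user']} used from non-allowlisted source {ev['src']}")
    start, end = CHANGE_WINDOW_UTC
    if not (start <= ev["ts"].hour < end):
        score += 30
        reasons.append("login outside change window")
    if ev["method"] == "password":
        score += 10
        reasons.append("password auth on a built-in account (static credential in use)")
    return score, reasons


def detect(log_text: str, threshold: int = 70) -> list:
    """Score every accepted login in order and return the ones at or above the threshold."""
    seen, findings = {}, []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        score, reasons = score_event(ev, seen)
        if score >= threshold:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "src": str(ev["src"]), "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["ts"], f["user"], f["src"], f["score"], "; ".join(f["reasons"]))
```

Only the two off-hours logins from the unexpected address cross the threshold; the daytime login from the jump subnet scores low even though it uses the same static password, which is the point: the credential is legitimate, so the source, timing and history of the identity are what separate maintenance from intrusion.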
For more technical details and a full list of indicators of compromise, visit the Gurucul Community threat research repository.