Mandiant and Google GTIG report zero-day exploitation of CVE-2026-22769 (CVSS 10.0) in Dell RecoverPoint by suspected PRC-nexus threat actor UNC6201 since mid-2024, enabling deployment of SLAYSTYLE, BRICKSTORM, and novel GRIMBOLT malware. The report includes technical analysis of exploitation methods, persistence mechanisms via convert_hosts.sh modification, newly observed VMware pivot tactics including Ghost NICs and iptables-based Single Packet Authorization, and comprehensive remediation guidance with IOCs and YARA rules.

Actor reported tensions in Thailand [5 sources]

Actor reported tensions [10 sources]