Origin: 🇨🇳 CN · 4 malware families · Exploits CVEs in the wild

UNC6201

Also known as: UNC6201

UNC6201 is a suspected PRC-nexus threat cluster engaged in cyber espionage. Reporting attributes to it exploitation of CVE-2026-22769, a zero-day in Dell RecoverPoint for Virtual Machines, since at least mid-2024. In these intrusions the actor used the flaw to compromise Dell RecoverPoint appliances, move laterally, maintain persistence, and in some cases pivot into VMware virtual infrastructure.

Malware associated with UNC6201 includes the SLAYSTYLE web shell, the BRICKSTORM backdoor, and GRIMBOLT, a novel C# backdoor built with native ahead-of-time (AOT) compilation and packed with UPX. Mandiant observed a shift in some cases from BRICKSTORM to GRIMBOLT in September 2025, with command-and-control infrastructure shared between the two families.

UNC6201 has also been reported compromising edge devices that cannot run endpoint security products, deploying BRICKSTORM for long-term access, capturing valid credentials from the compromised appliances, and using those credentials to reach victims' VMware environments. Mandiant reported an average dwell time of 393 days across numerous 2025 incidents involving this activity. The actor targets edge and core network devices such as VPNs and routers, which typically lack standard EDR telemetry.

Tradecraft described directly in the reporting:

  • modifying the legitimate convert_hosts.sh script on Dell RecoverPoint appliances so that it provides boot persistence via rc.local;
  • deploying malicious WAR files through Apache Tomcat Manager using hard-coded credentials exposed in tomcat-users.xml;
  • creating temporary "Ghost NICs" on ESXi virtual machines for stealthy pivoting into internal and SaaS environments;
  • using iptables-based Single Packet Authorization (SPA) on compromised vCenter appliances to conceal command-and-control access.
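Three of the host-side artifacts named above (a boot script reached through rc.local, tomcat-users.xml with Manager roles, and a knock-gated iptables ruleset) can be triaged offline from copies pulled off an appliance. The script below is an added example, not code from the reporting or from Mallory. The script path, the known-good hash, and every sample artifact are constructed assumptions; the real RecoverPoint layout and the actor's exact modifications are not reproduced here.

```python
"""Offline triage of three host artifacts named in the UNC6201 reporting:
an rc.local-launched boot script, Tomcat's tomcat-users.xml, and an iptables
ruleset. Every input below is a constructed sample, not data from a real case."""
import hashlib
import re
import xml.etree.ElementTree as ET

# Hypothetical path; the real location on a RecoverPoint appliance is not given here.
CONVERT_HOSTS_PATH = "/usr/local/bin/convert_hosts.sh"

SAMPLE_RC_LOCAL = f"""#!/bin/sh -e
{CONVERT_HOSTS_PATH}
exit 0
"""

# Constructed stand-in for the vendor script with an appended background launcher.
SAMPLE_CONVERT_HOSTS = """#!/bin/bash
# hosts-file maintenance (constructed stand-in for the legitimate logic)
cat /etc/hosts.d/*.conf > /etc/hosts
nohup /var/tmp/.cache/svc >/dev/null 2>&1 &
"""

# Hypothetical known-good digest; in practice record it from a clean appliance.
KNOWN_GOOD_SHA256 = "0" * 64

SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="admin123" roles="manager-gui,manager-script"/>
  <user username="ops" password="f3a1b2c4$1$9e107d9d372bb6826bd81d3542a419d6" roles="tomcat"/>
</tomcat-users>
"""

# Constructed iptables-save output: a trigger packet on UDP/55555 opens SSH for 30 s.
SAMPLE_IPTABLES = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 55555 -m string --string "OPEN" --algo bm -m recent --set --name SPA
-A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 --name SPA -j ACCEPT
COMMIT
"""

# Launcher/download idioms that do not belong in a hosts-file maintenance script.
SUSPICIOUS_SHELL = re.compile(
    r"\bnohup\b|/dev/tcp/|\bcurl\b|\bwget\b|base64\s+(?:-d|--decode)|/var/tmp/|/dev/shm/|&\s*$")
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status", "admin-gui"}
# Tomcat digested credentials look like salt$iterations$hex (or bare hex); anything else is plaintext.
TOMCAT_DIGEST = re.compile(r"^(?:[0-9a-fA-F]*\$\d+\$)?[0-9a-fA-F]{32,128}$")
SPA_MODULES = ("-m recent", "-m string", "--hex-string", "-m u32")


def check_boot_script(rc_local, script_path, script_body, known_good_sha256):
    """Flag a boot script whose content drifted from the known-good digest or that
    contains launcher idioms on non-comment lines; note whether rc.local runs it."""
    launched = any(script_path in line and not line.lstrip().startswith("#")
                   for line in rc_local.splitlines())
    context = "launched at boot via rc.local" if launched else "not referenced by rc.local"
    findings = []
    digest = hashlib.sha256(script_body.encode()).hexdigest()
    if digest != known_good_sha256:
        findings.append(f"{script_path} ({context}): sha256 {digest[:16]}... differs from baseline")
    for lineno, line in enumerate(script_body.splitlines(), 1):
        if not line.lstrip().startswith("#") and SUSPICIOUS_SHELL.search(line):
            findings.append(f"{script_path}:{lineno} ({context}): {line.strip()}")
    return findings


def check_tomcat_users(xml_text):
    """Flag accounts that can deploy WARs through the Manager app and whether their
    password is stored in plaintext rather than as a Tomcat digest."""
    findings = []
    for node in ET.fromstring(xml_text.encode()).iter():
        if node.tag.rsplit("}", 1)[-1] != "user":  # strip the tomcat-users namespace
            continue
        roles = {r.strip() for r in node.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES:
            storage = "digest" if TOMCAT_DIGEST.match(node.get("password", "")) else "plaintext"
            findings.append(f"user '{node.get('username', '?')}' holds "
                            f"{sorted(roles & MANAGER_ROLES)} with {storage} password")
    return findings


def check_iptables(ruleset):
    """Flag INPUT rules using knock/SPA-style matches (recent, string, u32), which
    gate a port on a prior trigger packet rather than on a static source."""
    return [f"INPUT rule uses {[m for m in SPA_MODULES if m in line]}: {line}"
            for line in ruleset.splitlines()
            if line.startswith("-A INPUT") and any(m in line for m in SPA_MODULES)]


def triage():
    """Run all three checks over the constructed samples, keyed by artifact."""
    return {
        "boot_script": check_boot_script(SAMPLE_RC_LOCAL, CONVERT_HOSTS_PATH,
                                         SAMPLE_CONVERT_HOSTS, KNOWN_GOOD_SHA256),
        "tomcat_users": check_tomcat_users(SAMPLE_TOMCAT_USERS),
        "iptables": check_iptables(SAMPLE_IPTABLES),
    }


if __name__ == "__main__":
    for artifact, findings in triage().items():
        print(f"[{artifact}] {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Point the three check functions at real copies of rc.local, the boot script, conf/tomcat-users.xml, and `iptables-save` output from the appliance. The hash comparison is the reliable part; the shell-idiom regex and the plaintext-password heuristic are meant to prioritise review, not to prove compromise. A Manager-role user with a digested password is still a finding if that account was never meant to exist.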
UNC6201 has also been observed using publicly hosted Python scripts to automate premium LLM account registration, CAPTCHA bypass, SMS verification, activation, and immediate cancellation. Google reported the cluster among PRC- and DPRK-linked groups using AI systems for vulnerability research and exploit development. Reporting notes notable overlaps between UNC6201 and UNC5221, the cluster publicly known as Silk Typhoon, but the two are not currently assessed to be the same cluster.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

37 distinct techniques observed across reporting, grouped by tactic.

10 of 15 tactics; 53 technique entries in total, since a technique is listed once under each tactic it appears in. Per-tactic counts are parent techniques; sub-techniques are listed beneath their parent. ×N = number of intelligence reports citing the technique.
TA0001 Initial Access (4 techniques)
  • T1078 Valid Accounts ×8
  • T1078.001 Default Accounts ×2
  • T1133 External Remote Services ×3
  • T1190 Exploit Public-Facing Application ×12
  • T1566 Phishing
  • T1566.003 Spearphishing via Service

TA0002 Execution (2 techniques)
  • T1059 Command and Scripting Interpreter ×4
  • T1059.004 Unix Shell ×3
  • T1059.008 Network Device CLI
  • T1610 Deploy Container ×4

TA0003 Persistence (7 techniques)
  • T1037 Boot or Logon Initialization Scripts ×4
  • T1037.004 RC Scripts
  • T1078 Valid Accounts ×8
  • T1078.001 Default Accounts ×2
  • T1133 External Remote Services ×3
  • T1505 Server Software Component ×2
  • T1505.003 Web Shell ×13
  • T1543 Create or Modify System Process
  • T1543.002 Systemd Service
  • T1546 Event Triggered Execution
  • T1546.004 Unix Shell Configuration Modification ×2
  • T1547 Boot or Logon Autostart Execution
  • T1547.004 Winlogon Helper DLL

TA0004 Privilege Escalation (6 techniques)
  • T1037 Boot or Logon Initialization Scripts ×4
  • T1037.004 RC Scripts
  • T1068 Exploitation for Privilege Escalation ×3
  • T1078 Valid Accounts ×8
  • T1078.001 Default Accounts ×2
  • T1543 Create or Modify System Process
  • T1543.002 Systemd Service
  • T1546 Event Triggered Execution
  • T1546.004 Unix Shell Configuration Modification ×2
  • T1547 Boot or Logon Autostart Execution
  • T1547.004 Winlogon Helper DLL

TA0005 Stealth (3 techniques)
  • T1027 Obfuscated Files or Information ×2
  • T1070 Indicator Removal
  • T1078 Valid Accounts ×8
  • T1078.001 Default Accounts ×2

TA0112 Defense Impairment (1 technique)
  • T1599 Network Boundary Bridging

TA0006 Credential Access (3 techniques)
  • T1040 Network Sniffing
  • T1552 Unsecured Credentials
  • T1555 Credentials from Password Stores

TA0007 Discovery (1 technique)
  • T1040 Network Sniffing

TA0008 Lateral Movement (3 techniques)
  • T1021 Remote Services ×2
  • T1021.001 Remote Desktop Protocol
  • T1210 Exploitation of Remote Services
  • T1570 Lateral Tool Transfer ×3

TA0011 Command and Control (6 techniques)
  • T1090 Proxy ×6
  • T1095 Non-Application Layer Protocol ×2
  • T1105 Ingress Tool Transfer ×2
  • T1219 Remote Access Tools ×4
  • T1572 Protocol Tunneling
  • T1665 Hide Infrastructure
IOCS

Observables

12 indicators (domains, IPs, hashes, and other artifacts pulled from reporting) are attributed to this actor. The IOC values are gated and are not shown on this page.


UNC6201 | Mallory