Malware family. Used by 4 actors. Linked to 1 CVE.

SLAYSTYLE

SLAYSTYLE is a web shell targeting Apache Tomcat servers, implemented as a Java Servlet Filter. In observed intrusions it was deployed as a malicious WAR file through the Apache Tomcat Manager /manager/text/deploy endpoint after the attackers authenticated with the hard-coded default admin credentials present on Dell RecoverPoint for Virtual Machines appliances affected by CVE-2026-22769. Multiple reports state that a successful deployment gave the attackers root-level command execution on the appliance.

Mandiant and Google Threat Intelligence Group attribute the activity to UNC6201, a suspected PRC-nexus cluster that has exploited the vulnerability since at least mid-2024 for lateral movement, persistence and follow-on malware deployment. SLAYSTYLE was observed alongside BRICKSTORM and the newer GRIMBOLT backdoor. On compromised VMware vCenter appliances it was also used to run iptables commands implementing Single Packet Authorization: monitor inbound traffic on port 443 for a specific hex string, temporarily allowlist the source IP that sent it, and redirect that source's subsequent port-443 traffic to port 10443.

High-confidence forensic artifacts named in the reporting include requests to /manager authenticated as the user admin; WAR deployment activity such as PUT /manager/text/deploy?path=/slaystyle&update=true; Tomcat deployment artifacts under /var/lib/tomcat9 and /var/cache/tomcat9/Catalina (on the Debian tomcat9 package layout these are CATALINA_BASE and the work directory where Jasper writes compiled JSPs); logs under /var/log/tomcat9/ and /home/kos/auditlog/fapi_cl_audit_log.log; and the SLAYSTYLE-related file default_jsp.java (SHA-256 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a), which is the name Jasper gives to the generated Java source of a JSP called default.jsp. Detection content referenced in the source material includes the YARA rule G_APT_BackdoorWebshell_SLAYSTYLE_4.
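A practical way to use the artifacts listed above is to sweep the Tomcat access logs for them. The following is an added example, not code from this page, Dell or Mandiant: it parses lines in Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b) and flags Manager requests authenticated as admin and WAR deployments via /manager/text/deploy or the HTML manager's upload form. It assumes the appliance keeps Tomcat's default access-log format, which the reporting does not confirm; the log lines in the block are constructed, not recovered from an incident.

```python
"""Hunt Tomcat Manager deployment abuse in access logs.

Added example, not from the Mallory page or Mandiant reporting. It parses
Tomcat's default access-log pattern ("%h %l %u %t \"%r\" %s %b") and flags
requests matching the artifacts the reporting describes: Manager requests
authenticated as "admin" and WAR deployments through /manager/text/deploy or
the HTML manager's upload form. SAMPLE_LOG below is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Tomcat default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Deployment endpoints of the Tomcat Manager application.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the reasons this record is suspicious (empty list if none)."""
    reasons = []
    if not rec or not rec["path"].startswith("/manager"):
        return reasons
    # Any Manager use by the hard-coded 'admin' account is an artifact the
    # reporting treats as high-confidence on these appliances.
    if rec["user"] == "admin":
        reasons.append("manager request as admin")
    if rec["method"] in ("PUT", "POST") and rec["path"].startswith(DEPLOY_PATHS):
        ctx = rec["query"].get("path", ["<none>"])[0]
        reasons.append(f"WAR deployment to context {ctx}")
        if rec["query"].get("update", [""])[0] == "true":
            reasons.append("update=true (overwrites an existing context)")
    return reasons


def hunt(lines):
    """Return (host, method, target, status, reasons) for every flagged line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            findings.append((rec["host"], rec["method"], rec["target"],
                             rec["status"], reasons))
    return findings


# Constructed sample log: two benign lines and two matching the reporting.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2026:09:14:02 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 5120
203.0.113.7 - admin [11/Feb/2026:09:14:10 +0000] "GET /manager/text/list HTTP/1.1" 200 312
203.0.113.7 - admin [11/Feb/2026:09:14:13 +0000] "PUT /manager/text/deploy?path=/slaystyle&update=true HTTP/1.1" 200 56
10.0.0.5 - - [11/Feb/2026:09:15:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for host, method, target, status, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(f"{host} {method} {target} -> {status}: {'; '.join(reasons)}")
```

Point hunt() at the access-log files under /var/log/tomcat9/ (Tomcat names them localhost_access_log.<date>.txt by default). The classifier keys on path and method as well as on the user, so a deploy attempt under an account other than admin is still flagged.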


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories.

CVE-2026-22769: Hardcoded Tomcat Manager Credentials in Dell RecoverPoint for Virtual Machines (exploited in the wild)

These requests were directed to the installed Apache Tomcat Manager, used to deploy various components of the Dell RecoverPoint software, and resulted in the deployment of a malicious WAR file containing a SLAYSTYLE web shell.

via Mandiant Threat Intelligence (cloud.google.com)
THREAT ACTORS

Groups observed using it

4 distinct threat actors attributed by public researchers.
UNC6201

These requests were directed to the installed Apache Tomcat Manager, used to deploy various components of the Dell RecoverPoint software, and resulted in the deployment of a malicious WAR file containing a SLAYSTYLE web shell.

via Mandiant Threat Intelligence (cloud.google.com)
UNC5221, WARP PANDA, VerdantBamboo

The same passage is cited for all three: "SLAYSTYLE is a web shell targeting Apache Tomcat servers, implemented as a Java Servlet Filter." Note that the cited sentence describes the malware and does not itself name any actor; the attribution rests on the rest of the source article.

via thecybersecguru (thecybersecguru.com)
MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1078 Valid Accounts (evidence: 5)

After analyzing various configuration files belonging to Tomcat Manager, we identified a set of hard-coded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager

T1190 Exploit Public-Facing Application (evidence: 6)

Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769... UNC6201... has exploited this flaw since at least mid-2024

Execution

4 techniques
T1059 Command and Scripting Interpreter (evidence: 4)

An analysis of the compromised VMware vCenter appliances has also uncovered iptable commands executed by means of the web shell...

T1059.004 Unix Shell (evidence: 3)

Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager, upload a malicious WAR file using the /manager/text/deploy endpoint, and then execute commands as root on the appliance.

T1059.008 Network Device CLI (evidence: 1)

An analysis of the compromised VMware vCenter appliances has also uncovered iptable commands executed by means of the web shell

Note on the mapping: iptables invoked from a web shell on a Linux appliance is more precisely Unix Shell (T1059.004, above). Network Device CLI covers the command interpreters of network equipment such as routers and switches.

T1610 Deploy Container (evidence: 3)

Using these credentials, attackers could authenticate to the Tomcat Manager interface and deploy malicious WAR files via the /manager/text/deploy endpoint. In observed cases, this resulted in the installation of a SLAYSTYLE web shell.

Note on the mapping: T1610 covers deploying containers (Docker or Kubernetes workloads, for example). Deploying a WAR into Tomcat is the behaviour captured by Server Software Component: Web Shell (T1505.003) below.

Persistence

3 techniques
T1078 Valid Accounts (evidence: 5)

Same evidence as under Initial Access above.

T1505 Server Software Component (evidence: 3)

Rather than being an uploaded PHP file or a dropped binary, a Servlet Filter is a Java class registered directly in the Tomcat application context.

T1505.003 Web Shell (evidence: 15)

These requests were directed to the installed Apache Tomcat Manager... and resulted in the deployment of a malicious WAR file containing a SLAYSTYLE web shell.
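The Servlet Filter point above matters for triage: a filter is declared in the application's descriptor and runs in front of every request to its URL pattern, so there is no separate shell file sitting in the web root. The block below is an added example, not code from this page or from the SLAYSTYLE sample. It opens a WAR (or, via scan_webapps, every .war in a Tomcat webapps directory) and lists each filter declared in WEB-INF/web.xml with its URL patterns and whether the named class is actually present under WEB-INF/classes. The WAR it builds is constructed for the demo and the filter and class names in it are invented; the default /var/lib/tomcat9/webapps path is the Debian tomcat9 layout, consistent with the paths in the reporting but not confirmed for the appliance.

```python
"""Triage deployed Tomcat WARs for Servlet Filter registrations.

Added example, not code from the Mallory page or from the SLAYSTYLE sample.
A Servlet Filter sits in front of every request to its mapped URL pattern,
which makes it a convenient place to hide a web shell. This reads a WAR and
reports every filter declared in WEB-INF/web.xml, its URL patterns and whether
the declared class exists under WEB-INF/classes. build_demo_war() constructs a
WAR for the demo; the names in it (demo, com.example.DemoFilter) are invented.
"""
import io
import os
import xml.etree.ElementTree as ET
import zipfile


def _local(tag):
    """Strip the XML namespace so web.xml parses whatever servlet spec it declares."""
    return tag.rsplit("}", 1)[-1]


def filters_from_web_xml(xml_bytes):
    """Return [{name, class, patterns}] for every <filter> in a web.xml."""
    root = ET.fromstring(xml_bytes)
    classes, patterns = {}, {}
    for el in root:
        kind = _local(el.tag)
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if kind == "filter":
            classes[fields.get("filter-name")] = fields.get("filter-class")
        elif kind == "filter-mapping":
            pats = [(c.text or "").strip() for c in el if _local(c.tag) == "url-pattern"]
            patterns.setdefault(fields.get("filter-name"), []).extend(pats)
    return [{"name": n, "class": cls, "patterns": patterns.get(n, [])}
            for n, cls in classes.items()]


def inspect_war(war_bytes):
    """Return filter findings for a WAR given as bytes."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        names = set(zf.namelist())
        if "WEB-INF/web.xml" not in names:
            return []
        findings = filters_from_web_xml(zf.read("WEB-INF/web.xml"))
    for f in findings:
        cls = f["class"] or ""
        class_path = "WEB-INF/classes/" + cls.replace(".", "/") + ".class"
        f["class_present"] = class_path in names
        # A filter mapped to /* (or the default servlet path) sees every request.
        f["catch_all"] = any(p in ("/*", "/") for p in f["patterns"])
    return findings


def scan_webapps(webapps_dir="/var/lib/tomcat9/webapps"):
    """Inspect every .war in a Tomcat webapps directory (Debian tomcat9 default path)."""
    results = {}
    for entry in sorted(os.listdir(webapps_dir)):
        if entry.endswith(".war"):
            with open(os.path.join(webapps_dir, entry), "rb") as fh:
                results[entry] = inspect_war(fh.read())
    return results


def build_demo_war():
    """Constructed WAR: one catch-all filter backed by a class under WEB-INF/classes."""
    web_xml = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>demo</filter-name>
    <filter-class>com.example.DemoFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>demo</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", web_xml)
        # Placeholder class file (just the class-file magic), not real bytecode.
        zf.writestr("WEB-INF/classes/com/example/DemoFilter.class", b"\xca\xfe\xba\xbe")
        zf.writestr("index.jsp", b"<html></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_war(build_demo_war()):
        flag = "CATCH-ALL " if f["catch_all"] else ""
        print(f"{flag}filter {f['name']} -> {f['class']} "
              f"patterns={f['patterns']} class_present={f['class_present']}")
```

Filters registered with the @WebFilter annotation or programmatically through ServletContext.addFilter do not appear in web.xml, so an empty result means "nothing declared", not "nothing present": also enumerate the classes under WEB-INF/classes and the jars in WEB-INF/lib and inspect any that implement javax.servlet.Filter or jakarta.servlet.Filter. Check Tomcat's expanded copy under webapps/<context>/ and the compiled JSP sources in the work directory (/var/cache/tomcat9/Catalina in the layout the reporting describes) as well as the WAR itself.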

Privilege Escalation

2 techniques
T1068 Exploitation for Privilege Escalation (evidence: 1)

"executing commands as root"

Note on the mapping: the cited evidence describes the web shell running as root immediately after deployment, which implies the Tomcat service on the appliance itself runs as root. The reporting describes no separate privilege-escalation exploit.

T1078 Valid Accounts (evidence: 5)

Same evidence as under Initial Access above.

Defense Evasion

1 technique

T1078 Valid Accounts (evidence: 5)

Same evidence as under Initial Access above.

Lateral Movement

1 technique
T1570 Lateral Tool Transfer (evidence: 2)

The attackers have utilized this flaw to move laterally across networks, maintain persistent access, and deploy a suite of sophisticated malware...

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 1)

Communicates with its C2 infrastructure over WebSockets, with some variants using DNS-over-HTTPS (DoH) to obscure C2 lookups from standard DNS monitoring

Note on the evidence: WebSocket C2 with DNS-over-HTTPS lookups matches public descriptions of the BRICKSTORM backdoor that the reporting says was deployed alongside SLAYSTYLE, not the web shell itself, which is reached through ordinary HTTP(S) requests to the Tomcat instance it is deployed on.

T1090 Proxy (evidence: 3)

These iptable commands were used for Single Packet Authorization... any traffic to port 443 is silently redirected to port 10443 if the IP is on the approved list

T1105 Ingress Tool Transfer (evidence: 1)

suspected China-nexus threat cluster UNC6201 has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including Slaystyle, Brickstorm, and a novel backdoor tracked as Grimbolt.

Defense Evasion (continued)

2 techniques

T1562 Impair Defenses (evidence: 1)

...uncovered iptable commands executed by means of the web shell to perform the following set of actions - Monitor incoming traffic on port 443 for a specific HEX string... Silently redirect subsequent traffic to port 443 to port 10443 for the next 300 seconds...

T1562.004 Disable or Modify System Firewall (evidence: 1)

"...used a deployed SLAYSTYLE web shell to execute iptables rules enabling Single Packet Authorization... monitored incoming traffic on port 443 for a specific hexadecimal string... traffic ... silently redirected to port 10443..."
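The Single Packet Authorization mechanism in the two entries above has a recognisable shape in the host firewall configuration, which makes it auditable. The block below is an added example, not code from this page or the reporting: it parses iptables-save output and pairs any rule that matches a string or hex string on a port and adds the source address to a "recent" list with any rule that redirects sources on that list to another port for a limited time. The rule set embedded in it is a constructed reconstruction of the behaviour described (knock on 443 by hex string, 300-second window, redirect to 10443); the magic value and the list name are invented, and the attackers' actual rules are not published on this page.

```python
"""Audit iptables-save output for SPA-style port-knock chains.

Added example, not from the Mallory page or Mandiant reporting. It looks for
the pattern the reporting describes: a string/hex-string match on a port that
adds the source to an iptables 'recent' list, plus a rule that redirects
sources on that list to another port for a limited number of seconds.
SAMPLE_DUMP is a constructed reconstruction of that behaviour for testing the
parser; the hex value and list name in it are invented.
"""
import shlex


def has_match(tokens, name):
    """True if the rule loads the given match extension (-m <name>)."""
    return any(a == "-m" and b == name for a, b in zip(tokens, tokens[1:]))


def opt(tokens, flag, default=None):
    """Value following a flag, or default if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else default


def parse_rules(dump):
    """Yield (table, chain, tokens) for each -A rule in iptables-save output."""
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)  # honours the quoted "|hex|" pattern
            yield table, tokens[1], tokens[2:]


def audit(dump):
    """Pair knock rules (string match + recent --set) with gate rules
    (recent --rcheck/--update + REDIRECT) that share a recent list name."""
    knocks, gates = [], []
    for table, chain, t in parse_rules(dump):
        if has_match(t, "string") and has_match(t, "recent") and "--set" in t:
            knocks.append({
                "table": table, "chain": chain, "dport": opt(t, "--dport"),
                "pattern": opt(t, "--hex-string", opt(t, "--string")),
                "list": opt(t, "--name", "DEFAULT"),
            })
        if has_match(t, "recent") and ("--rcheck" in t or "--update" in t) \
                and opt(t, "-j") == "REDIRECT":
            gates.append({
                "table": table, "chain": chain, "dport": opt(t, "--dport"),
                "seconds": int(opt(t, "--seconds", "0")),  # 0 = no expiry
                "list": opt(t, "--name", "DEFAULT"),
                "to_port": opt(t, "--to-ports"),
            })
    return [
        {"list": k["list"], "knock_port": k["dport"], "pattern": k["pattern"],
         "knock_rule": f"{k['table']}/{k['chain']}",
         "gate_rule": f"{g['table']}/{g['chain']}",
         "redirect_port": g["dport"], "to_port": g["to_port"],
         "window_s": g["seconds"]}
        for k in knocks for g in gates if k["list"] == g["list"]
    ]


# Constructed iptables-save output reconstructing the described SPA behaviour.
# The knock rule sits in filter/INPUT; the gate in nat/PREROUTING redirects a
# listed source's later port-443 traffic to 10443 for 300 seconds.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 300 --name spa --rsource -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m string --hex-string "|4142434445|" --algo bm --to 65535 -m recent --set --name spa --rsource
COMMIT
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f"SPA chain '{f['list']}': knock {f['pattern']} on port {f['knock_port']} "
              f"({f['knock_rule']}) opens redirect {f['redirect_port']} -> {f['to_port']} "
              f"for {f['window_s']}s ({f['gate_rule']})")
```

Feed it the output of iptables-save (and ip6tables-save) collected from the appliance. The knock and gate rules may live in any table, so the pairing is done on the recent list name rather than on chain position. Rules written natively for nftables are not in this format; export those with nft list ruleset and review them separately.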

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Hashes (2 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type: hash.sha256. Value: redacted on the public page. Latest sighting: 20 days ago.
Type: hash.sha256. Value: redacted on the public page. Latest sighting: 20 days ago.

One SHA-256 is given in the open in the summary above: 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a (default_jsp.java).