GRIMBOLT
GRIMBOLT is a foothold/persistent backdoor written in C# that emerged as a newer successor or replacement for BRICKSTORM in UNC6201 intrusions. Multiple sources in the content state that investigators observed older BRICKSTORM binaries being replaced with GRIMBOLT in September 2025. It is compiled with native Ahead-of-Time (AOT) compilation, which strips the .NET/Common Intermediate Language (CIL) metadata that security tools typically scan, and is further packed with UPX, making static analysis and reverse engineering more difficult. Reported capabilities include remote shell access, remote command execution, long-term persistence, and command-and-control communications over WebSocket connections. The malware is also described as using the same command-and-control infrastructure as previously deployed BRICKSTORM payloads; the reported C2 endpoint is wss://149.248.11.71/rest/apisession, with 149.248.11.71 cited as a related IP.
GRIMBOLT is associated in the content with UNC6201, a suspected PRC/China-nexus threat cluster. The malware was deployed alongside SLAYSTYLE and BRICKSTORM during exploitation of Dell RecoverPoint for Virtual Machines zero-day CVE-2026-22769, a hard-coded credential vulnerability in Apache Tomcat Manager that enabled attackers to authenticate, upload malicious WAR files, execute commands as root, and establish persistence. The campaign targeted Dell RecoverPoint for Virtual Machines appliances and, through subsequent pivoting, VMware virtual infrastructure and backup/recovery environments. The content states UNC6201 used the access for lateral movement, persistence, and long-term access, and in some cases directly compromised VMware backup and recovery infrastructure to weaken restoration capability. Persistence related to the broader intrusion included modification of the legitimate convert_hosts.sh script so malware execution occurred at boot via rc.local.
Additional tradecraft observed in the same campaign included use of temporary "Ghost NICs" on ESXi virtual machines for stealthy pivoting into internal and SaaS environments, and iptables-based Single Packet Authorization on compromised vCenter appliances. High-confidence indicators directly mentioned in the content for GRIMBOLT include the WebSocket C2 endpoint wss://149.248.11.71/rest/apisession, IP 149.248.11.71, and sample hashes including 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c and dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591.
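The indicators and persistence mechanism described above translate directly into hunt logic. The following is an added example, not code from the page or from Mandiant/GTIG: it checks constructed egress log lines for the reported C2 IP and WebSocket endpoint, matches observed SHA-256 values against the two sample hashes, and reports lines added to a convert_hosts.sh-style boot script relative to a known-good baseline (the real script's content is not on the page, so the baseline and the log format are assumptions).

```python
"""Hunting helpers for the GRIMBOLT indicators quoted on this page (added example)."""
import re

# Indicators as reported on the page.
GRIMBOLT_C2_IP = "149.248.11.71"
GRIMBOLT_C2_URL = "wss://149.248.11.71/rest/apisession"
GRIMBOLT_SHA256 = {
    "24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c",
    "dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591",
}

# Constructed sample egress log (not real telemetry); the key=value format is assumed.
SAMPLE_EGRESS_LOG = """\
2025-09-12T03:14:07Z src=10.20.5.17 dst=149.248.11.71 dport=443 proto=tcp action=allow
2025-09-12T03:14:08Z src=10.20.5.17 url=wss://149.248.11.71/rest/apisession action=allow
2025-09-12T03:15:01Z src=10.20.5.40 dst=203.0.113.9 dport=443 proto=tcp action=allow
2025-09-12T03:16:22Z src=10.20.5.17 dst=149.248.11.71 dport=443 proto=tcp action=allow
"""


def find_c2_hits(log_text):
    """Return (line_number, src) for every line that references the GRIMBOLT C2 IP or URL.

    The URL check catches proxy logs that record the WebSocket target; the IP check
    catches plain connection logs that only record the destination address.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if GRIMBOLT_C2_IP in line or GRIMBOLT_C2_URL in line:
            m = re.search(r"\bsrc=(\S+)", line)
            hits.append((n, m.group(1) if m else None))
    return hits


def match_known_hashes(observed_sha256):
    """Intersect observed SHA-256 values (any case) with the GRIMBOLT sample hashes."""
    return {h.lower() for h in observed_sha256} & GRIMBOLT_SHA256


# Assumed baseline of the appliance's convert_hosts.sh; the genuine content is not on the page.
BASELINE_CONVERT_HOSTS = """\
#!/bin/bash
# rebuild /etc/hosts at boot (assumed content)
/usr/local/bin/convert_hosts --update /etc/hosts
"""

# Constructed tampered copy: one appended line that launches an unexpected binary.
TAMPERED_CONVERT_HOSTS = BASELINE_CONVERT_HOSTS + "/tmp/.cache/svc &\n"


def script_additions(baseline, current):
    """Return non-comment lines present in `current` but absent from `baseline`.

    convert_hosts.sh is run at boot via rc.local, so every line added to it executes
    as root on each start; the additions are exactly what a responder needs to review.
    """
    known = set(baseline.splitlines())
    return [
        line for line in current.splitlines()
        if line not in known and line.strip() and not line.lstrip().startswith("#")
    ]


if __name__ == "__main__":
    for n, src in find_c2_hits(SAMPLE_EGRESS_LOG):
        print(f"C2 contact on log line {n} from {src}")
    for line in script_additions(BASELINE_CONVERT_HOSTS, TAMPERED_CONVERT_HOSTS):
        print(f"unexpected boot-script line: {line!r}")
```

In practice the baseline would come from a clean appliance image or a previously recorded hash of the script, and the log text from your proxy or firewall export; the functions are pure so they drop into a scheduled job or a SIEM enrichment step without changes.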
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
GRIMBOLT is a C#-written foothold backdoor compiled using native ahead-of-time (AOT) compilation and packed with UPX. It provides a remote shell capability and uses the same command and control as the previously deployed BRICKSTORM payload.
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
By September, however, the attackers had replaced Brickstorm with Grimbolt, a more advanced malware that’s harder to detect... replacing older Brickstorm binaries with the new backdoor that’s more difficult to reverse engineer.
"Carmakal said they observed the hackers using a novel backdoor they named GRIMBOLT."
GTIG said the bug, tracked as CVE-2026-22769, was used to deploy a newer version of the Brickstorm backdoor malware that GTIG now calls Grimbolt and uses “ghost NICs” on virtual machines to avoid defenders.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
An unauthenticated remote attacker who leverages the hardcoded credential can gain root-level access and establish persistent control
Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769... UNC6201... has exploited this flaw since at least mid-2024
Execution
2 techniques
Persistence
8 techniques
UNC6201 established BRICKSTORM and GRIMBOLT persistence on the Dell RecoverPoint for Virtual Machines by modifying a legitimate shell script named convert_hosts.sh to include the path to the backdoor. This shell script is executed by the appliance at boot time via rc.local.
the bug, tracked as CVE-2026-22769, was used to deploy a newer version of the Brickstorm backdoor malware that GTIG now calls Grimbolt
UNC6201 (suspected China-nexus) exploited CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT, a C#-based backdoor with native AOT compilation to complicate detection.
execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT
Privilege Escalation
6 techniques
Stealth
3 techniques
GRIMBOLT is written in C# and compiled using Native Ahead-of-Time (AOT) compilation... removing Common Intermediate Language (CIL) metadata that security tools typically scan. The malware is further packed with UPX to complicate static analysis.
Defense Impairment
1 technique
Credential Access
1 technique
Discovery
1 technique
Lateral Movement
4 techniques
these two additional IP addresses both had the same 3389 (RDP) port open as well
Command and Control
7 techniques
"they noticed the systems were communicating with hacker-controlled command and control servers associated with BRICKSTORM and GRIMBOLT backdoors"
"GRIMBOLT established WebSocket-based C2 communications: 149.248.11.71 wss://149.248.11.71/rest/apisession"
The attackers employ a stealthy traffic management technique known as Single Packet Authorization (SPA) using iptables... When this magic packet is detected, the source IP address is added to an allowlist.
deploy additional malware to a Synology Network Attached Storage (NAS) appliance
GRIMBOLT... provides a remote shell capability and uses the same command and control as previously deployed BRICKSTORM payload.
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
31 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A C#-based backdoor with native AOT compilation used by UNC6201 to complicate detection on compromised Dell RecoverPoint for VMs appliances.
A backdoor deployed after the compromise of VMware backup and recovery infrastructure, used to disable recovery capability and maintain persistent access.
Backdoor deployed against VMware backup and recovery infrastructure to neutralize recovery systems after exploitation of Dell RecoverPoint for Virtual Machines.
Novel backdoor used in Dell RecoverPoint intrusions to maintain persistent access (further capabilities not described in the content).
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.