From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day

    Date: 02/18/2026

    Severity: High

    Summary

    During analysis of compromised Dell RecoverPoint for Virtual Machines systems, BRICKSTORM binaries were identified that were later replaced by GRIMBOLT in September 2025. GRIMBOLT is a C# foothold backdoor built with Native AOT compilation and packed with UPX. It provides remote shell access and uses the same command-and-control infrastructure as BRICKSTORM. It remains unclear whether the swap was a planned evolution by UNC6201 or a response to incident response actions. Native AOT, introduced to .NET in 2022, compiles directly to machine code, which improves performance, embeds the required libraries, and hinders static analysis by removing CIL metadata. UNC6201 maintained persistence by altering the legitimate convert_hosts.sh script, which runs at boot via rc.local, so that it launches the backdoor.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    wss://149.248.11.71/rest/apisession

    IP Address:

    149.248.11.71

    Hash:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "wss://149.248.11.71/rest/apisession" or url like "wss://149.248.11.71/rest/apisession" or siteurl like "wss://149.248.11.71/rest/apisession"

    Detection Query 2:

    dstipaddress IN ("149.248.11.71") or srcipaddress IN ("149.248.11.71")

    Detection Query 3:

    sha256hash IN ("320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759","2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df","90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035","aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878","92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a","24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c","dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591","45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830")
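    The three queries above, as a stand-alone Python matcher run over constructed sample events (an added example, not Gurucul's or the advisory's own code); the field names follow the queries, the indicator values come from this advisory, and the host names and sample events are made up.

```python
import json
# Indicators taken from the advisory above (C2 endpoint and sample hashes).
C2_URL = "wss://149.248.11.71/rest/apisession"
C2_IP = "149.248.11.71"
IOC_SHA256 = {
    "24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c",
    "dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591",
    "92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a",
    "aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878",
    "2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df",
    "320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759",
    "90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035",
    "45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830",
}

def match_event(event: dict) -> list[str]:
    """Return the names of the advisory's queries (1-3) that one event satisfies."""
    hits = []
    # Query 1: any URL-style field carrying the C2 WebSocket endpoint.
    if any(C2_URL in str(event.get(f, "")) for f in ("domainname", "url", "siteurl")):
        hits.append("query1_c2_url")
    # Query 2: the C2 address on either side of a connection.
    if C2_IP in (event.get("srcipaddress"), event.get("dstipaddress")):
        hits.append("query2_c2_ip")
    # Query 3: hash of a known BRICKSTORM/GRIMBOLT sample, lowercased first
    # because sensors differ in case and a verbatim match would miss uppercase.
    if str(event.get("sha256hash", "")).lower() in IOC_SHA256:
        hits.append("query3_sha256")
    return hits

def scan(lines) -> list[tuple[int, str, list[str]]]:
    """Run match_event over JSON lines; return (line no, host, hits) per alert."""
    alerts = []
    for n, line in enumerate(lines, 1):
        if line.strip():
            event = json.loads(line)
            hits = match_event(event)
            if hits:
                alerts.append((n, event.get("host", "?"), hits))
    return alerts

# Constructed sample telemetry (not real data): one C2 session, one benign
# internal API call, one IOC file hash in uppercase, one benign file hash.
SAMPLE_LOG = """\
{"host": "rp-vm01", "srcipaddress": "10.0.5.21", "dstipaddress": "149.248.11.71", "url": "wss://149.248.11.71/rest/apisession"}
{"host": "rp-vm01", "srcipaddress": "10.0.5.21", "dstipaddress": "10.0.5.1", "url": "https://10.0.5.1/rest/apisession"}
{"host": "rp-vm02", "sha256hash": "320A0B5D4900697E125CEBB5FF03DEE7368F8F087DB1C1570B0B62F5A986D759"}
{"host": "rp-vm02", "sha256hash": "0000000000000000000000000000000000000000000000000000000000000000"}
"""
```

Running `scan(SAMPLE_LOG.splitlines())` flags the first event on queries 1 and 2 and the third on query 3; the hash normalisation is the one place this matcher is deliberately broader than the verbatim query.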

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day


    Tags: Malware, BRICKSTORM, Backdoor, Zero-day
