Google previously detailed UNC5221’s use of the BrickStorm malware. In a September 2025 report the company noted that the threat group may have used some of the stolen information to identify zero-day vulnerabilities in enterprise technologies. It’s unclear if CVE-2026-22769 may be one of those zero-days.

In its new report, Google revealed that the newly documented group, UNC6201, had also used the BrickStorm malware, but in September 2025 it started replacing it with a new piece of malware named GrimBolt.

GrimBolt is a backdoor developed in C# that is compiled using native ahead-of-time (AOT) compilation and packed with UPX, which makes it more difficult to analyze. The malware provides remote shell capabilities.

“It’s unclear if the threat actor’s replacement of BrickStorm with GrimBolt was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response efforts led by Mandiant and other industry partners,” GTIG and Mandiant said.

Both GrimBolt and BrickStorm were deployed on systems running Dell RecoverPoint for Virtual Machines. The initial access method has yet to be confirmed, but one likely vector is edge appliances.

Google researchers also discovered that UNC6201 created ‘ghost NICs’ on VMs. After carrying out their malicious activities, the threat actors deleted the NICs, making the attack stealthier and more difficult to investigate.

Mandiant CTO Charles Carmakal noted in a LinkedIn post that “nation-state threat actors continue targeting systems that don’t commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times.”

GTIG and Mandiant have made available indicators of compromise (IoCs) to help defenders detect potential attacks.
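One defender-side check suggested by the ‘ghost NIC’ technique is to hunt a VM reconfiguration audit trail for virtual NICs that were added and then removed again within a short window. The script below is an added example, not code from the article or from Google’s report; the event records and their simplified `timestamp vm=… action=… nic=…` schema are constructed for illustration and do not mirror any hypervisor’s real event format.

```python
"""Flag short-lived virtual NICs in a VM reconfiguration audit trail.

Added example (not from the SecurityWeek article or Google's report).
The schema below is a constructed simplification; map your own
vCenter or hypervisor audit events onto it before use.
"""
from datetime import datetime, timedelta

# Constructed sample audit trail: one VM gets a NIC added and removed
# again within about 40 minutes, another gets a NIC that persists.
SAMPLE_EVENTS = """\
2025-09-14T02:11:05Z vm=appliance-vm01 action=nic_added nic=ethernet2
2025-09-14T02:48:39Z vm=appliance-vm01 action=nic_removed nic=ethernet2
2025-09-14T09:00:00Z vm=web-frontend-03 action=nic_added nic=ethernet1
"""


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_short_lived_nics(events, max_lifetime=timedelta(hours=24)):
    """Return (vm, nic, lifetime) for NICs removed within max_lifetime of being added."""
    added = {}          # (vm, nic) -> time the NIC was attached
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["vm"], ev["nic"])
        if ev["action"] == "nic_added":
            added[key] = ev["ts"]
        elif ev["action"] == "nic_removed" and key in added:
            lifetime = ev["ts"] - added.pop(key)
            if lifetime <= max_lifetime:
                findings.append((ev["vm"], ev["nic"], lifetime))
    return findings


if __name__ == "__main__":
    for vm, nic, life in find_short_lived_nics(parse_events(SAMPLE_EVENTS)):
        print(f"short-lived NIC {nic} on {vm}: removed after {life}")
```

A persistent NIC (the second VM) is never reported; only add/remove pairs inside the window are, so a genuine maintenance change that lasts days is filtered out while a NIC that existed for under an hour is surfaced for review.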
Source: SecurityWeek