Mallory
🇨🇳 CN | 3 malware families | Exploits CVEs in the wild

UNC6201

Also known as: UNC6201

UNC6201 is a suspected PRC-nexus threat cluster associated with cyber espionage. Open-source reporting describes notable overlaps with UNC5221, the cluster publicly known as Silk Typhoon, but the two are not currently assessed to be the same cluster.

UNC6201 targets edge and core network devices and other appliances that typically lack standard endpoint security telemetry, including VPNs, routers, Dell RecoverPoint for Virtual Machines appliances, and VMware-related infrastructure. Mandiant investigated numerous 2025 incidents in which UNC6201 compromised edge devices that could not run endpoint security products, deployed the BRICKSTORM backdoor for long-term access, captured valid credentials from the appliance, and used that access to reach the victim's VMware environment. These intrusions went undetected for an average of 393 days.

UNC6201 has also been linked to exploitation of the Dell RecoverPoint for Virtual Machines zero-day CVE-2026-22769 since at least mid-2024. In those incidents the actor authenticated with hard-coded Tomcat Manager credentials and deployed a malicious WAR file through the /manager/text/deploy endpoint, installing the SLAYSTYLE web shell and then dropping BRICKSTORM and the newer GRIMBOLT backdoor. Reported objectives were lateral movement, persistent access, and compromise of VMware backup and recovery infrastructure.

Additional reported tradecraft includes modifying convert_hosts.sh for persistence, creating temporary "Ghost NICs" on ESXi-hosted virtual machines for stealthy pivoting, and using iptables-based Single Packet Authorization (SPA) to conceal command-and-control access: the C2 port stays closed to every source until a specific authorization packet arrives, so ordinary port scans see nothing listening.

The malware and tooling attributed to UNC6201 are BRICKSTORM, SLAYSTYLE, and GRIMBOLT. GRIMBOLT is described as a C# backdoor built with native ahead-of-time (AOT) compilation, in some reporting also packed with UPX, both of which complicate detection and reverse engineering.
Separately, Google observed UNC6201 using AI systems for vulnerability research and exploit development. The actor also used publicly available GitHub Python scripts to automate premium LLM account registration, CAPTCHA bypass, SMS verification, account activation, and immediate cancellation in order to cycle through free credits.
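As an added example (not code from this page, from Mallory, or from any vendor report on UNC6201), the following Python script shows two checks a defender of a Tomcat-backed appliance can run against the WAR-drop path described above: it parses Tomcat access-log lines in the default AccessLogValve format and flags requests to the Manager text interface (/manager/text/deploy and its sibling commands), and it lists every account in tomcat-users.xml that holds a Manager role, which is what a hard-coded credential of the kind described would need. The log lines, the tomcat-users.xml fragment and the account names are constructed for the example; matching the whole text interface rather than only deploy, and the set of Manager roles, are assumptions about standard Tomcat, not reported UNC6201 behaviour.

```python
"""Two defender-side checks for the Tomcat Manager WAR-drop path.

Added example, not code from the page or from any report on UNC6201.
The access-log lines and tomcat-users.xml below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Default Tomcat AccessLogValve pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# /manager/text/deploy is the endpoint named in reporting; matching the
# whole text interface (list, undeploy, reload, ...) is an assumption.
MANAGER_TEXT_PREFIX = "/manager/text/"

# Roles that grant access to the Manager application (standard Tomcat roles).
MANAGER_ROLES = {"manager-script", "manager-gui", "manager-jmx", "manager-status"}

# Constructed sample log: a normal request, a successful WAR deploy with
# valid credentials, a listing, and a failed deploy attempt from another IP.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2025:02:14:07 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - admin [03/Jun/2025:02:15:31 +0000] '
    '"PUT /manager/text/deploy?path=/ROOT&update=true HTTP/1.1" 200 51',
    '203.0.113.7 - admin [03/Jun/2025:02:15:40 +0000] "GET /manager/text/list HTTP/1.1" 200 240',
    '198.51.100.9 - - [03/Jun/2025:02:16:02 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 401 0',
]

# Constructed tomcat-users.xml; the default namespace is what Tomcat ships.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="app-user"/>
  <user username="svcdeploy" password="changeit" roles="manager-script,manager-gui"/>
  <user username="appuser" password="changeit" roles="app-user"/>
</tomcat-users>
"""


def parse_access_line(line):
    """Parse one default-format access log line; None if it does not match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_manager_text_requests(lines):
    """Return parsed requests that hit the Manager text interface.

    Each hit gains 'command' (e.g. 'deploy') and 'succeeded' (HTTP 200).
    """
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]
        if path_only.startswith(MANAGER_TEXT_PREFIX):
            rec["command"] = path_only[len(MANAGER_TEXT_PREFIX):]
            rec["succeeded"] = rec["status"] == 200
            hits.append(rec)
    return hits


def manager_role_accounts(tomcat_users_xml):
    """Map username -> sorted Manager roles for every account holding one."""
    root = ET.fromstring(tomcat_users_xml)
    accounts = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "user":   # strip the XML namespace
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        held = roles & MANAGER_ROLES
        if held:
            accounts[el.get("username")] = sorted(held)
    return accounts


if __name__ == "__main__":
    for hit in find_manager_text_requests(SAMPLE_LOG):
        flag = "DEPLOY-OK" if hit["command"] == "deploy" and hit["succeeded"] else "manager"
        print(f"{flag:10} {hit['host']:15} user={hit['user']} {hit['method']} "
              f"{hit['command']} -> {hit['status']}")
    for name, roles in manager_role_accounts(SAMPLE_TOMCAT_USERS).items():
        print(f"manager-capable account: {name} roles={','.join(roles)}")
```

Run it directly to print both reports; on a real appliance, feed it the localhost_access_log files and conf/tomcat-users.xml instead of the constructed samples. A successful PUT to /manager/text/deploy from a host that is not your deployment pipeline is the signal to chase; repeated 401s against the same path from one source are a credential-guessing attempt. Any account the second check lists is one whose password, if hard-coded or shared, gives an attacker exactly this deployment capability.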

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

38 distinct techniques observed across reporting, grouped by tactic. Counting techniques and sub-techniques separately, and counting a technique once under each tactic it maps to, the list below has 55 entries across 10 of 15 tactics. ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (4 techniques)
  T1078 Valid Accounts ×10
    T1078.001 Default Accounts ×2
  T1133 External Remote Services ×3
  T1190 Exploit Public-Facing Application ×11
  T1566 Phishing
    T1566.003 Spearphishing via Service

TA0002 Execution (2 techniques)
  T1059 Command and Scripting Interpreter ×4
    T1059.004 Unix Shell ×2
    T1059.008 Network Device CLI
  T1610 Deploy Container ×4

TA0003 Persistence (7 techniques)
  T1037 Boot or Logon Initialization Scripts ×3
    T1037.004 RC Scripts
  T1078 Valid Accounts ×10
    T1078.001 Default Accounts ×2
  T1133 External Remote Services ×3
  T1505 Server Software Component ×2
    T1505.003 Web Shell ×12
  T1543 Create or Modify System Process
    T1543.002 Systemd Service
  T1546 Event Triggered Execution
    T1546.004 Unix Shell Configuration Modification ×2
  T1547 Boot or Logon Autostart Execution
    T1547.004 Winlogon Helper DLL

TA0004 Privilege Escalation (6 techniques)
  T1037 Boot or Logon Initialization Scripts ×3
    T1037.004 RC Scripts
  T1068 Exploitation for Privilege Escalation ×3
  T1078 Valid Accounts ×10
    T1078.001 Default Accounts ×2
  T1543 Create or Modify System Process
    T1543.002 Systemd Service
  T1546 Event Triggered Execution
    T1546.004 Unix Shell Configuration Modification ×2
  T1547 Boot or Logon Autostart Execution
    T1547.004 Winlogon Helper DLL

TA0005 Stealth (MITRE's name for TA0005 is Defense Evasion; 3 techniques)
  T1027 Obfuscated Files or Information ×2
  T1070 Indicator Removal
  T1078 Valid Accounts ×10
    T1078.001 Default Accounts ×2

TA0112 Defense Impairment (1 technique)
  T1599 Network Boundary Bridging

TA0006 Credential Access (3 techniques)
  T1040 Network Sniffing
  T1552 Unsecured Credentials
  T1555 Credentials from Password Stores

TA0007 Discovery (1 technique)
  T1040 Network Sniffing

TA0008 Lateral Movement (3 techniques)
  T1021 Remote Services ×5
    T1021.001 Remote Desktop Protocol
  T1210 Exploitation of Remote Services
  T1570 Lateral Tool Transfer ×3

TA0011 Command and Control (7 techniques)
  T1071 Application Layer Protocol
    T1071.001 Web Protocols
  T1090 Proxy ×5
  T1095 Non-Application Layer Protocol ×2
  T1105 Ingress Tool Transfer ×2
  T1219 Remote Access Tools ×3
  T1572 Protocol Tunneling
  T1665 Hide Infrastructure
IOCS

Observables

12 indicators (domains, IPs, hashes, and other artifacts pulled from reporting) are attributed to this actor. The indicator values are gated and are not shown on this page.
