SLAYSTYLE
SLAYSTYLE is a web shell observed in intrusions involving Dell RecoverPoint for Virtual Machines appliances. Mandiant and Google Threat Intelligence Group reported that suspected PRC-nexus cluster UNC6201 exploited CVE-2026-22769, a hard-coded credential vulnerability in the appliance’s Apache Tomcat Manager, to authenticate with embedded admin credentials and upload a malicious WAR file via the /manager/text/deploy endpoint. In observed cases, that WAR deployment installed the SLAYSTYLE web shell, which granted root-level command execution on the compromised appliance.

The malware was used as part of post-exploitation activity for lateral movement, persistence, and follow-on malware deployment. UNC6201 was reported deploying SLAYSTYLE alongside the BRICKSTORM backdoor and the newer GRIMBOLT backdoor, and in some cases pivoting from compromised RecoverPoint appliances into VMware virtual infrastructure.

High-confidence forensic artifacts mentioned in the reporting include suspicious Tomcat Manager requests such as PUT /manager/text/deploy?path=/<MAL_PATH>&update=true, hard-coded credentials stored in /home/kos/tomcat9/tomcat-users.xml or /home/kos/tomcat9/conf/tomcat-users.xml, deployed WAR artifacts under /var/lib/tomcat9 and /var/cache/tomcat9/Catalina, Tomcat logs under /var/log/tomcat9/, audit entries in /home/kos/auditlog/fapi_cl_audit_log.log, and a SLAYSTYLE-related file default_jsp.java with SHA-256 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a. Reporting also notes YARA coverage for SLAYSTYLE, including a rule named G_APT_BackdoorWebshell_SLAYSTYLE_4.
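Two hunting checks for the artifacts listed above, written here as an added example rather than code from the reporting or from any vendor: one parses Tomcat access-log lines for requests to the text Manager deploy endpoints, the other lists accounts in tomcat-users.xml that hold a manager-* role. The log lines and the XML are constructed samples; the regex assumes Tomcat's default "common" access-log layout, and EXAMPLE_APP and PLACEHOLDER stand in for values the page does not give.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Tomcat AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
MANAGER_WRITE = ("/manager/text/deploy", "/manager/text/undeploy", "/manager/text/reload")

def find_manager_deploys(lines):
    """Return one record per access-log request that hits a Manager write endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip instead of crashing the hunt
        parts = urlsplit(m["target"])
        if not parts.path.startswith(MANAGER_WRITE):
            continue
        q = parse_qs(parts.query)
        hits.append({"ip": m["ip"], "user": m["user"], "time": m["ts"],
                     "method": m["method"], "endpoint": parts.path, "status": int(m["status"]),
                     "context": q.get("path", [""])[0],  # where the WAR is mounted (the MAL_PATH)
                     "update": q.get("update", [""])[0] == "true"})
    return hits

def manager_capable_users(tomcat_users_xml):
    """Return {username: roles} for accounts in tomcat-users.xml holding a manager-* role."""
    users = {}
    for el in ET.fromstring(tomcat_users_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate the tomcat.apache.org namespace
            continue
        roles = sorted(r.strip() for r in el.get("roles", "").split(",") if r.strip())
        if any(r.startswith("manager-") for r in roles):
            users[el.get("username")] = roles
    return users

SAMPLE_LOG = [  # constructed lines in the default access_log layout, not real captures
    '203.0.113.10 - admin [01/Feb/2026:10:15:02 +0000] "PUT /manager/text/deploy?path=/EXAMPLE_APP&update=true HTTP/1.1" 200 48',
    '10.0.0.5 - - [01/Feb/2026:10:15:09 +0000] "GET /EXAMPLE_APP/ HTTP/1.1" 200 211',
]
SAMPLE_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user username="admin" password="PLACEHOLDER" roles="manager-gui,manager-script"/>
  <user username="viewer" password="PLACEHOLDER" roles="probeuser"/>
</tomcat-users>"""  # constructed; the appliance's real credentials are not reproduced here

if __name__ == "__main__":
    print(find_manager_deploys(SAMPLE_LOG))
    print(manager_capable_users(SAMPLE_USERS))
```

On an appliance, feed the files under /var/log/tomcat9/ to find_manager_deploys and the tomcat-users.xml paths named above to manager_capable_users; any deploy hit for a context you did not ship is worth a look at /var/lib/tomcat9 and /var/cache/tomcat9/Catalina.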
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
UNC6201 (suspected China-nexus) exploited CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
UNC6201 (suspected China-nexus) exploited CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques

After analyzing various configuration files belonging to Tomcat Manager, we identified a set of hard-coded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager
Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769... UNC6201... has exploited this flaw since at least mid-2024
Execution
4 techniques

An analysis of the compromised VMware vCenter appliances has also uncovered iptable commands executed by means of the web shell...
While analyzing compromised vCenter appliances, Mandiant recovered several commands from Systemd Journal executed by the threat actor using a deployed SLAYSTYLE web shell.
Using these credentials, attackers could authenticate to the Tomcat Manager interface and deploy malicious WAR files via the /manager/text/deploy endpoint. In observed cases, this resulted in the installation of a SLAYSTYLE web shell.
Persistence
4 techniques

After analyzing various configuration files belonging to Tomcat Manager, we identified a set of hard-coded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager
In observed attacks, this mechanism was used to deploy the SLAYSTYLE web shell...
UNC6201 (suspected China-nexus) exploited CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT, a C#-based backdoor with native AOT compilation to complicate detection.
Privilege Escalation
3 techniques

"executing commands as root"
After analyzing various configuration files belonging to Tomcat Manager, we identified a set of hard-coded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager
Stealth
2 techniques

After analyzing various configuration files belonging to Tomcat Manager, we identified a set of hard-coded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager
Lateral Movement
1 technique

The attackers have utilized this flaw to move laterally across networks, maintain persistent access, and deploy a suite of sophisticated malware...
Command and Control
2 techniques

Mandiant discovered the threat actor creating new temporary network ports on existing virtual machines running on an ESXi server. Using these network ports, the threat actor then pivoted to various internal and software-as-a-service (SaaS) infrastructures
suspected China-nexus threat cluster UNC6201 has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including Slaystyle, Brickstorm, and a novel backdoor tracked as Grimbolt.
Other
2 techniques

IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A web shell deployed on compromised Dell RecoverPoint for VMs appliances by UNC6201 after exploiting CVE-2026-22769.
Malware deployed post-exploitation in Dell RecoverPoint intrusions to support persistence and follow-on activity (exact functionality not detailed in the content).
Webshell used for remote command execution and persistence within compromised environments.
Malware deployed post-exploitation by a suspected PRC-nexus cluster for lateral movement, persistence, and follow-on access.