UNC6201
China-nexus threat actor tracked by Mandiant, known for exploiting zero-day vulnerabilities and deploying the BRICKSTORM backdoor against technology, legal services, and SaaS providers.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score. Thresholds: ≥ 10 High, ≥ 3 Moderate, < 3 Low.
Attribution signals
5 mentions · 2 sources
"Threat clusters like UNC6201 and UNC5807 deliberately target edge and core network devices"
"our analysis of UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day"
"UNC6201 (suspected China-nexus) exploited CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT, a C#-based backdoor with native AOT compilation to complicate detection."
"UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT."
"There are notable overlaps between UNC6201 and UNC5221, which has been used synonymously with the actor publicly reported as Silk Typhoon, although GTIG does not currently consider the two clusters to be the same."
Hedge terms observed