GRIMBOLT C2 Infrastructure Recon: Pivoting From One IP to a Mapped Cluster
Analysing and pivoting on threat actor infrastructure is a useful technique to uncover additional indicators that could be used to detect an evasive adversary. This process can take multiple approaches. CTI analysts often develop their own methodologies and workflows with preferred datasets to perform this type of analysis.
The effectiveness of this practice also depends on what data is available to the CTI analysts who do this work, and it often involves combining multiple sources. These include WHOIS data, port banners, X509 certificates and passive DNS records, as well as internet NetFlow analysis.
This blog is a walkthrough of how it is possible to start with one IP address from a trusted source and uncover a set of potentially related infrastructure. By peering into the adversary’s other activities, it can be possible to find additional victims of the campaign or even the adversary remotely accessing their victim-facing infrastructure using Team Cymru’s external NetFlow data.
Overall, this infrastructure pivoting is a practical workflow that CTI analysts can perform to support proactive threat hunting in historical logs as well as generate detection rules to alert a security operations center (SOC) about any future connections and attempts by an adversary.
UNC6201 + GRIMBOLT: Starting From a Known-Bad IP
Infrastructure pivoting can begin with initial indicators of compromise (IOCs) reported by a trusted source. In this blog, the trusted source is Google, which disclosed a recent campaign by a “suspected PRC-nexus threat cluster” dubbed UNC6201 and shared the IP address 149.248.11[.]71. Google designated this as a GRIMBOLT malware command-and-control (C2) server.
The UNC6201 campaign involved the exploitation of a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines tracked as CVE-2026-22769, as well as the deployment of a newly identified malware dubbed GRIMBOLT, written in C#. This campaign has reportedly been ongoing for nearly two years, indicating a long-term espionage operation focusing on persistent access.
Interestingly, Google observed UNC6201-linked threat actors actively replacing older BRICKSTORM binaries with GRIMBOLT. Google reported that there are notable overlaps between UNC6201 and UNC5221, which has been used synonymously with the moniker Silk Typhoon (formerly known as HAFNIUM) by Microsoft. However, Google does not currently consider the two clusters to be the same. Further, the BRICKSTORM malware operators are also tracked as WARP PANDA by CrowdStrike.
Building an IP Profile in Scout (WHOIS, PDNS, Ports, X509)
Using a Scout summary, we can view the current attributes about the IP address. This includes WHOIS records, generated by Team Cymru’s BGP routing visibility as well as Team Cymru’s proprietary Tagging system, as shown in Figure 1 below.

Scout also has current and historical passive DNS records, which show which domains have resolved to an IP address, the record type, and the first seen and last seen dates, as shown in Figure 2 below.

Analysts can use the Open Ports tab in Scout to find out what services are running on the system as well as which operating system (OS) it uses, as shown in Figure 3 below.

X509 certificate information in Scout reveals interesting traits, such as the X509 Subject Common Name and X509 Issuer Common Name both being a NetBIOS hostname derived from some sort of Windows template used by either a threat actor or a VPS provider. This can be used to identify other systems controlled by the adversary. The X509 certificate’s Not Before and Not After dates are also very useful for understanding when the system was configured by an adversary. See these details in Figure 4 below.

Using the attributes gathered above, analysts can build a profile of the IP address as shown in Table 1 below. The sections of this IP profile can then be used to generate queries in Scout to find similar infrastructure likely controlled by the adversary. The goal is to find other IP addresses that have the same unique attributes or were created the same way.
Table 1. IP Profile of a known GRIMBOLT C2 server controlled by UNC6201.
In the next section, we will discuss how to pivot on these attributes and the significance of why these are useful.
Pivoting With X509 Certificate Fingerprints (NetBIOS CN as a Marker)
When a Windows system is deployed, services like Remote Desktop Protocol (RDP) or WinRM often automatically generate self-signed certificates to establish encrypted connections. By default, Windows populates the X509 Subject Common Name (CN) and Issuer CN with the machine's assigned NetBIOS hostname.
Threat actors, especially those operating at scale or using automated deployments, frequently clone virtual machines (VMs) or use standard templates provided by bulletproof hosting or VPS providers. If they fail to randomize the hostname or properly sysprep the machine before deploying their C2 software, that static NetBIOS name gets baked into the certificate of every server they spin up.
Because this NetBIOS name can be unique to that specific cloned image, it acts as a high-fidelity fingerprint. By adding that specific CN into a Scout query, you can use it to identify every other VPS the adversary deployed using that same template, mapping their broader network.
Using a Scout query such as x509.subject = "CN=WIN-DO6FVJH67FN", derived from the initial GRIMBOLT C2 infrastructure, it was possible to find two more IP addresses using the same X509 certificate, as shown in Table 2 below.
Analysis of these IP addresses revealed that they are also hosted at the same VPS provider (Vultr), since the autonomous system number (ASN) in their WHOIS records is the same. Furthermore, both additional IP addresses had the same port 3389 (RDP) open. The other main similarity was that all three had the same unique X509 certificate (SHA256 hash: 8521f42ce73b1646ccf6d85d876e40662fd0560aeded05ce62b94e5e30233cbe), not just the same X509 Subject CN and Issuer CN. Other attributes, such as the Not Before and Not After dates, were also identical.
IP Infrastructure Similarity Assessment
Team Cymru assesses with medium-to-high confidence that all three IP addresses likely belong to the same GRIMBOLT infrastructure cluster. The overlap of a cryptographically identical X509 certificate, matching autonomous system (ASN) routing, and correlated open port profiles strongly indicates the use of cloned virtual machine images or an automated provisioning script by the threat actor on a single VPS provider, Vultr.
The noticeable difference, however, was that we did not observe the sslip[.]io domain on the other two IP addresses. It is not clear why. This could be either a minor visibility gap in our telemetry or a deliberate operational choice by the threat actor. For a domain to appear in a PDNS database such as Scout’s, a DNS resolver used by Team Cymru must observe some system making that query. If the adversary had not deployed malware using the sslip[.]io format for these two additional IPs, or if the victims are in regions not heavily monitored by Team Cymru’s DNS resolvers, the queries simply will not be captured. Additionally, if the adversary was RDP-ing directly into the IP address, no DNS query would have been generated.
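To make the profile-and-compare workflow described above concrete, the following is an added example (written for this walkthrough, not Team Cymru's Scout code or scoring) that builds an IP profile from the externally observable attributes the post uses (ASN, open ports, X509 SHA256 and Subject/Issuer CN, Not Before date, passive DNS) and scores candidates against the seed C2 server. The weights and confidence thresholds are an illustrative heuristic of my own; the records are constructed from what the post states, with labelled placeholders (Vultr's ASN, the exact Not Before day, the sslip.io label) where the post gives no value.

```python
"""Profile-based similarity scoring for infrastructure pivoting.

Illustrative heuristic only: weights and thresholds are assumptions, not
Team Cymru's assessment method.  Profile records are constructed from the
attributes stated in the post; placeholder values are marked as such.
"""
import re
from dataclasses import dataclass
from datetime import date

# Windows auto-generates hostnames of the form WIN-<11 alphanumerics>; the
# RDP/WinRM self-signed certificate then carries it as Subject and Issuer CN.
DEFAULT_HOSTNAME_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")

# Values from the post.
SEED_CN = "WIN-DO6FVJH67FN"
SEED_CERT_SHA256 = "8521f42ce73b1646ccf6d85d876e40662fd0560aeded05ce62b94e5e30233cbe"
# Placeholders: the post says "same ASN (Vultr)" and "January 2026" only.
VULTR_ASN = 20473                 # Vultr's ASN per public routing data (assumption)
SEED_NOT_BEFORE = date(2026, 1, 1)  # day is a placeholder
SEED_PDNS = frozenset({"149-248-11-71.sslip.io"})  # constructed sslip.io-style label


@dataclass(frozen=True)
class IPProfile:
    ip: str
    asn: int
    open_ports: frozenset
    cert_sha256: str
    subject_cn: str
    issuer_cn: str
    not_before: date
    pdns_domains: frozenset


def is_template_cert(p: IPProfile) -> bool:
    """Self-signed certificate whose CN is a Windows default hostname."""
    return p.subject_cn == p.issuer_cn and bool(DEFAULT_HOSTNAME_RE.match(p.subject_cn))


def similarity(seed: IPProfile, cand: IPProfile):
    """Weighted overlap of attributes; returns (score 0..1, list of reasons)."""
    score, reasons = 0.0, []
    if cand.cert_sha256 == seed.cert_sha256:
        score += 0.50; reasons.append("identical X509 certificate (SHA256)")
    elif cand.subject_cn == seed.subject_cn and is_template_cert(cand):
        # Same cloned-image hostname, but a re-generated certificate.
        score += 0.25; reasons.append("same template Subject/Issuer CN")
    if cand.asn == seed.asn:
        score += 0.15; reasons.append(f"same ASN AS{seed.asn}")
    union = cand.open_ports | seed.open_ports
    if union:
        jac = len(cand.open_ports & seed.open_ports) / len(union)
        if jac:
            score += 0.15 * jac; reasons.append(f"open-port overlap (Jaccard {jac:.2f})")
    if cand.not_before == seed.not_before:
        score += 0.10; reasons.append("same certificate Not Before date")
    if cand.pdns_domains & seed.pdns_domains:
        score += 0.10; reasons.append("shared passive DNS domain")
    return round(score, 2), reasons


def confidence(score: float) -> str:
    """Map a score to an analyst-style confidence band (thresholds assumed)."""
    if score > 0.90:
        return "high"
    if score >= 0.60:
        return "medium-to-high"
    if score >= 0.35:
        return "medium"
    return "low"


def assess(seed: IPProfile, candidates):
    """Return {ip: (score, confidence, reasons)} for every candidate."""
    out = {}
    for c in candidates:
        s, why = similarity(seed, c)
        out[c.ip] = (s, confidence(s), why)
    return out


# Constructed profiles: the three IPs from the post plus two controls.
SEED = IPProfile("149.248.11.71", VULTR_ASN, frozenset({3389}), SEED_CERT_SHA256,
                 SEED_CN, SEED_CN, SEED_NOT_BEFORE, SEED_PDNS)
PIVOT_A = IPProfile("140.82.18.134", VULTR_ASN, frozenset({3389}), SEED_CERT_SHA256,
                    SEED_CN, SEED_CN, SEED_NOT_BEFORE, frozenset())
PIVOT_B = IPProfile("66.42.111.219", VULTR_ASN, frozenset({3389}), SEED_CERT_SHA256,
                    SEED_CN, SEED_CN, SEED_NOT_BEFORE, frozenset())
# Control 1: another Vultr RDP host with its own default hostname (documentation IP).
CONTROL = IPProfile("203.0.113.10", VULTR_ASN, frozenset({3389}), "00" * 32,
                    "WIN-AAAAAAAAAAA", "WIN-AAAAAAAAAAA", date(2025, 9, 1), frozenset())
# Control 2: same template CN but a re-generated cert in a different ASN.
TEMPLATE_ONLY = IPProfile("198.51.100.7", 64496, frozenset({3389}), "11" * 32,
                          SEED_CN, SEED_CN, SEED_NOT_BEFORE, frozenset())

if __name__ == "__main__":
    for ip, (score, conf, why) in assess(SEED, [PIVOT_A, PIVOT_B, CONTROL, TEMPLATE_ONLY]).items():
        print(f"{ip:15} {score:.2f} {conf:15} {'; '.join(why)}")
```

The identical certificate hash dominates the score on purpose: a cryptographically identical certificate is far stronger evidence than a shared ASN or open port, which thousands of unrelated Vultr RDP hosts also share (the `CONTROL` record scores low for exactly that reason). The `TEMPLATE_ONLY` record shows the weaker CN-only pivot, which is a hunt lead rather than a cluster membership claim.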
Outlook
It should be noted that the specific X509 certificate SHA256 hash and the associated NetBIOS Subject Common Name (WIN-DO6FVJH67FN) detailed in this research are the result of independent research and external telemetry pivoting by Team Cymru. These specific artifacts were not detailed in the original Google reporting regarding the UNC6201/GRIMBOLT campaigns, representing a new intelligence discovery by Team Cymru.
Although this assessment provides a link between the identified IP addresses, it is subject to the inherent limitations of external infrastructure analysis. Team Cymru’s threat infrastructure tracking relies heavily on externally observable network telemetry, such as Internet-wide scan data, open port profiles, NetFlow collection, PDNS, and cryptographic handshakes. While these artifacts allow us to profile, fingerprint, and cluster networks with a high degree of accuracy, they only represent the externally facing perimeter of the threat actor's operations.
Furthermore, while Google’s reporting established the initial timeline around the adversary’s shift to the GRIMBOLT malware in September 2025, our recent research using Team Cymru's Scout telemetry demonstrates that infrastructure deployment is potentially ongoing. Because the identified IP addresses share recently generated X509 certificate artifacts dating to January 2026, these specific IP addresses may not be stale indicators, but rather active infrastructure that was still under the direct control of the adversary. These servers were reported to Vultr for review and action.
Absolute verification of a server's internal state, active processes, and stored malware configurations requires formal Digital Forensics and Incident Response (DFIR) methodologies. Without access to volatile memory captures or bit-by-bit forensic disk images of the suspected GRIMBOLT C2 servers, Team Cymru cannot achieve the absolute ground-truth certainty that internal host-based analysis provides.
Therefore, the findings herein represent an intelligence assessment based on best-practice external network telemetry analysis, rather than a forensically proven conclusion.
General Recommended Courses of Action
- Add the known UNC6201 C2 server and the additional IP addresses to alerting lists and/or block lists.
- Retrospectively hunt for these IP addresses for any historical connections to your environment.
Recommended Courses of Action for Team Cymru Customers
- Monitor the communications of these IPs for connections to your perimeter or supply chain’s network.
- Run a scheduled Scout API query for IPs that have the unique X509 certificate.
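The retrospective hunt recommended above can be expressed as a small matcher run over historical network logs. The following is an added example (not Team Cymru's tooling and not a Scout API client) that refangs the published IOCs and walks constructed Zeek-style JSON log lines, raising high-severity alerts for connections to the listed IPs, for the known certificate SHA256, and for sslip.io names that embed one of the IPs, plus a low-severity hunt lead for any self-signed certificate whose CN is a default Windows hostname. The log lines, the Zeek-like field names and the sslip.io label format are assumptions made for the example.

```python
"""Retrospective hunt for the post's indicators over Zeek-style JSON logs.

Added example; log records are constructed and field names only approximate
Zeek's conn/x509/dns logs.  Indicators come from the post.
"""
import json
import re

DEFANGED_IPS = ["149.248.11[.]71", "140.82.18[.]134", "66.42.111[.]219"]
CERT_SHA256 = "8521f42ce73b1646ccf6d85d876e40662fd0560aeded05ce62b94e5e30233cbe"
TEMPLATE_CN = "WIN-DO6FVJH67FN"
DEFAULT_HOSTNAME_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")
# sslip.io resolves names that embed an IP (dash- or dot-separated) to that IP;
# the actor's exact label is not on the page, so this pattern is an assumption.
SSLIP_RE = re.compile(r"(\d{1,3}(?:[-.]\d{1,3}){3})\.sslip\.io\.?$", re.IGNORECASE)


def refang(ip: str) -> str:
    """Turn a defanged IP such as 1.2.3[.]4 back into 1.2.3.4 for matching."""
    return ip.replace("[.]", ".")


IOC_IPS = frozenset(refang(ip) for ip in DEFANGED_IPS)


def cn_of(dn: str) -> str:
    """Extract the CN attribute from a comma-separated DN string."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""


def hunt(lines):
    """Return (severity, ts, message) tuples for every matching record."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        path = rec.get("_path")
        if path == "conn":
            if rec["id.resp_h"] in IOC_IPS:
                alerts.append(("high", rec["ts"],
                               f"connection from {rec['id.orig_h']} to UNC6201 IP "
                               f"{rec['id.resp_h']}:{rec['id.resp_p']}"))
        elif path == "x509":
            subj, iss = cn_of(rec["certificate.subject"]), cn_of(rec["certificate.issuer"])
            if rec["fingerprint"] == CERT_SHA256:
                alerts.append(("high", rec["ts"], "known GRIMBOLT C2 certificate observed"))
            elif subj == iss == TEMPLATE_CN:
                alerts.append(("medium", rec["ts"], "UNC6201 template CN with a different certificate"))
            elif subj == iss and DEFAULT_HOSTNAME_RE.match(subj):
                # Common on legitimate Windows hosts too: a lead to triage, not a verdict.
                alerts.append(("low", rec["ts"], f"self-signed default Windows hostname cert {subj}"))
        elif path == "dns":
            m = SSLIP_RE.search(rec["query"])
            if m and m.group(1).replace("-", ".") in IOC_IPS:
                alerts.append(("high", rec["ts"], f"sslip.io name embedding IOC IP: {rec['query']}"))
    return alerts


# Constructed sample log; only the IOC values themselves come from the post.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"_path": "conn", "ts": 1.0, "id.orig_h": "10.0.0.5", "id.orig_p": 51000,
     "id.resp_h": "140.82.18.134", "id.resp_p": 3389},
    {"_path": "conn", "ts": 2.0, "id.orig_h": "10.0.0.6", "id.orig_p": 51001,
     "id.resp_h": "198.51.100.20", "id.resp_p": 443},
    {"_path": "x509", "ts": 3.0, "fingerprint": CERT_SHA256,
     "certificate.subject": "CN=" + TEMPLATE_CN, "certificate.issuer": "CN=" + TEMPLATE_CN},
    {"_path": "x509", "ts": 4.0, "fingerprint": "aa" * 32,
     "certificate.subject": "CN=WIN-ABCDEFGHIJK", "certificate.issuer": "CN=WIN-ABCDEFGHIJK"},
    {"_path": "x509", "ts": 5.0, "fingerprint": "bb" * 32,
     "certificate.subject": "CN=mail.example.com", "certificate.issuer": "CN=R3"},
    {"_path": "dns", "ts": 6.0, "query": "149-248-11-71.sslip.io"},
    {"_path": "dns", "ts": 7.0, "query": "www.example.com"},
]]

if __name__ == "__main__":
    for sev, ts, msg in hunt(SAMPLE_LOG):
        print(f"[{sev}] ts={ts} {msg}")
```

Matching on the certificate SHA256 is independent of the IP, so it keeps working if the actor moves the cloned image to fresh addresses; the default-hostname check is deliberately rated low because plenty of unsysprepped but legitimate Windows hosts present the same kind of certificate, and it should feed a triage queue rather than a block list.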
List of IP Addresses Mentioned Above
149.248.11[.]71
140.82.18[.]134
66.42.111[.]219