Chinese Hackers Exploit Dell Zero-Day, Target VMware with New Malware

by Priyanka Patel

A sophisticated Chinese state-sponsored hacking group has been exploiting a critical security flaw in Dell RecoverPoint for Virtual Machines since mid-2024, potentially compromising sensitive data across numerous organizations. The vulnerability, tracked as CVE-2026-22769, is a hardcoded credential issue that allows attackers unauthorized access to underlying operating systems and persistent control over affected systems. This ongoing campaign highlights the escalating threat posed by China-nexus actors targeting critical infrastructure and valuable intellectual property.

Security researchers at Mandiant and the Google Threat Intelligence Group (GTIG) publicly disclosed the exploitation of this zero-day vulnerability today, attributing it to a threat cluster known as UNC6201. Dell issued a security advisory on Tuesday detailing the flaw and urging customers to upgrade to version 6.0.3.1 HF1 or apply available remediations immediately. The vulnerability is considered critical due to the potential for unauthenticated remote access.

Dell RecoverPoint for Virtual Machines is the software affected by the zero-day vulnerability.

New Malware: Grimbolt

Once inside a network, UNC6201 has been deploying a range of malicious payloads, including a newly identified backdoor dubbed Grimbolt. Researchers note that Grimbolt, written in C#, is designed to evade detection through a relatively new compilation technique, making it more difficult to analyze than its predecessor, Brickstorm. The shift from Brickstorm to Grimbolt began in September 2025, though it’s currently unclear whether this was a planned upgrade or a response to ongoing security efforts.

The group is also employing novel techniques to move laterally within compromised networks. According to Mandiant communications manager Mark Karayan, UNC6201 is utilizing “Ghost NICs”—temporary virtual network ports—to pivot from compromised virtual machines into internal or Software-as-a-Service (SaaS) environments. This technique, previously unobserved by Mandiant, allows the attackers to operate stealthily and avoid detection.
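A defender-side illustration of what the Ghost NIC technique implies for detection, added here as an example and not part of Mandiant's reporting or any vendor tooling: it flags virtual NICs that are added to a VM and removed again within a short window. The sample events are constructed, and the record fields (ts, vm, action, device) are an assumed schema rather than any real hypervisor log format.

```python
"""Flag short-lived virtual NICs ("Ghost NICs") in hypervisor reconfiguration events.
Sample records are constructed; the field names are an assumption, not a real schema."""
from datetime import datetime, timedelta

# Constructed sample events: a NIC on vm-web01 appears and vanishes within 7 minutes,
# while a NIC on vm-db02 stays attached for two days (normal change activity).
SAMPLE_EVENTS = [
    {"ts": "2025-09-14T02:10:00", "vm": "vm-web01", "action": "add", "device": "ethernet-1"},
    {"ts": "2025-09-14T02:17:00", "vm": "vm-web01", "action": "remove", "device": "ethernet-1"},
    {"ts": "2025-09-13T10:00:00", "vm": "vm-db02", "action": "add", "device": "ethernet-1"},
    {"ts": "2025-09-15T10:00:00", "vm": "vm-db02", "action": "remove", "device": "ethernet-1"},
]


def find_ghost_nics(events, max_lifetime=timedelta(hours=1)):
    """Return (vm, device, lifetime_seconds) for every NIC that was added and then
    removed within max_lifetime. Events may arrive unordered, so they are sorted first.
    A NIC that is added but never removed is still pending and is not reported here."""
    pending = {}  # (vm, device) -> time the NIC was attached
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["vm"], ev["device"])
        when = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "add":
            pending[key] = when
        elif ev["action"] == "remove" and key in pending:
            lifetime = when - pending.pop(key)
            if lifetime <= max_lifetime:
                hits.append((ev["vm"], ev["device"], int(lifetime.total_seconds())))
    return hits


if __name__ == "__main__":
    for vm, device, seconds in find_ghost_nics(SAMPLE_EVENTS):
        print(f"short-lived NIC on {vm}: {device} lived {seconds}s")
```

The one-hour threshold is a tunable assumption; in practice the alert should be correlated with which port group the transient NIC joined and whether the VM is an appliance without EDR coverage.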

Targeting Virtualized Infrastructure

UNC6201’s focus on appliances that typically lack traditional endpoint detection and response (EDR) agents is a consistent tactic, enabling them to maintain long-term undetected access. This campaign builds on previous activity documented by GTIG, including the use of Brickstorm malware to steal data from U.S. organizations in the legal and technology sectors. Google reported in September that UNC5221, a related threat cluster, leveraged Brickstorm for long-term persistence.

The researchers have identified overlaps between UNC6201 and UNC5221, which has been publicly associated with the Silk Typhoon group, though GTIG does not currently consider the two clusters to be identical. Both groups have demonstrated a sophisticated ability to exploit zero-day vulnerabilities, as evidenced by their targeting of Ivanti products with malware like Spawnant and Zipline, used to breach government agencies. CrowdStrike has also linked Brickstorm attacks to a Chinese hacking group known as Warp Panda.

Broader Implications and Mitigation

The exploitation of CVE-2026-22769 underscores the growing risk of supply chain attacks and the importance of proactive vulnerability management. The attackers’ ability to remain undetected for extended periods highlights the challenges organizations face in defending against advanced persistent threats. The use of Ghost NICs demonstrates a continued evolution in attacker tactics, requiring security teams to adapt their detection and response strategies.

Dell customers are strongly advised to follow the remediation steps outlined in the company’s security advisory. This includes upgrading to the latest version of RecoverPoint for Virtual Machines or implementing the recommended workarounds. Organizations should also review their network segmentation and access control policies to limit the potential impact of a successful breach.

The investigation into this campaign is ongoing, and security researchers continue to monitor UNC6201’s activity for new developments. The next key step will be assessing the full scope of compromised systems and understanding the extent of data exfiltration. Organizations are encouraged to share threat intelligence and collaborate with security vendors to enhance collective defense against these evolving threats.

If you believe your organization may have been affected by this vulnerability, please share your experiences and insights in the comments below. Your feedback can help others strengthen their security posture.
