A suspected Chinese state-backed hacking group has been exploiting a critical zero-day vulnerability in Dell software since mid-2024, according to new research from Mandiant and the Google Threat Intelligence Group.

The flaw, tracked as CVE-2026-22769, affects Dell RecoverPoint for Virtual Machines, a solution widely used for VMware virtual machine backup and recovery.

The vulnerability is described as a maximum-severity hardcoded credential flaw. According to Dell’s advisory, versions before 6.0.3.1 HF1 contain embedded credentials that could allow an unauthenticated remote attacker to gain unauthorized access. If exploited, attackers could achieve root-level persistence on affected systems. Dell has urged customers to upgrade or apply recommended mitigations immediately.
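As an added inventory-triage example (not code from the article, Dell, or Mandiant), the helper below decides whether a RecoverPoint for Virtual Machines version string is below the fixed release the advisory names, so an asset list can be checked quickly. It assumes version strings look like "6.0.3.1 HF1" (numeric release, optional hotfix suffix) and that a hotfix sorts after its base release.

```python
import re
from typing import Dict, List, Tuple

# Fixed release for CVE-2026-22769 as quoted from Dell's advisory in the article.
FIXED_VERSION = "6.0.3.1 HF1"

# Assumed string shape: dotted numeric release, optional "HF<n>" hotfix suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '6.0.3.1 HF1' into ((6, 0, 3, 1), 1); no hotfix counts as 0."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognized RecoverPoint version string: {text!r}")
    numeric = [int(part) for part in match.group(1).split(".")]
    # Drop trailing zeros so 6.0.3.0 and 6.0.3 compare as the same release.
    while len(numeric) > 1 and numeric[-1] == 0:
        numeric.pop()
    hotfix = int(match.group(2)) if match.group(2) else 0
    return tuple(numeric), hotfix


def is_vulnerable(version: str) -> bool:
    """True when the given version is earlier than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose RecoverPoint version still needs the update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "rp-site-a": "6.0.3.1",
        "rp-site-b": "6.0.3.1 HF1",
        "rp-site-c": "5.3.2.1",
        "rp-site-d": "6.0.4",
    }
    print("needs update:", triage(sample))  # needs update: ['rp-site-a', 'rp-site-c']
```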

The threat group, tracked as UNC6201, reportedly deployed multiple malware payloads after breaching networks. Researchers identified a new backdoor named Grimbolt, written in C# and built using a newer compilation method designed to make analysis more difficult. Grimbolt appears to have replaced an earlier backdoor known as Brickstorm around September 2025, though experts are unsure whether the change was a planned upgrade or a response to security investigations.

Investigators also uncovered new techniques used to move laterally inside virtualized environments. The attackers created temporary hidden network interfaces, referred to as “Ghost NICs,” on VMware ESXi servers. This allowed them to pivot from compromised virtual machines into internal systems or SaaS environments while avoiding detection. The group has reportedly targeted appliances that often lack traditional endpoint detection and response tools, helping them remain hidden for extended periods.


Researchers noted overlaps between UNC6201 and another Chinese-linked threat cluster known as UNC5221, previously associated with zero-day exploitation campaigns and advanced malware operations. Although the two groups are not considered identical, similarities in tactics and tooling suggest possible coordination or shared resources.


Security experts strongly recommend that Dell customers review the official advisory and apply patches or remediation steps to block ongoing exploitation attempts.
