China-linked UNC6201 deploys Grimbolt backdoor via Dell RecoverPoint zero-day

A suspected Chinese state-backed hacking group has been exploiting a critical zero-day vulnerability in Dell software since mid-2024, according to Mandiant and the Google Threat Intelligence Group (GTIG) researchers.

The targeted flaw is CVE-2026-22769, a hardcoded credential issue in Dell RecoverPoint for Virtual Machines, a data protection solution used to back up and recover VMware virtual machines.

Dell Technologies warned in its advisory that versions of RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 contain a hardcoded credential vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and establish root-level persistence. The company urged customers to upgrade or apply recommended mitigations as soon as possible.

The researchers have linked the exploitation activity to a threat cluster they track as UNC6201. Once inside victim environments, the attackers deployed multiple malware payloads, including a new C#-based backdoor dubbed ‘Grimbolt.’

Researchers say the malware implements an updated compilation technique that makes it faster and more difficult to analyze than its predecessor, Brickstorm, a sophisticated, stealthy backdoor designed for long-term espionage and persistence. Brickstorm targets VMware vSphere environments (vCenter/ESXi), Linux, and Windows systems, often by exploiting edge devices and network appliances.

UNC6201 was observed replacing Brickstorm with Grimbolt in September 2025, though it remains unclear whether it was a planned upgrade or a response to incident investigations.

The attackers also leveraged novel tactics to move laterally through virtualized infrastructure. According to Mandiant, UNC6201 created hidden network interfaces, so-called “Ghost NICs,” on VMware ESXi servers, allowing the group to pivot from compromised virtual machines into internal or cloud-based environments without detection.

Researchers noted operational overlaps between UNC6201 and another China-affiliated cluster, UNC5221, previously linked to zero-day exploitation of Ivanti systems targeting government agencies. UNC5221 is believed to be part of the broader Chinese threat ecosystem, including activity associated with the Silk Typhoon espionage group, though analysts indicate the clusters are not identical.

GTIG reported in September that UNC5221 operators used Brickstorm to maintain long-term persistence in multiple US organizations across the legal and technology sectors. Separately, cybersecurity firm CrowdStrike has attributed Brickstorm intrusions targeting VMware vCenter servers in US legal, technology, and manufacturing firms to a China-based group it tracks as Warp Panda. Last week, cybersecurity agencies from the US and Canada released an updated version of the Malware Analysis Report containing analysis, IOCs, and detection signatures for a new variant of Brickstorm.
