Chinese State-Backed Hackers Exploit Critical Dell Zero-Day For Over 18 Months

A suspected Chinese state-backed hacking group has been quietly exploiting a critical software flaw in Dell Technologies software since mid-2024, according to new research from cybersecurity firms Mandiant and the Google Threat Intelligence Group (GTIG).

The threat cluster known as UNC6201 has been abusing a maximum-severity vulnerability in Dell RecoverPoint for Virtual Machines, a widely used data protection tool for backing up and recovering VMware virtual machines.

A 10/10 Severity Flaw

The vulnerability, tracked as CVE-2026-22769, carries a perfect 10.0 CVSS score – the highest possible rating. It stems from hardcoded administrator credentials embedded in affected versions of the software.

This means attackers who knew the built-in password could remotely log in to the system, effectively bypassing authentication. Once inside, they establish root-level persistence, giving them near-total control over the compromised servers.
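To make the flaw class concrete, here is an added example (constructed for this article, not Dell's code, and the password value is a labelled placeholder): a login routine that accepts an account whose password is embedded in the program, the same check rebuilt so that no credential exists in the code, and a small source audit of the kind a reviewer can run to catch credential literals before a release ships.

```python
import hashlib
import hmac
import re
import secrets

# Constructed example. Nothing here is Dell's code; the password string is a
# labelled placeholder standing in for whatever a real product might embed.

# ---- Vulnerable pattern: a built-in account whose password lives in the code.
# Every installation shares it, so one leak (or one decompiled binary) unlocks
# every deployment, and rotating it requires a new software release.
BUILTIN_ADMIN_USER = "admin"
BUILTIN_ADMIN_PASSWORD = "placeholder-factory-password"  # hypothetical value


def vulnerable_login(username: str, password: str) -> bool:
    """Accepts the embedded credential from any client, anywhere."""
    return username == BUILTIN_ADMIN_USER and password == BUILTIN_ADMIN_PASSWORD


# ---- Hardened pattern: no credential in the code. The administrator password
# is chosen at install time and kept only as a salted PBKDF2 hash in a
# per-install store (an in-memory dict here, standing in for a protected file
# or a vault), compared in constant time.
PBKDF2_ROUNDS = 100_000


class CredentialStore:
    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._records[username] = (salt, digest)

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a known one.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)


def hardened_login(store: CredentialStore, username: str, password: str) -> bool:
    return store.verify(username, password)


# ---- Defender-side check: a crude source audit for credential literals.
# Matches assignments such as PASSWORD = "..." or db_token: '...' and returns
# (line_number, line_text) pairs for a reviewer to inspect.
_SECRET_LITERAL = re.compile(
    r"""(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']+["']"""
)


def find_hardcoded_secrets(source_text: str) -> list[tuple[int, str]]:
    hits = []
    for number, line in enumerate(source_text.splitlines(), start=1):
        if _SECRET_LITERAL.search(line):
            hits.append((number, line.strip()))
    return hits


if __name__ == "__main__":
    print("vulnerable login with embedded password:", vulnerable_login("admin", BUILTIN_ADMIN_PASSWORD))
    store = CredentialStore()
    store.set_password("admin", "chosen-at-install-time")
    print("hardened login with embedded password:", hardened_login(store, "admin", BUILTIN_ADMIN_PASSWORD))
    print("hardened login with the real password:", hardened_login(store, "admin", "chosen-at-install-time"))
    with open(__file__) as fh:
        print("credential literals in this file:", find_hardcoded_secrets(fh.read()))
```

Run stand-alone, the audit flags its own `BUILTIN_ADMIN_PASSWORD` line, which is the point: a secret that is visible to a regex is visible to anyone who extracts the shipped software.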

Dell confirmed that versions before 6.0.3.1 HF1 are affected and has urged customers to immediately upgrade or apply the mitigation steps outlined in its advisory.

New Backdoor: Grimbolt

Once inside victim networks, UNC6201 deployed multiple malware tools to maintain access and move laterally. Researchers identified a new backdoor called Grimbolt, written in C# and compiled using a technique known as Native Ahead-of-Time (AOT).

Unlike traditional .NET malware, which ships as intermediate language that is compiled at run time, Grimbolt is compiled directly to native machine code ahead of time, making the malware faster and harder for analysts and security tools to examine.

Grimbolt appears to have replaced an earlier backdoor known as Brickstorm around September 2025, though researchers are unsure whether the change was a planned upgrade or a response to growing scrutiny from investigators.

Advanced VMware Targeting Techniques

The attackers focused heavily on VMware virtualized environments. They used a novel technique involving temporary hidden network interfaces — dubbed “Ghost NICs” — on ESXi servers to move across virtual environments undetected.

“UNC6201 uses temporary virtual network ports (AKA “Ghost NICs”) to pivot from compromised VMs into internal or SaaS environments, a new technique that Mandiant has not observed before in their investigations,” Mandiant communications manager Mark Karayan said in a statement.

These hidden network ports allowed the hackers to quietly pivot from compromised virtual machines into internal systems or cloud-based environments without triggering standard monitoring tools.
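A defender-side view of the pattern just described, as an added example (not from Mandiant or the original article): because a "Ghost NIC" exists only briefly, a hunt can look for virtual network adapters that were added to a VM and removed again within a short window. The event records below are constructed for the example and use this example's own field names, not vCenter's event schema; the two-hour window is an assumption to tune per environment. A real hunt would map exported VM reconfiguration events onto this shape.

```python
from datetime import datetime, timedelta

# Constructed records: each is a VM reconfiguration that added or removed a
# virtual NIC. Field names are this example's own, not vCenter's event schema.
EVENTS = [
    {"time": datetime(2025, 9, 3, 2, 3), "vm": "backup-proxy-01",
     "adapter": "ethernet1", "action": "add", "portgroup": "mgmt-internal"},
    {"time": datetime(2025, 9, 3, 2, 41), "vm": "backup-proxy-01",
     "adapter": "ethernet1", "action": "remove", "portgroup": "mgmt-internal"},
    {"time": datetime(2025, 9, 3, 9, 0), "vm": "web-02",
     "adapter": "ethernet1", "action": "add", "portgroup": "dmz"},
    {"time": datetime(2025, 9, 1, 10, 0), "vm": "db-01",
     "adapter": "ethernet1", "action": "add", "portgroup": "app"},
    {"time": datetime(2025, 9, 5, 10, 0), "vm": "db-01",
     "adapter": "ethernet1", "action": "remove", "portgroup": "app"},
]


def find_short_lived_nics(events, max_lifetime=timedelta(hours=2)):
    """Pair each adapter 'add' with its later 'remove' on the same VM and
    report pairs whose lifetime is at most max_lifetime (assumed threshold).
    An adapter that was added and never removed is not reported here; that
    case is a job for inventory diffing rather than event correlation."""
    pending = {}   # (vm, adapter) -> the 'add' event still awaiting a 'remove'
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["vm"], ev["adapter"])
        if ev["action"] == "add":
            pending[key] = ev
        elif ev["action"] == "remove":
            added = pending.pop(key, None)
            if added is None:
                continue  # the add predates the exported window; nothing to pair
            lifetime = ev["time"] - added["time"]
            if lifetime <= max_lifetime:
                findings.append({
                    "vm": ev["vm"],
                    "adapter": ev["adapter"],
                    "portgroup": added["portgroup"],
                    "added": added["time"],
                    "removed": ev["time"],
                    "lifetime_minutes": int(lifetime.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for hit in find_short_lived_nics(EVENTS):
        print(f"{hit['vm']}: {hit['adapter']} on '{hit['portgroup']}' "
              f"lived {hit['lifetime_minutes']} min ({hit['added']} to {hit['removed']})")
```

On the constructed data only `backup-proxy-01` is reported: its adapter on the `mgmt-internal` port group lived 38 minutes, while `db-01`'s adapter lasted four days and `web-02`'s is still attached. The port group in the finding matters as much as the lifetime, since a backup appliance briefly reaching a management network is the kind of pivot the article describes.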

Researchers say the group deliberately targets edge appliances and systems that often lack endpoint detection and response (EDR) software, allowing them to remain undetected for extended periods — sometimes for more than a year.

Links To Broader Chinese Cyber Campaigns

Investigators noted overlaps between UNC6201 and another China-linked threat cluster known as UNC5221, previously associated with advanced zero-day exploitation campaigns targeting government and enterprise networks.

UNC5221 has been publicly linked to the broader Chinese espionage operation known as Silk Typhoon. While analysts say the two clusters are not identical, similarities in tactics and tooling suggest potential coordination or shared resources.

Security researchers also say previous Brickstorm attacks were tied to legal, technology, and manufacturing organizations in the United States.

Ongoing Risk

Experts warn that the full scope of the campaign may still be unknown: since exploitation began in mid-2024, some organizations may still be unaware that they were compromised.

Dell has released patches and remediation scripts to address the vulnerability. Experts strongly recommend that organizations and customers review the advisory, apply updates immediately, and conduct thorough threat-hunting investigations — especially if they run VMware-based infrastructure.

The campaign highlights a growing challenge in cybersecurity: sophisticated state-backed actors are increasingly capable of exploiting zero-day vulnerabilities and remaining hidden inside networks for months — or even years before being detected.

Kavita Iyer
https://www.techworm.net