
Uncovering the Chinese Cyber Threat: Inside the Dell Zero-Day Exploitation Scandal


Suspected Chinese State-Backed Hackers Exploit Critical Dell Security Flaw

A critical Dell security flaw has been quietly exploited by a suspected Chinese state-backed hacking group in zero-day attacks that began in mid-2024.

Security researchers from Mandiant and the Google Threat Intelligence Group (GTIG) disclosed that the group tracked as UNC6201 exploited a maximum-severity hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines, a product used to back up and recover VMware virtual machines.

Dell acknowledged the vulnerability in a security advisory released on Tuesday, stating that versions of Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 contain a hardcoded credential vulnerability.

The advisory stresses the severity of the flaw: an unauthenticated remote attacker who knows the hardcoded credential can use it to gain access to the appliance's underlying operating system and establish root-level persistence. Dell urged customers to upgrade promptly or apply the listed remediations.
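The advisory's affected-version boundary, "prior to 6.0.3.1 HF1", has a pitfall for anyone triaging an inventory: a naive numeric comparison treats 6.0.3.1 as patched when it is not, because the hotfix suffix is the fix. The helper below is an added example, not Dell's tooling; it assumes the appliance reports versions in a "major.minor.patch.build [HFn]" format (an assumption), parses that into a comparable tuple and lists hosts still on an affected build. The inventory is constructed.

```python
import re

# Fixed build per the advisory quoted above: everything older is affected.
FIXED_VERSION = "6.0.3.1 HF1"

# Assumed version format: dotted numbers optionally followed by "HF<n>".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn '6.0.3.1 HF1' into ((6, 0, 3, 1), 1) so versions compare as tuples.

    The hotfix number is a separate, lower-order component: 6.0.3.1 with no HF
    sorts below 6.0.3.1 HF1, which is exactly the boundary the advisory draws.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * (4 - len(numbers))  # pad so '6.0.3' compares as 6.0.3.0
    hotfix = int(match.group(2)) if match.group(2) else 0
    return numbers, hotfix


def is_affected(version, fixed=FIXED_VERSION):
    """True when the given build is older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory, fixed=FIXED_VERSION):
    """inventory: {hostname: reported version}. Returns hosts still on an affected build."""
    return sorted(host for host, version in inventory.items() if is_affected(version, fixed))


# Constructed inventory for illustration; hostnames and versions are made up.
INVENTORY = {
    "rp4vm-dc1-01": "6.0.3.1 HF1",   # patched
    "rp4vm-dc1-02": "6.0.3.1",       # same base release, hotfix missing: still affected
    "rp4vm-dc2-01": "5.3.1.0 HF3",   # older release, affected regardless of its own hotfix
    "rp4vm-lab-01": "6.0.4",         # newer release, not affected
}

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: running {INVENTORY[host]}, upgrade required")
```

The point of keeping the hotfix as a separate tuple element rather than stripping it is the second inventory entry: a host on 6.0.3.1 without HF1 is still exposed, and a version check that ignores the suffix would silently mark it as remediated.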

Once inside a victim's network, UNC6201 deployed several malware payloads, including a newly identified backdoor named Grimbolt. Written in C# and built with a compilation technique the researchers had not seen the group use before, Grimbolt is described as faster and harder to analyze than its predecessor, Brickstorm.

Although UNC6201 replaced Brickstorm with Grimbolt in September 2025, it remains uncertain whether the switch was a planned upgrade or a response to incident response efforts by Mandiant and industry partners.

Targeting VMware ESXi Servers

The attackers used methods not previously documented to move through victims' virtualized infrastructure, in particular creating hidden virtual network interfaces (Ghost NICs) on VMware ESXi hosts to move between networks without touching the usual chokepoints.

Mandiant communications manager Mark Karayan said UNC6201 attached temporary virtual network ports (Ghost NICs) to compromised VMs and used them to pivot into internal or SaaS environments, a technique Mandiant observed for the first time in these investigations.
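Because a Ghost NIC is, from the hypervisor's point of view, an ordinary VM reconfiguration, the signal defenders have is the change record itself: an adapter added to a VM, attached to a port group that VM has no business being on, and often removed again shortly afterwards. The detector below is an added example, not Mandiant's detection logic; it runs over a constructed, simplified log of VM network-adapter changes (the pipe-delimited format is assumed and is not the real vCenter or ESXi event schema) and flags adapters that were attached to an unexpected port group or that lived only briefly. The VM names, port groups and allowlist are made up.

```python
from datetime import datetime, timedelta

# Constructed sample log, NOT real vCenter/ESXi output. One VM network-adapter
# change per line: time|vm|user|op|adapter_key|port_group
SAMPLE_LOG = """\
2025-09-14T01:58:40Z|app-db-02|vcadmin|add|4002|pg-prod-db
2025-09-14T02:11:05Z|backup-proxy-01|svc_backup|add|4001|pg-mgmt
2025-09-14T02:12:30Z|backup-proxy-01|svc_backup|add|4003|pg-saas-egress
2025-09-14T03:47:12Z|backup-proxy-01|svc_backup|remove|4003|pg-saas-egress
2025-09-15T09:00:00Z|app-web-07|vcadmin|add|4000|pg-prod-web
2025-09-15T10:30:00Z|app-web-07|svc_backup|add|4001|pg-mgmt
"""

# Assumed allowlist: the port groups each VM is supposed to be connected to.
EXPECTED_NETS = {
    "app-db-02": {"pg-prod-db"},
    "backup-proxy-01": {"pg-mgmt", "pg-backup"},
    "app-web-07": {"pg-prod-web"},
}


def parse_events(text):
    """Parse the constructed pipe-delimited format into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, vm, user, op, key, net = line.split("|")
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "vm": vm, "user": user, "op": op, "key": key, "net": net,
        })
    return events


def pair_attachments(events):
    """Pair each adapter 'add' with the next 'remove' of the same adapter on the same VM.

    Returns one record per attachment: the add event plus the removal time, or None
    if the adapter is still attached at the end of the log.
    """
    still_open = {}   # (vm, adapter key) -> attachment record awaiting a remove
    attachments = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ident = (ev["vm"], ev["key"])
        if ev["op"] == "add":
            record = {"add": ev, "removed": None}
            still_open[ident] = record
            attachments.append(record)
        elif ev["op"] == "remove" and ident in still_open:
            still_open.pop(ident)["removed"] = ev["time"]
    return attachments


def find_ghost_nics(events, expected_nets, max_lifetime=timedelta(hours=6)):
    """Flag adapters attached to a port group the VM is not expected to use, and
    adapters that were removed again within max_lifetime of being added."""
    findings = []
    for att in pair_attachments(events):
        add = att["add"]
        reasons = []
        if add["net"] not in expected_nets.get(add["vm"], set()):
            reasons.append("unexpected port group")
        lifetime = att["removed"] - add["time"] if att["removed"] else None
        if lifetime is not None and lifetime <= max_lifetime:
            reasons.append("short-lived")
        if reasons:
            findings.append({
                "vm": add["vm"], "key": add["key"], "net": add["net"],
                "user": add["user"], "attached": add["time"],
                "lifetime": lifetime, "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_ghost_nics(parse_events(SAMPLE_LOG), EXPECTED_NETS):
        print(f"{f['vm']} adapter {f['key']} on {f['net']} by {f['user']}: "
              f"{', '.join(f['reasons'])} (lifetime {f['lifetime']})")
```

Two design choices are worth noting. The allowlist rule catches the adapter that gives a VM a path into a network segment it should never reach, regardless of how long it stays attached, and the lifetime rule catches the "temporary" pattern described above even when the port group looks legitimate. Both are heuristics: routine reconfiguration will trip them on a busy vCenter, so the allowlist and the threshold need tuning against a site's own change records, and the output is a lead for an analyst rather than a verdict.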


UNC6201 continues to target appliances that cannot run conventional endpoint detection and response (EDR) agents, which lets it stay undetected for extended periods, consistent with its earlier Brickstorm campaign.

There are overlaps between UNC6201 and another Chinese threat cluster, UNC5221, known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware. UNC5221 was previously associated with the Silk Typhoon Chinese state-backed threat group.

GTIG reported that UNC5221 hackers utilized Brickstorm to establish long-term persistence on the networks of multiple U.S. organizations in the legal and technology sectors. CrowdStrike linked Brickstorm attacks targeting VMware vCenter servers to a Chinese hacking group known as Warp Panda.

To defend against ongoing CVE-2026-22769 attacks, Dell customers are advised to follow the remediation guidance in the security advisory. Because the flaw is a hardcoded credential that the advisory says has been exploited since mid-2024, upgrading closes the entry point but does not undo root-level persistence already established; appliances that were reachable before they were patched should be reviewed for signs of compromise rather than assumed clean.
