Dell Zero-Day Flaw Exploited by Chinese Hackers Since Mid-2024
Suspected Chinese State-Sponsored Hacking Group Exploits Zero-Day Vulnerability in Dell’s RecoverPoint
A suspected Chinese state-sponsored hacking group, known as UNC6201, has been exploiting a critical zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines solution since mid-2024.
Vulnerability Details
The vulnerability, tracked as CVE-2026-22769, is a hardcoded credential flaw that allows an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and achieve root-level persistence.
Malware Deployment and Lateral Movement
Once inside a victim’s network, UNC6201 has been deploying multiple malware payloads, including a newly identified backdoor called Grimbolt. This malware is written in C# and uses a relatively new compilation technique, making it faster and harder to analyze than its predecessor, Brickstorm.
The researchers observed the group replacing Brickstorm with Grimbolt in September 2025, but it is unclear whether this was a planned upgrade or a response to incident response efforts.
The attackers have also been using novel techniques to move stealthily across victims’ networks, including creating hidden network interfaces, known as Ghost NICs, on VMware ESXi servers. This allows them to pivot from compromised virtual machines into internal or SaaS environments, a technique that has not been observed before in Mandiant’s investigations.
Connections to Other Threat Groups
The researchers have found overlaps between UNC6201 and a separate Chinese threat cluster, UNC5221, which has been linked to Silk Typhoon, a notorious Chinese state-backed threat group. UNC5221 has been known to exploit Ivanti zero-days to target government agencies with custom malware.
Remediation and Prevention
To block ongoing CVE-2026-22769 attacks, Dell customers are advised to follow the remediation guidance shared in the security advisory. This includes upgrading to a patched version of RecoverPoint for Virtual Machines or applying one of the recommended workarounds.
The exploitation of this zero-day vulnerability highlights the importance of keeping software up to date and applying security patches in a timely manner. It also underscores the need for organizations to have robust incident response plans in place to quickly detect and respond to potential security threats.
