Chinese APT Exploited Dell Zero-Day for Nine Months

A suspected Chinese state-sponsored hacking group has been actively exploiting a critical Dell vulnerability since mid-2024 in a series of undetected zero-day attacks. The threat actor, tracked as UNC6201, leveraged a hardcoded credential flaw designated CVE-2026-22769 affecting Dell RecoverPoint for Virtual Machines, a backup and recovery solution for VMware environments. This maximum-severity vulnerability allows unauthenticated remote attackers with knowledge of the embedded credentials to gain root-level access to the underlying operating system.

Once inside compromised networks, the attackers deployed a new C#-based backdoor called Grimbolt, designed for faster execution and greater resistance to analysis compared to its predecessor Brickstorm. The group switched from Brickstorm to Grimbolt in September 2025, though researchers remain uncertain whether this represented a planned upgrade or a response to detection efforts. The attackers also employed novel stealth techniques, including creating hidden virtual network interfaces on VMware ESXi servers to move laterally across victim environments without detection.

These "Ghost NICs" allowed the group to pivot from compromised virtual machines into internal networks and cloud-based services, a tactic previously undocumented in Mandiant investigations. UNC6201 deliberately targeted systems lacking traditional endpoint detection and response agents, enabling prolonged undetected access. The group shares infrastructure and tooling overlaps with UNC5221, another Chinese threat cluster linked to Silk Typhoon and known for exploiting Ivanti vulnerabilities against government agencies.

Dell has released remediation guidance urging customers to upgrade to version 6.0.3.1 HF1 or apply available patches immediately. The attacks primarily targeted VMware ESXi servers belonging to organizations in the legal, technology, and manufacturing sectors across the United States.
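As an added illustration of the remediation step above (this is example code written for this page, not a Dell tool or anything from the reporting), the following Python helper compares installed RecoverPoint for Virtual Machines version strings against the 6.0.3.1 HF1 baseline quoted in Dell's guidance and flags appliances that still need the upgrade. The version-string format (dotted numeric release, optional `HF<n>` hotfix tag) and the sample inventory are assumptions constructed for the example; the hostnames are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Remediated release named in Dell's guidance, as quoted in the article.
REMEDIATED_VERSION = "6.0.3.1 HF1"

# Assumed format: dotted numeric release, optionally followed by a hotfix tag
# "HF<n>". This is an assumption made for the example, not taken from Dell
# documentation; adjust the pattern if your appliances report versions differently.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a string like '6.0.3.1 HF1' into a comparable tuple (6, 0, 3, 1, 1).

    Numeric components are padded to four places so '6.0.3' and '6.0.3.0'
    compare equal; the hotfix number is the fifth element (0 when no HF tag
    is present, so a base release sorts below its hotfix). Raises ValueError
    on input that does not match the assumed format.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many version components: {text!r}")
    parts += [0] * (4 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (parts[0], parts[1], parts[2], parts[3], hotfix)


def is_remediated(installed: str, baseline: str = REMEDIATED_VERSION) -> bool:
    """True when the installed version is at or above the remediated baseline."""
    return parse_version(installed) >= parse_version(baseline)


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split an inventory of (hostname, reported_version) pairs into
    hosts still exposed and hosts whose version could not be parsed.

    Unparseable entries are reported separately rather than silently
    treated as safe, so a blank or malformed field never hides an
    unpatched appliance.
    """
    exposed: List[str] = []
    unparsed: List[str] = []
    for host, version in inventory:
        try:
            if not is_remediated(version):
                exposed.append(host)
        except ValueError:
            unparsed.append(host)
    return {"exposed": exposed, "unparsed": unparsed}


# Constructed sample inventory (placeholder hostnames, not real systems).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("rpvm-a.example.internal", "6.0.3.1 HF1"),  # patched
    ("rpvm-b.example.internal", "6.0.3.1"),      # base release, hotfix missing
    ("rpvm-c.example.internal", "5.3.2.0"),      # older release
    ("rpvm-d.example.internal", "unknown"),      # inventory gap, needs manual check
]


if __name__ == "__main__":
    result = triage_inventory(SAMPLE_INVENTORY)
    for host in result["exposed"]:
        print(f"UPGRADE REQUIRED: {host}")
    for host in result["unparsed"]:
        print(f"VERIFY MANUALLY:  {host}")
```

Note that a bare `6.0.3.1` is treated as not remediated: the guidance names the HF1 hotfix, and the tuple ordering deliberately places a base release below its own hotfix so the check cannot be satisfied by the release number alone.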
