
Chinese hackers exploiting Dell zero-day flaw since mid-2024


A suspected Chinese state-backed hacking group has been quietly exploiting a critical Dell security flaw in zero-day attacks that started in mid-2024.

Security researchers from Mandiant and the Google Threat Intelligence Group (GTIG) revealed today that the UNC6201 group exploited a maximum-severity hardcoded-credential vulnerability (tracked as CVE-2026-22769) in Dell RecoverPoint for Virtual Machines, a solution used for VMware virtual machine backup and recovery.

"Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability," Dell explains in a security advisory published on Tuesday.

"This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible."
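The advisory above describes a hardcoded-credential weakness: one fixed secret shipped in every copy of the software, so whoever learns it can authenticate to any installation. The following Python is an added illustration of that weakness class next to the usual remedy (a per-installation secret generated at provisioning, stored only as a salted hash, compared in constant time). It is generic example code, not Dell's code and not derived from RecoverPoint; the account name, the constant and the store are all constructed for the example.

```python
"""Hardcoded credential (vulnerable pattern) versus per-installation
credential (hardened pattern). Generic added example; assumed names,
not taken from any vendor's product."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000

# --- Vulnerable pattern -------------------------------------------------
# A fixed secret compiled into the product. Every installation shares it,
# so extracting it from one copy gives access to all of them, and the
# vendor cannot rotate it without shipping a new build.
BUILTIN_SERVICE_PASSWORD = "factory-default-secret"  # constructed placeholder value


def login_vulnerable(username: str, password: str) -> bool:
    """Accepts the built-in service account with the baked-in secret."""
    return username == "service" and password == BUILTIN_SERVICE_PASSWORD


# --- Hardened pattern ---------------------------------------------------
class CredentialStore:
    """Holds only salted PBKDF2 hashes; no secret exists in the code."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[username] = (salt, self._derive(password, salt))

    def provision_service_account(self, username: str = "service") -> str:
        """Generate a random per-installation secret at provisioning time.
        The plaintext is returned exactly once so it can be shown to the
        operator; only its salted hash is retained."""
        password = secrets.token_urlsafe(24)
        self.set_password(username, password)
        return password

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Spend the same effort for unknown users so timing does not
            # reveal which account names exist.
            self._derive(password, b"\x00" * 16)
            return False
        salt, digest = record
        return hmac.compare_digest(self._derive(password, salt), digest)


if __name__ == "__main__":
    store = CredentialStore()
    issued = store.provision_service_account()
    print("vulnerable login with shared secret:", login_vulnerable("service", BUILTIN_SERVICE_PASSWORD))
    print("hardened login with issued secret:", store.verify("service", issued))
    print("hardened login with shared secret:", store.verify("service", BUILTIN_SERVICE_PASSWORD))
```

The point of the hardened half is not the hashing detail but that two installations provisioned from the same build end up with different secrets, so knowledge of one does not transfer to the other; the test for that is simply that a secret issued by one store fails against another.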

Once inside a victim's network, UNC6201 deployed several malware payloads, including newly identified backdoor malware called Grimbolt. Written in C# and built using a relatively new compilation technique, this malware is designed to be faster and harder to analyze than its predecessor, a backdoor called Brickstorm.

While the researchers have observed the group swapping out Brickstorm for Grimbolt in September 2025, it remains unclear whether the switch was a planned upgrade or "a reaction to incident response efforts led by Mandiant and other industry partners."

Targeting VMware ESXi servers

The attackers also used novel techniques to burrow deeper into victims' virtualized infrastructure, including creating hidden network interfaces (so-called Ghost NICs) on VMware ESXi servers to move stealthily across victims' networks.

"UNC6201 uses temporary virtual network ports (AKA 'Ghost NICs') to pivot from compromised VMs into internal or SaaS environments, a new technique that Mandiant has not observed before in their investigations," Mandiant communications manager Mark Karayan told BleepingComputer.

"Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods."
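Because the Ghost NIC technique relies on virtual network ports that exist only briefly, and because the targeted appliances carry no EDR agent, a practical detection has to come from the virtualization layer: periodic inventories of each VM's NICs and port groups, diffed over time, will show an interface that appeared after the baseline and was gone again within a short window. The Python below is an added example of that diff logic, not code from Mandiant, Google or VMware. The snapshot records are constructed for the example and do not follow any real vCenter or ESXi export format; in practice the rows would be produced by whatever inventory tooling the environment already has.

```python
"""Flag short-lived VM network interfaces across periodic inventory snapshots.
Added example; snapshot rows are constructed and the (timestamp, vm, nic,
port_group) layout is an assumption, not a vendor export format."""
from collections import defaultdict
from datetime import datetime

# Constructed snapshots taken five minutes apart. backup-appliance-01 gains a
# NIC on an internal port group at 08:05 that is gone again by 08:10;
# web-frontend-02 gains a NIC at 08:10 that remains in every later snapshot.
SNAPSHOTS = [
    ("2025-09-01T08:00:00", "backup-appliance-01", "nic-4000", "Mgmt-Net"),
    ("2025-09-01T08:00:00", "web-frontend-02", "nic-4000", "DMZ-Net"),
    ("2025-09-01T08:05:00", "backup-appliance-01", "nic-4000", "Mgmt-Net"),
    ("2025-09-01T08:05:00", "backup-appliance-01", "nic-4001", "Internal-Servers"),
    ("2025-09-01T08:05:00", "web-frontend-02", "nic-4000", "DMZ-Net"),
    ("2025-09-01T08:10:00", "backup-appliance-01", "nic-4000", "Mgmt-Net"),
    ("2025-09-01T08:10:00", "web-frontend-02", "nic-4000", "DMZ-Net"),
    ("2025-09-01T08:10:00", "web-frontend-02", "nic-4001", "DMZ-Net"),
    ("2025-09-01T08:15:00", "backup-appliance-01", "nic-4000", "Mgmt-Net"),
    ("2025-09-01T08:15:00", "web-frontend-02", "nic-4000", "DMZ-Net"),
    ("2025-09-01T08:15:00", "web-frontend-02", "nic-4001", "DMZ-Net"),
]


def find_transient_nics(snapshots, max_lifetime_seconds=900):
    """Return NICs that were absent at baseline, absent in the latest snapshot,
    and present for at most max_lifetime_seconds in between. Each finding also
    notes whether the NIC touched a port group the VM's baseline NICs never used,
    which is the pivot-into-another-segment case worth prioritising."""
    times = sorted({datetime.fromisoformat(t) for t, _, _, _ in snapshots})
    if len(times) < 2:
        return []  # a single snapshot cannot show anything appearing or vanishing
    baseline, latest = times[0], times[-1]

    seen = defaultdict(set)             # (vm, nic) -> timestamps observed
    groups = defaultdict(set)           # (vm, nic) -> port groups observed
    baseline_groups = defaultdict(set)  # vm -> port groups of NICs present at baseline
    for t, vm, nic, pg in snapshots:
        ts = datetime.fromisoformat(t)
        seen[(vm, nic)].add(ts)
        groups[(vm, nic)].add(pg)
        if ts == baseline:
            baseline_groups[vm].add(pg)

    findings = []
    for (vm, nic), ts_set in seen.items():
        first, last = min(ts_set), max(ts_set)
        if first == baseline or last == latest:
            continue  # part of the known config, or still attached (not transient)
        if (last - first).total_seconds() <= max_lifetime_seconds:
            findings.append({
                "vm": vm,
                "nic": nic,
                "first_seen": first.isoformat(),
                "last_seen": last.isoformat(),
                "port_groups": sorted(groups[(vm, nic)]),
                "new_port_group": not groups[(vm, nic)] <= baseline_groups[vm],
            })
    return sorted(findings, key=lambda f: (f["first_seen"], f["vm"], f["nic"]))


if __name__ == "__main__":
    for finding in find_transient_nics(SNAPSHOTS):
        print(finding)
```

The snapshot interval bounds what this can see: a port that is created and deleted between two inventories leaves no trace here, so the interval should be short and the diff should be complemented with the hypervisor's own configuration-change events where those are available. A NIC that appears after baseline and stays (the web-frontend-02 case) is deliberately not reported by this function, since it is an ordinary change-control question rather than a transient port.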
