
A suspected Chinese state-backed hacking group has been quietly exploiting a critical Dell security flaw in zero-day attacks that started in mid-2024.
Security researchers from Mandiant and the Google Threat Intelligence Group (GTIG) published today that the UNC6201 group exploited a maximum-severity hardcoded-credential vulnerability (tracked as CVE-2026-22769) in Dell RecoverPoint for Virtual Machines, a solution used for VMware virtual machine backup and recovery.
“Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability,” Dell explains in a security advisory printed on Tuesday.
“This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.”
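The advisory defines the affected range as everything before 6.0.3.1 HF1, so a naive string comparison (which would rank "6.0.3.1 HF1" below "6.0.3.10", and "6.0.3.1" equal to the fixed build) is not enough. The following Python helper, added here as an example and not code from Dell or the researchers, parses the numeric release and the optional hotfix suffix into a comparable key and triages an inventory of RecoverPoint versions. The version format and the inventory values are assumed for illustration; the fixed version string itself is the one from the advisory.

```python
import re
from typing import Dict, List, Tuple

# Fixed build named in Dell's advisory for CVE-2026-22769.
FIXED_VERSION = "6.0.3.1 HF1"

# Assumed format: dotted numeric release, optionally followed by "HF<n>".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn 'A.B.C.D [HFn]' into a tuple key that sorts numerically.

    Numeric components are right-padded to four places so '6.0.3' compares
    equal to '6.0.3.0'; a missing hotfix suffix is treated as HF0, i.e. the
    base release that the hotfix supersedes.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    parts = parts + (0,) * (4 - len(parts))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return parts, hotfix


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed build."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the appliance names whose reported version is still affected."""
    return sorted(name for name, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed inventory (hostnames and versions are made up for the example).
    sample = {
        "rp4vm-site-a": "6.0.2",
        "rp4vm-site-b": "6.0.3.1",
        "rp4vm-site-c": "6.0.3.1 HF1",
        "rp4vm-lab": "6.0.3.1 HF2",
    }
    for host in triage(sample):
        print(f"{host}: version {sample[host]} is prior to {FIXED_VERSION}, remediate")
```

The hotfix is carried as a separate second element of the key rather than folded into the dotted release, which is what makes "6.0.3.1" sort below "6.0.3.1 HF1" while "6.0.3.2" or "6.1" sort above it.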
Once inside a victim’s network, UNC6201 deployed several malware payloads, including a newly identified backdoor known as Grimbolt. Written in C# and built using a relatively new compilation method, this malware is designed to be faster and harder to analyze than its predecessor, a backdoor known as Brickstorm.
While the researchers have observed the group swapping out Brickstorm for Grimbolt in September 2025, it remains unclear whether the change was a deliberate upgrade or “a reaction to incident response efforts led by Mandiant and other industry partners.”
The attackers also used new techniques to burrow deeper into victims’ virtualized infrastructure, including creating hidden network interfaces (so-called Ghost NICs) on VMware ESXi servers to move stealthily across victims’ networks.
“UNC6201 uses temporary virtual network ports (AKA ‘Ghost NICs’) to pivot from compromised VMs into internal or SaaS environments, a new technique that Mandiant has not observed before in their investigations,” Mandiant communications supervisor Mark Karayan told BleepingComputer.
“Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods.”
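The technique described above leaves a trace in the hypervisor's own reconfiguration history: a virtual NIC that appears on a VM, lives for a short while and disappears again, or that attaches to a port group the VM never used before. The detector below is an added example written for this article, not code from Mandiant or GTIG, and it runs over constructed event records in a simplified schema (fields `ts`, `vm`, `action`, `portgroup`, `user`) rather than vCenter's real event format, which an exporter would have to map into this shape. It flags two patterns: a NIC added and removed on the same VM within a configurable window, and a NIC added to a port group outside a per-VM baseline.

```python
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample events; hostnames, port groups and timestamps are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-09-14T02:10:05Z", "vm": "backup-appliance-01",
     "action": "nic_added", "portgroup": "Mgmt-VLAN10", "user": "root"},
    {"ts": "2025-09-14T02:31:40Z", "vm": "backup-appliance-01",
     "action": "nic_removed", "portgroup": "Mgmt-VLAN10", "user": "root"},
    {"ts": "2025-09-14T09:00:00Z", "vm": "web-frontend-03",
     "action": "nic_added", "portgroup": "DMZ-VLAN20", "user": "vsphere.local\\Administrator"},
]

# Constructed baseline: port groups each VM is expected to be connected to.
BASELINE_PORTGROUPS: Dict[str, Set[str]] = {
    "backup-appliance-01": {"Backup-VLAN30"},
    "web-frontend-03": {"DMZ-VLAN20"},
}


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_transient_nics(events: List[dict], window_minutes: int = 60) -> List[dict]:
    """Flag NICs that were added to a VM and removed again within the window."""
    pending: Dict[tuple, datetime] = {}  # (vm, portgroup) -> time the NIC was added
    findings = []
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        key = (ev["vm"], ev["portgroup"])
        when = _parse_ts(ev["ts"])
        if ev["action"] == "nic_added":
            pending[key] = when
        elif ev["action"] == "nic_removed" and key in pending:
            lifetime = (when - pending.pop(key)).total_seconds() / 60
            if lifetime <= window_minutes:
                findings.append({
                    "kind": "transient_nic", "vm": ev["vm"], "portgroup": ev["portgroup"],
                    "lifetime_minutes": round(lifetime, 1), "user": ev["user"],
                })
    return findings


def find_off_baseline_nics(events: List[dict], baseline: Dict[str, Set[str]]) -> List[dict]:
    """Flag NICs attached to a port group the VM is not known to use."""
    findings = []
    for ev in events:
        if ev["action"] != "nic_added":
            continue
        if ev["portgroup"] not in baseline.get(ev["vm"], set()):
            findings.append({
                "kind": "off_baseline_portgroup", "vm": ev["vm"],
                "portgroup": ev["portgroup"], "user": ev["user"], "ts": ev["ts"],
            })
    return findings


def analyze(events: List[dict], baseline: Dict[str, Set[str]],
            window_minutes: int = 60) -> List[dict]:
    """Run both checks; a VM can legitimately appear in both lists."""
    return find_transient_nics(events, window_minutes) + find_off_baseline_nics(events, baseline)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS, BASELINE_PORTGROUPS):
        print(finding)
```

In the constructed sample, the backup appliance trips both checks (a management-VLAN NIC that lived for about 22 minutes, on a port group outside its baseline), while the web front end's NIC on its usual DMZ port group produces nothing. The window and baseline are the tuning knobs: a short window catches the pivot-and-clean-up pattern, and the baseline catches a NIC that is left in place but points somewhere the VM has no business reaching.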
The researchers have found overlaps between UNC6201 and a separate Chinese threat cluster, UNC5221, known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware and previously linked to the notorious Silk Typhoon Chinese state-backed threat group (although the two are not considered the same by GTIG).
GTIG added in September that UNC5221 hackers used Brickstorm (first documented by Google subsidiary Mandiant in April 2024) to establish long-term persistence on the networks of a number of U.S. organizations in the legal and technology sectors, while CrowdStrike has linked Brickstorm malware attacks targeting VMware vCenter servers of legal, technology, and manufacturing firms in the United States to a Chinese hacking group it tracks as Warp Panda.
To block ongoing CVE-2026-22769 attacks, Dell customers are advised to review the remediation guidance shared in this security advisory.
