Ethical Hacking News
A new threat campaign has been uncovered by Mandiant and the Google Threat Intelligence Group (GTIG), highlighting a critical vulnerability in Dell RecoverPoint for Virtual Machines that is being exploited by a suspected Chinese state-backed hacking group known as UNC6201. This campaign began in mid-2024, with the group using a maximum-severity hardcoded-credential vulnerability to gain unauthorized access to victim networks. The researchers have found overlaps between UNC6201 and a separate Chinese threat cluster, UNC5221, known for exploiting Ivanti zero-days to target government agencies with custom malware. To block ongoing attacks, Dell customers are advised to follow the remediation guidance shared in this security advisory.
- Dell RecoverPoint for Virtual Machines has a critical hardcoded-credential vulnerability (CVE-2026-22769) that can be exploited by unauthenticated remote attackers.
- Versions prior to 6.0.3.1 HF1 of Dell RecoverPoint contain this vulnerability, allowing unauthorized access to the underlying operating system and root-level persistence.
- A suspected Chinese state-backed hacking group known as UNC6201 is using novel techniques to burrow deeper into victims' virtualized infrastructure, including creating hidden network interfaces (Ghost NICs).
- The attackers have deployed malware payloads, including a newly identified backdoor called Grimbolt, which is designed to be faster and harder to analyze than its predecessor, Brickstorm.
- UNC6201 shares similarities with another Chinese threat cluster, UNC5221, known for exploiting Ivanti zero-days to target government agencies.
- Organizations are advised to follow Dell's remediation guidance to block ongoing CVE-2026-22769 attacks and stay vigilant in their cybersecurity efforts.
The latest cybersecurity alert from Mandiant and the Google Threat Intelligence Group (GTIG) has exposed a critical vulnerability in Dell RecoverPoint for Virtual Machines, which is being exploited by a suspected Chinese state-backed hacking group known as UNC6201. This campaign began in mid-2024, with the group using a maximum-severity hardcoded-credential vulnerability (tracked as CVE-2026-22769) to gain unauthorized access to victim networks.
According to Dell's security advisory published on Tuesday, versions prior to 6.0.3.1 HF1 of Dell RecoverPoint for Virtual Machines contain this hardcoded-credential vulnerability. An unauthenticated remote attacker with knowledge of the hardcoded credential could exploit it to gain unauthorized access to the underlying operating system and establish root-level persistence.
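As an added example (not part of the article or of Dell's advisory), a small Python check that triages a RecoverPoint inventory against the fixed build named above. The rule that an "HFn" hotfix suffix sorts after the bare release it patches, and the sample hostnames and builds, are assumptions made for the demo.

```python
import re
from typing import List, Tuple

# Fixed release named in Dell's advisory (per the article): builds before
# this are affected by CVE-2026-22769.
FIXED_VERSION = "6.0.3.1 HF1"

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split '6.0.3.1 HF1' into ((6, 0, 3, 1), 1).

    Assumption (not stated in the advisory): a hotfix suffix 'HFn' sorts after
    the bare release it patches and hotfixes order numerically; a build with
    no suffix is treated as HF0. Dotted parts are padded to four components so
    '6.0.3' compares equal to '6.0.3.0'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised RecoverPoint version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * (4 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return parts, hotfix


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed one."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose RecoverPoint build still needs the fix."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: hostnames and builds are made up for the demo.
SAMPLE_INVENTORY = [
    ("rp4vm-dc1-01", "6.0.2"),
    ("rp4vm-dc1-02", "6.0.3.1"),
    ("rp4vm-dc2-01", "6.0.3.1 HF1"),
    ("rp4vm-dc2-02", "6.0.3.2"),
    ("rp4vm-lab-01", "5.3.1 HF2"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, update to {FIXED_VERSION} or later")
```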
The UNC6201 group has been using novel techniques to burrow deeper into victims' virtualized infrastructure, including creating hidden network interfaces (so-called Ghost NICs) on VMware ESXi servers to move stealthily across victims' networks. These temporary virtual network ports are a technique Mandiant had not observed before in its investigations.
The researchers have found overlaps between UNC6201 and a separate Chinese threat cluster, UNC5221, known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware. While the two groups are not considered identical by GTIG, they share similarities in their tactics and techniques.
Furthermore, the researchers observed that the attackers deployed several malware payloads, including a newly identified backdoor called Grimbolt. Written in C# and built using a relatively new compilation technique, Grimbolt is designed to be faster and harder to analyze than its predecessor, the Brickstorm backdoor.
The reason for the switch from Brickstorm to Grimbolt remains unclear; the researchers are unsure whether it was a planned upgrade or "a reaction to incident response efforts led by Mandiant and other industry partners."
In September 2025, the attackers also used a novel technique to pivot from compromised VMs into internal or SaaS environments, another approach that Mandiant had not seen in its investigations before.
Consistent with the earlier Brickstorm campaign, the UNC6201 group continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents, which allows it to remain undetected for long periods.
To block ongoing CVE-2026-22769 attacks, Dell customers are advised to follow the remediation guidance shared in this security advisory.
In conclusion, this latest campaign highlights the ever-evolving threat landscape and the importance of timely vulnerability disclosures. It also underscores the need for organizations to stay vigilant and proactive in their cybersecurity efforts, particularly when it comes to virtualized infrastructure.
Published: Tue Feb 17 15:47:57 2026 by llama3.2 3B Q4_K_M