Chinese Hackers Exploiting Dell Zero-Day Flaw Since Mid-2024

Security Reporter

A suspected Chinese state-backed group has been exploiting a critical Dell vulnerability in zero-day attacks since mid-2024, deploying new malware and novel techniques to target VMware infrastructure.

A suspected Chinese state-backed hacking group has been quietly exploiting a critical Dell security flaw in zero-day attacks that started in mid-2024. Security researchers from Mandiant and the Google Threat Intelligence Group (GTIG) revealed today that the UNC6201 group exploited a maximum-severity hardcoded-credential vulnerability (tracked as CVE-2026-22769) in Dell RecoverPoint for Virtual Machines, a solution used for VMware virtual machine backup and recovery.

"Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability," Dell explains in a security advisory published on Tuesday. "This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible."

Once inside a victim's network, UNC6201 deployed several malware payloads, including newly identified backdoor malware called Grimbolt. Written in C# and built using a relatively new compilation technique, this malware is designed to be faster and harder to analyze than its predecessor, a backdoor called Brickstorm.

Although the researchers observed the group swapping out Brickstorm for Grimbolt in September 2025, it remains unclear whether the switch was a planned upgrade or "a reaction to incident response efforts led by Mandiant and other industry partners."

Targeting VMware ESXi servers

The attackers also used novel techniques to burrow deeper into victims' virtualized infrastructure, including creating hidden network interfaces (so-called Ghost NICs) on VMware ESXi servers to move stealthily across victims' networks.

"UNC6201 uses temporary virtual network ports (AKA "Ghost NICs") to pivot from compromised VMs into internal or SaaS environments, a new technique that Mandiant has not observed before in their investigations," Mandiant communications manager Mark Karayan told BleepingComputer.

"Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods."

The researchers have found overlaps between UNC6201 and a separate Chinese threat cluster, UNC5221, which is known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware. UNC5221 has previously been linked to the notorious Silk Typhoon Chinese state-backed threat group, although GTIG does not consider the two identical.

GTIG added in September that UNC5221 hackers used Brickstorm (first documented by Google subsidiary Mandiant in April 2024) to gain long-term persistence on the networks of multiple U.S. organizations in the legal and technology sectors. Separately, CrowdStrike has linked Brickstorm malware attacks targeting the VMware vCenter servers of legal, technology, and manufacturing companies in the United States to a Chinese hacking group it tracks as Warp Panda.

To block ongoing CVE-2026-22769 attacks, Dell customers are advised to follow the remediation guidance shared in this security advisory.

Technical Analysis of the Attack Chain

The exploitation of CVE-2026-22769 represents a sophisticated attack vector that leverages hardcoded credentials within Dell's RecoverPoint for Virtual Machines software. This type of vulnerability is particularly dangerous because it allows attackers to bypass authentication mechanisms entirely, granting them immediate access to the underlying operating system with root-level privileges.

Security experts note that hardcoded credentials are among the most severe vulnerabilities because they cannot be changed by system administrators once discovered. The fact that UNC6201 has been exploiting this flaw since mid-2024 suggests they may have discovered it through extensive research or possibly through access to source code or development environments.

Once initial access is gained through the Dell vulnerability, the attackers deploy Grimbolt, which represents an evolution in their malware arsenal. The use of C# and modern compilation techniques indicates the attackers are investing in developing tools that can evade traditional security controls. C# malware can be particularly challenging to detect because it often blends in with legitimate .NET applications commonly found in enterprise environments.

The Ghost NIC technique employed by UNC6201 demonstrates advanced knowledge of VMware's virtualization architecture. By creating temporary virtual network interfaces, the attackers can establish covert communication channels between compromised virtual machines and other network segments without triggering traditional network monitoring tools. This technique allows them to maintain persistence and move laterally through the network while avoiding detection.

Connection to Broader Threat Landscape

The overlap between UNC6201 and UNC5221 suggests a coordinated effort by Chinese state-sponsored actors to target critical infrastructure and enterprise environments. Both groups have demonstrated sophisticated capabilities in exploiting zero-day vulnerabilities and developing custom malware tools.

The connection to the Silk Typhoon group, while not confirming identity, indicates these operations may be part of a larger strategic campaign by Chinese intelligence services to gather intelligence from U.S. organizations across multiple sectors including legal, technology, and manufacturing.

CrowdStrike's tracking of similar Brickstorm attacks under the Warp Panda designation further reinforces the pattern of Chinese state-sponsored groups targeting VMware infrastructure, which is widely used in enterprise environments for virtualization and cloud computing services.

Mitigation and Response

Organizations using Dell RecoverPoint for Virtual Machines should immediately review their systems against the affected versions and apply the recommended patches or remediation steps outlined in Dell's security advisory. Given the severity of the vulnerability and the evidence of active exploitation, prompt action is essential.

Security teams should also review their VMware ESXi environments for any signs of Ghost NIC creation or other suspicious network interface activity. The covert nature of these techniques means that traditional security monitoring may not detect them, requiring more advanced behavioral analysis and network traffic inspection.
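One way to hunt for the short-lived NIC pattern described above, as an added example rather than anything from the article, Mandiant or Dell: it assumes a simplified, constructed JSON-lines export of vCenter VM reconfiguration events with one device change per line (real exports are shaped differently and must be mapped first) and flags a virtual NIC that is added to a VM and removed again within a chosen window.

```python
import json
from datetime import datetime

# Constructed sample events (hypothetical format): a NIC attached to
# 'backup-01' for 40 minutes, a NIC that stays on 'web-01', a disk edit.
SAMPLE_EVENTS = """\
{"time":"2025-09-03T01:10:00Z","vm":"backup-01","user":"svc-rp","op":"add","device":"VirtualVmxnet3","key":4001,"network":"Mgmt-VLAN"}
{"time":"2025-09-03T01:50:00Z","vm":"backup-01","user":"svc-rp","op":"remove","device":"VirtualVmxnet3","key":4001,"network":"Mgmt-VLAN"}
{"time":"2025-09-03T09:00:00Z","vm":"web-01","user":"admin","op":"add","device":"VirtualVmxnet3","key":4000,"network":"DMZ"}
{"time":"2025-09-03T10:00:00Z","vm":"db-01","user":"admin","op":"edit","device":"VirtualDisk","key":2000,"network":null}
"""

# Virtual NIC device classes; everything else (disks, controllers) is ignored.
NIC_DEVICES = {"VirtualVmxnet3", "VirtualE1000", "VirtualE1000e"}


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'time', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def find_ghost_nics(events, max_lifetime_min=1440):
    """Return (vm, network, user, lifetime_minutes) for every NIC that was
    added and then removed from the same VM within max_lifetime_min."""
    pending = {}  # (vm, device key) -> the 'add' event still awaiting removal
    findings = []
    for ev in events:
        if ev["device"] not in NIC_DEVICES:
            continue
        k = (ev["vm"], ev["key"])
        if ev["op"] == "add":
            pending[k] = ev
        elif ev["op"] == "remove" and k in pending:
            added = pending.pop(k)
            life_min = int((ev["time"] - added["time"]).total_seconds() // 60)
            if life_min <= max_lifetime_min:
                findings.append((ev["vm"], added["network"], added["user"], life_min))
    return findings


if __name__ == "__main__":
    for f in find_ghost_nics(parse_events(SAMPLE_EVENTS)):
        print("ghost NIC candidate: vm=%s network=%s user=%s lifetime=%dmin" % f)
```

NICs that are added but never removed stay in `pending` and are not reported; a longer hunt would list those too and compare the attaching account against the change-management record.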

Organizations should also consider implementing additional monitoring for C# applications and .NET framework usage, particularly for any unusual compilation patterns or execution behaviors that might indicate Grimbolt or similar malware.

The discovery of this long-running exploitation campaign highlights the importance of timely patch management and the need for organizations to assume that sophisticated adversaries may already have knowledge of vulnerabilities before they are publicly disclosed. Regular security assessments, network segmentation, and advanced threat detection capabilities are essential components of a defense-in-depth strategy against state-sponsored threat actors.

The ongoing nature of these attacks, spanning from mid-2024 through at least September 2025, demonstrates the persistence and patience of Chinese state-sponsored hacking groups in maintaining access to valuable targets. Organizations must remain vigilant and assume that any vulnerability in their infrastructure could potentially be exploited by determined adversaries with significant resources and expertise.
