Chinese hackers exploiting Dell zero-day flaw since mid-2024

A suspected Chinese state-backed hacking group has been quietly exploiting a critical Dell security flaw in zero-day attacks that began in mid-2024.

Security researchers from Mandiant and the Google Threat Intelligence Group (GTIG) revealed today that the UNC6201 group exploited a maximum-severity hardcoded-credential vulnerability (tracked as CVE-2026-22769) in Dell RecoverPoint for Virtual Machines, a solution used for VMware virtual machine backup and recovery.

“Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability,” Dell explains in a security advisory published on Tuesday.


“This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.”

Once inside a victim’s network, UNC6201 deployed multiple malware payloads, including a newly identified backdoor known as Grimbolt. Written in C# and built using a relatively new compilation technique, this malware is designed to be faster and harder to analyze than its predecessor, a backdoor known as Brickstorm.

While the researchers observed the group swapping out Brickstorm for Grimbolt in September 2025, it remains unclear whether the switch was a deliberate upgrade or “a response to incident response efforts led by Mandiant and other industry partners.”

Targeting VMware ESXi servers

The attackers also used novel techniques to burrow deeper into victims’ virtualized infrastructure, including creating hidden network interfaces (so-called Ghost NICs) on VMware ESXi servers to move stealthily across victims’ networks.

“UNC6201 uses temporary virtual network ports (AKA “Ghost NICs”) to pivot from compromised VMs into internal or SaaS environments, a new technique that Mandiant has not observed before in their investigations,” Mandiant communications manager Mark Karayan told BleepingComputer.

“Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods.”

The researchers have found overlaps between UNC6201 and a separate Chinese threat cluster, UNC5221, known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware and previously linked to the notorious Silk Typhoon Chinese state-backed threat group (although the two are not considered identical by GTIG).

GTIG added in September that UNC5221 hackers used Brickstorm (first documented by Google subsidiary Mandiant in April 2024) to gain long-term persistence on the networks of multiple U.S. organizations in the legal and technology sectors, while CrowdStrike has linked Brickstorm malware attacks targeting VMware vCenter servers of legal, technology, and manufacturing companies in the United States to a Chinese hacking group it tracks as Warp Panda.

To block ongoing CVE-2026-22769 attacks, Dell customers are advised to follow the remediation guidance shared in this security advisory.
