Chinese hackers exploiting Dell zero-day flaw since mid-2024: CVE-2026-22769 (CVSS 10.0)
Key Takeaways:
- Critical Vulnerability: CVE-2026-22769 carries a CVSS score of 10.0 due to hardcoded credentials in Dell RecoverPoint for Virtual Machines.
- State-Backed Threat: The campaign is attributed to UNC6201, a suspected Chinese state-sponsored actor targeting virtualization infrastructure.
- Stealth Persistence: Attackers utilize a novel “Ghost NIC” technique to move laterally without leaving forensic traces in standard logs.
- Malware Evolution: Threat actors have transitioned from the Brickstorm backdoor to a more sophisticated C# payload named Grimbolt.
Current threat data confirms that Chinese hackers have been exploiting a Dell zero-day flaw since mid-2024 to target critical virtualization infrastructure. The vulnerability, tracked as CVE-2026-22769, carries a CVSS score of 10.0, indicating the highest possible level of severity. This flaw involves hardcoded credentials within Dell RecoverPoint for Virtual Machines, a solution utilized for VMware virtual machine backup and disaster recovery.
Research from Mandiant and the Google Threat Intelligence Group (GTIG) identifies the threat actor as UNC6201, a suspected Chinese state-backed cluster. Since the initial exploitation phase in mid-2024, these actors have utilized the vulnerability to gain unauthorized access to underlying operating systems, achieving root-level persistence on affected systems. The campaign targets appliances that lack traditional endpoint detection and response (EDR) agents, allowing the attackers to remain undetected for extended periods while moving laterally through virtualized environments.

Chinese hackers exploiting Dell zero-day flaw since mid-2024: Technical Analysis of CVE-2026-22769
The core of this exploit lies in the presence of hardcoded credentials in Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1. Hardcoded credentials represent a significant failure in secure coding practices, as they provide a static, predictable entry point for any unauthenticated remote attacker with knowledge of the specific string.
When an attacker leverages CVE-2026-22769, they bypass standard authentication entirely: once the hardcoded credential is used to authenticate, the attacker holds root-level access. Because RecoverPoint is deeply integrated into the VMware ecosystem, this access provides a vantage point over the entire virtualized infrastructure. Attackers can view, modify, or delete backup data, a critical preparatory step for a secondary phase of an operation, such as data exfiltration or ransomware deployment intended to disrupt recovery efforts.
Organizations utilizing a cyber threat intelligence platform have noted that UNC6201 specifically targets edge-facing management software. By compromising the backup and recovery plane, the threat actor ensures that even if the primary production environment is secured, the restoration path remains under their control.
Targeting VMware ESXi servers and the Ghost NIC Technique
A notable aspect of this campaign is the introduction of a novel persistence and lateral movement technique dubbed “Ghost NICs.” UNC6201 utilizes temporary virtual network interfaces on VMware ESXi servers to pivot from compromised virtual machines (VMs) into internal networks or SaaS environments.
Standard network monitoring often focuses on permanent virtual switches and established port groups. Ghost NICs are transient; they are created to facilitate a specific connection and then removed, leaving minimal forensic evidence in standard logs. This technique allows the actor to bypass network segmentation and firewall rules that rely on static MAC addresses or known interface identifiers.
The use of Ghost NICs demonstrates a high level of proficiency in VMware’s VMkernel networking stack. By manipulating the ESXi management layer, UNC6201 can create a bridge between the compromised Dell RecoverPoint appliance and other sensitive segments of the network. This capability highlights the necessity for supply-chain risk monitoring and breach detection strategies that extend beyond the guest OS and into the hypervisor layer.
Malware Evolution: From Brickstorm to Grimbolt
UNC6201 has transitioned its toolset during this campaign, moving from a backdoor known as Brickstorm to a newer, more sophisticated payload called Grimbolt.
Brickstorm Analysis
Brickstorm is a C++ backdoor that has been previously associated with Chinese threat clusters like UNC5221 and Warp Panda. It is designed for long-term persistence and focuses on environment enumeration and command execution. It typically communicates over HTTPS, masking its command-and-control (C2) traffic as standard web activity.
Grimbolt Analysis
In September 2025, researchers observed the deployment of Grimbolt, a backdoor written in C#. Unlike Brickstorm, Grimbolt utilizes modern compilation and obfuscation techniques that make it significantly harder for static analysis tools to signature. It is designed for speed and efficiency, reducing the overhead on the compromised host to further avoid detection.
The shift to Grimbolt may be a response to the cybersecurity industry’s increasing ability to detect Brickstorm. This evolution in the malware lifecycle is often tracked through a dark web monitoring service or via Telegram threat monitoring, where threat actors discuss the efficacy of their tools against specific EDR solutions.
Attribution and Overlap with Known Threat Groups
The activities of UNC6201 show significant overlaps with other Chinese state-sponsored groups. Specifically, Mandiant and GTIG have identified tactical and tool-based similarities with UNC5221. This group gained notoriety for exploiting Ivanti zero-days to target government agencies and technology firms.
CrowdStrike tracks a similar set of activities under the name Warp Panda. Both UNC5221 and Warp Panda have a history of targeting VMware vCenter servers and legal, manufacturing, and technology sectors in the United States. The common thread across these groups is the use of the Brickstorm backdoor and a focus on “living-off-the-land” (LotL) techniques that abuse legitimate administrative tools to conduct malicious activities.
The targeting of Dell RecoverPoint is consistent with the strategic objectives of Chinese cyber espionage: gaining long-term access to critical data repositories. By monitoring underground forum intelligence, analysts have observed a persistent interest in vulnerabilities affecting enterprise-grade backup solutions.
Supply Chain Implications and Enterprise Risk
The exploitation of a zero-day in a widely used product like Dell RecoverPoint highlights the ongoing challenges of supply-chain security. When a vendor includes hardcoded credentials in a shipping product, the vulnerability is introduced into the customer’s environment at the moment of installation.
For large enterprises, managing these risks requires more than just reactive patching. It necessitates a proactive supply-chain risk monitoring program that evaluates the security posture of third-party software and hardware. In this case, the vulnerability remained unknown to the public for months while being actively exploited by a state-backed actor. Furthermore, the integration of backup solutions with the hypervisor creates a massive attack surface. If the backup system is compromised, the integrity of the entire disaster recovery plan is negated. This makes real-time ransomware intelligence vital for modern defense.
Detection and Forensic Indicators
Identifying the presence of UNC6201 requires a multi-layered approach to logging and analysis. Since the actors focus on platforms without EDR, defenders must rely on network-level telemetry and hypervisor logs.
- Network Indicators: Defenders should monitor for unusual outbound connections from Dell RecoverPoint appliances. Analyzing traffic patterns for persistent, low-volume data transfers can indicate the presence of backdoors like Grimbolt.
- ESXi Log Analysis: To detect Ghost NICs, administrators should examine VMware ESXi vmkernel.log and hostd.log for the creation and deletion of virtual adapters that do not correspond to authorized configuration changes.
- Credential Use: Monitoring for the use of the hardcoded credential associated with CVE-2026-22769 is critical. Organizations should also look for brand leak alerting notifications that might indicate these credentials have been traded in the cyber-criminal underground.
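The ESXi log check above can be turned into a small correlation script: pair adapter add and remove events per VM and MAC, flag adds that fall outside an authorized change window, and flag adapters that disappear again within a short lifetime, the transient pattern the article attributes to Ghost NICs. This is an added example, not code from the article or from Dell or VMware; the log line layout, the VM names, MACs, user names and change windows are all constructed for illustration and will need to be adapted to real hostd.log output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in an assumed hostd.log-style layout (illustrative, not
# verbatim ESXi output): one add inside an authorized change window, plus adapters on
# the backup proxy VM that appear (and one that vanishes) with no matching change.
SAMPLE_LOG = """\
2025-09-03T01:12:04Z hostd: vm 'dr-proxy-01' ReconfigVM: device add Ethernet adapter ethernet2 mac=00:50:56:aa:00:01 user=vpxuser
2025-09-03T01:14:51Z hostd: vm 'dr-proxy-01' ReconfigVM: device remove Ethernet adapter ethernet2 mac=00:50:56:aa:00:01 user=vpxuser
2025-09-03T09:30:10Z hostd: vm 'app-web-07' ReconfigVM: device add Ethernet adapter ethernet1 mac=00:50:56:bb:00:07 user=esxi-admin
2025-09-03T09:31:00Z hostd: vm 'dr-proxy-01' ReconfigVM: device add Ethernet adapter ethernet3 mac=00:50:56:aa:00:02 user=vpxuser
"""
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) hostd: vm '(?P<vm>[^']+)' ReconfigVM: device (?P<action>add|remove) "
    r"Ethernet adapter (?P<dev>\S+) mac=(?P<mac>\S+) user=(?P<user>\S+)$"
)
# Authorized change windows as (vm, start, end); constructed for the example.
AUTHORIZED = [("app-web-07", "2025-09-03T09:00:00Z", "2025-09-03T10:00:00Z")]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_events(text):
    """Extract adapter add/remove events; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = parse_ts(ev["ts"])
            events.append(ev)
    return events

def is_authorized(vm, ts):
    return any(vm == a and parse_ts(s) <= ts <= parse_ts(e) for a, s, e in AUTHORIZED)

def find_ghost_nics(text, max_lifetime=timedelta(minutes=15)):
    """Flag adapter adds outside any change window, and adapters removed again
    within max_lifetime (the transient add-then-remove pattern of a Ghost NIC)."""
    findings, pending = [], {}
    for ev in parse_events(text):
        key = (ev["vm"], ev["mac"])
        if ev["action"] == "add":
            pending[key] = ev
            if not is_authorized(ev["vm"], ev["ts"]):
                findings.append(("unauthorized_add", ev["vm"], ev["dev"], ev["mac"]))
        else:
            added = pending.pop(key, None)
            if added and ev["ts"] - added["ts"] <= max_lifetime:
                findings.append(("transient", ev["vm"], ev["dev"], ev["mac"]))
    return findings
```

Both checks fire on the constructed sample: the proxy VM's ethernet2 is flagged as an unauthorized add and then as transient when it is removed under three minutes later, while the ethernet1 add on app-web-07 is silent because it falls inside its change window.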
Technical Practical Takeaways
For engineering and security teams, the following technical actions are necessary to address the risks posed by CVE-2026-22769:
- Immediate Patching: Update Dell RecoverPoint for Virtual Machines to version 6.0.3.1 HF1 or later.
- ESXi Hardening: Restrict management access to ESXi servers using host-based firewalls and dedicated management networks (OOB).
- Log Centralization: Ensure that logs from Dell RecoverPoint and VMware ESXi are forwarded to a centralized SIEM for breach detection alerting.
- Vulnerability Scanning: Use a cyber-threat intelligence platform to scan internal environments for the specific version of RecoverPoint affected by this flaw.
- Credential Rotation: Assume that any credentials managed by the RecoverPoint appliance may have been compromised and perform a comprehensive rotation.
Strategic Practical Takeaways
For business leaders and CISOs, the Dell zero-day exploit serves as a case study in infrastructure risk management:
- Audit Backup Security: Review the security configuration of all backup and recovery solutions, ensuring they are isolated and require MFA.
- Review Third-Party Risk: Evaluate the security practices of software vendors, specifically looking for historical issues with hardcoded credentials.
- Enhance Visibility: Invest in tools that provide visibility into the hypervisor layer where traditional EDR is insufficient.
- Intelligence Integration: Incorporate a dark web monitoring service and underground forum intelligence into the security operations center (SOC) for early warning.
PurpleOps Expertise in Threat Intelligence and Infrastructure Security
PurpleOps provides the technical depth and specialized services required to defend against sophisticated state-backed actors like UNC6201.
- Cyber Threat Intelligence: Our cyber threat intelligence services provide real-time data on emerging zero-days and threat actor tactics.
- Dark Web Monitoring: Through our dark web monitoring capabilities, we identify leaked credentials before an exploit occurs.
- Ransomware Protection: Our ransomware protection strategies ensure that your data remains resilient even in the face of maximum-severity vulnerabilities.
- Supply Chain Security: We assist organizations in supply chain information security by auditing third-party software risks.
- Penetration Testing: Our penetration testing and red team operations simulate the tactics used by Chinese state-sponsored actors to test your defenses.
Modern security requires a platform-centric approach. Organizations must move beyond simple patch management and integrate ongoing services focused on vulnerability research and infrastructure hardening.
Frequently Asked Questions
What is CVE-2026-22769?
It is a critical vulnerability (CVSS 10.0) in Dell RecoverPoint for Virtual Machines caused by hardcoded credentials, allowing unauthenticated remote attackers to gain root access to the system.
Who is the threat actor behind the Dell zero-day exploitation?
The activity is attributed to UNC6201, a cluster believed to be state-sponsored Chinese hackers who specialize in targeting virtualization and backup infrastructure.
What is the “Ghost NIC” technique?
A method where attackers create temporary virtual network interfaces on VMware ESXi servers to move laterally and bypass network security controls, leaving minimal traces in standard logs.
Which malware is associated with this campaign?
The group initially used the Brickstorm backdoor but evolved to use Grimbolt, a C#-based backdoor designed for better obfuscation and efficiency.
How can I protect my organization from CVE-2026-22769?
Immediately patch Dell RecoverPoint to version 6.0.3.1 HF1, harden ESXi management access, and implement advanced logging to detect unauthorized virtual hardware modifications.