Chinese State-Linked Hackers Exploit Critical Dell Zero-Day Since Mid-2024
A suspected Chinese state-backed threat group has been secretly exploiting a critical zero-day vulnerability in Dell systems since mid-2024, according to findings from researchers at Mandiant and the Google Threat Intelligence Group (GTIG).
The attackers, tracked as UNC6201, targeted a maximum-severity hardcoded credential vulnerability identified as CVE-2026-22769 in Dell RecoverPoint for Virtual Machines. This product is widely used to back up and recover VMware virtual machines.
Critical Hardcoded Credential Flaw
According to a security advisory issued by Dell Technologies, versions of RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 contain a hardcoded credential vulnerability.
The flaw allows an unauthenticated remote attacker who knows the embedded credentials to gain unauthorized access to the underlying operating system. Successful exploitation can lead to root-level persistence, giving attackers deep and long-term control over compromised systems.
Dell has strongly urged customers to upgrade immediately or apply recommended mitigations to prevent further exploitation.
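Because the advisory's fix boundary includes a hotfix suffix ("6.0.3.1 HF1"), a plain string or float comparison of version numbers gets the edge cases wrong: a host on 6.0.3.1 without the hotfix is still affected, while 6.0.4 is not. The following added example (not Dell's code or tooling) shows a version check a defender could run over an inventory export; the inventory format, host names and version strings are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Fixed release named in Dell's advisory for CVE-2026-22769.
FIXED_VERSION = "6.0.3.1 HF1"

# Accepts "A.B.C.D" optionally followed by a hotfix tag such as "HF1".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn 'A.B.C.D [HFn]' into a key that compares correctly.

    The numeric part is padded to four components so '6.1' and '6.1.0.0'
    compare equal; a missing hotfix suffix counts as hotfix 0, which is
    what makes plain 6.0.3.1 sort below 6.0.3.1 HF1.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * (4 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return parts, hotfix


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed RecoverPoint for VMs build predates the fix."""
    return parse_version(installed) < parse_version(fixed)


def find_vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose reported version is below the fixed release.

    Hosts whose version string cannot be parsed are reported too, since an
    unknown version cannot be assumed safe.
    """
    flagged = []
    for host, version in sorted(inventory.items()):
        try:
            if is_vulnerable(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "rp4vm-dc1": "6.0.3.1",        # same base build, hotfix missing -> affected
    "rp4vm-dc2": "6.0.3.1 HF1",    # exactly the fixed release
    "rp4vm-dc3": "6.0.4",          # later release -> not affected
    "rp4vm-lab": "5.3.0.2",        # older branch -> affected
    "rp4vm-old": "unknown",        # unparseable -> reported for follow-up
}

if __name__ == "__main__":
    for host in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: below {FIXED_VERSION}, upgrade or apply Dell's mitigations")
```

The check deliberately treats an unparseable version as a finding rather than silently skipping it, so an appliance that reports nothing usable still ends up on the follow-up list.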
Deployment of New Grimbolt Malware
After breaching networks, UNC6201 deployed multiple malware strains, including a newly identified C# backdoor named Grimbolt.
Grimbolt was developed using a newer compilation method that makes it faster and more difficult to analyze compared to its predecessor, Brickstorm. Researchers observed the transition from Brickstorm to Grimbolt around September 2025.
It remains unclear whether this switch was a planned evolution of the group's toolset or a reaction to incident response actions conducted by Mandiant and industry partners.
Targeting VMware ESXi Infrastructure
The group focused heavily on virtualized environments, particularly VMware ESXi servers. One notable technique involved creating hidden virtual network interfaces, referred to as “Ghost NICs.”
These temporary virtual network ports allowed attackers to pivot from compromised virtual machines into internal networks or SaaS environments while remaining stealthy. According to investigators, this tactic has not been previously observed in other campaigns.
As in earlier Brickstorm attacks, UNC6201 deliberately targeted appliances and systems that typically do not run traditional endpoint detection and response (EDR) agents, enabling the group to remain undetected for extended periods.
Links to Other Chinese Threat Clusters
Researchers identified overlaps between UNC6201 and another Chinese threat cluster known as UNC5221. That group previously exploited Ivanti zero-day vulnerabilities and deployed custom malware such as Spawnant and Zipline against government agencies.
UNC5221 has also been associated with the Chinese state-backed group Silk Typhoon, though investigators clarify that the two clusters are not considered identical.
In earlier investigations, Mandiant documented Brickstorm being used to establish long-term persistence within U.S. organizations in the legal and technology sectors. Meanwhile, CrowdStrike linked Brickstorm attacks targeting VMware vCenter servers in legal, technology, and manufacturing companies to a Chinese threat actor it tracks as Warp Panda.
Recommended Mitigation
To defend against ongoing exploitation of CVE-2026-22769, Dell customers are strongly advised to:
- Upgrade to version 6.0.3.1 HF1 or later
- Apply all recommended remediations listed in Dell’s official advisory
- Audit VMware ESXi environments for unusual virtual network interfaces
- Monitor for signs of Grimbolt or Brickstorm activity
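The "Ghost NIC" technique described above leaves a signal an audit can look for: a virtual NIC that appears on a VM, sits on a port group that VM has no business touching, and disappears again shortly afterwards. The following added example (not Mandiant's, Google's or VMware's code) shows one way to audit for that pattern over a normalised export of VM reconfiguration events. The event layout, VM names, port groups and the per-VM baseline are constructed for illustration and do not reflect vCenter's native event schema; the 24-hour "transient" window is an assumed tuning value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class NicEvent:
    """One virtual NIC change, as exported from a VM reconfiguration log."""
    when: datetime
    vm: str
    action: str        # "added" or "removed"
    portgroup: str
    mac: str


# Constructed sample events: two ordinary changes plus one NIC that is
# attached to a management port group and removed again a few hours later.
SAMPLE_EVENTS = [
    NicEvent(datetime(2025, 9, 2, 8, 0), "app-01", "added", "PG-App", "00:50:56:aa:00:01"),
    NicEvent(datetime(2025, 9, 2, 9, 30), "backup-vm", "added", "PG-Mgmt", "00:50:56:aa:00:02"),
    NicEvent(datetime(2025, 9, 2, 11, 45), "backup-vm", "removed", "PG-Mgmt", "00:50:56:aa:00:02"),
    NicEvent(datetime(2025, 9, 3, 10, 0), "db-02", "added", "PG-Lab", "00:50:56:aa:00:03"),
]

# Constructed baseline: the port groups each VM is expected to be on.
APPROVED: Dict[str, Set[str]] = {
    "app-01": {"PG-App"},
    "backup-vm": {"PG-Backup"},
    "db-02": {"PG-DB"},
}

Finding = Tuple[str, str, str, str]   # (kind, vm, portgroup, mac)


def audit_nic_events(events: Iterable[NicEvent],
                     approved: Dict[str, Set[str]],
                     max_transient: timedelta = timedelta(hours=24)) -> List[Finding]:
    """Flag NICs on unapproved port groups and NICs removed soon after being added.

    A VM missing from the baseline is treated as having no approved port
    groups, so every NIC it gains is reported rather than silently allowed.
    """
    findings: List[Finding] = []
    open_adds: Dict[Tuple[str, str], NicEvent] = {}   # (vm, mac) -> add event
    for ev in sorted(events, key=lambda e: e.when):
        key = (ev.vm, ev.mac)
        if ev.action == "added":
            if ev.portgroup not in approved.get(ev.vm, set()):
                findings.append(("unexpected_portgroup", ev.vm, ev.portgroup, ev.mac))
            open_adds[key] = ev
        elif ev.action == "removed":
            added = open_adds.pop(key, None)
            # A NIC that lived only briefly matches the "temporary port" pattern.
            if added is not None and ev.when - added.when <= max_transient:
                findings.append(("transient_nic", ev.vm, ev.portgroup, ev.mac))
    return findings


if __name__ == "__main__":
    for kind, vm, pg, mac in audit_nic_events(SAMPLE_EVENTS, APPROVED):
        print(f"{kind}: vm={vm} portgroup={pg} mac={mac}")
```

Pairing adds and removes by (VM, MAC) rather than by port group alone keeps a legitimate long-lived NIC from being reported when an unrelated one on the same VM is removed, and sorting by timestamp first means the export does not have to be in order.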