Chinese hackers exploiting Dell zero-day flaw since mid-2024
2026-2-17 20:15:21 Author: www.bleepingcomputer.com

A suspected Chinese state-backed hacking group has been quietly exploiting a critical Dell security flaw in zero-day attacks that started in mid-2024.

Security researchers from Mandiant and the Google Threat Intelligence Group (GTIG) revealed today that the UNC6201 group exploited a maximum-severity hardcoded-credential vulnerability (tracked as CVE-2026-22769) in Dell RecoverPoint for Virtual Machines, a solution used for VMware virtual machine backup and recovery.

"Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability," Dell explains in a security advisory published on Tuesday.

"This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible."

Once inside a victim's network, UNC6201 deployed several malware payloads, including newly identified backdoor malware called Grimbolt. Written in C# and built using a relatively new compilation technique, this malware is designed to be faster and harder to analyze than its predecessor, a backdoor called Brickstorm.

While the researchers have observed the group swapping out Brickstorm for Grimbolt in September 2025, it remains unclear whether the switch was a planned upgrade or "a reaction to incident response efforts led by Mandiant and other industry partners."

Targeting VMware ESXi servers

The attackers also used novel techniques to burrow deeper into victims' virtualized infrastructure, including creating hidden network interfaces (so-called Ghost NICs) on VMware ESXi servers to move stealthily across victims' networks.

"UNC6201 uses temporary virtual network ports (AKA 'Ghost NICs') to pivot from compromised VMs into internal or SaaS environments, a new technique that Mandiant has not observed before in their investigations," Mandiant communications manager Mark Karayan told BleepingComputer.

"Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods."

The researchers have found overlaps between UNC6201 and a separate Chinese threat cluster, UNC5221, known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware and previously linked to the notorious Silk Typhoon Chinese state-backed threat group (although the two are not considered identical by GTIG).

GTIG added in September that UNC5221 hackers used Brickstorm (first documented by Google subsidiary Mandiant in April 2024) to gain long-term persistence on the networks of multiple U.S. organizations in the legal and technology sectors. Separately, CrowdStrike has linked Brickstorm malware attacks targeting the VMware vCenter servers of legal, technology, and manufacturing companies in the United States to a Chinese hacking group it tracks as Warp Panda.

To block ongoing CVE-2026-22769 attacks, Dell customers are advised to follow the remediation guidance shared in this security advisory.


Source: https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-dell-zero-day-flaw-since-mid-2024/