A suspected Chinese state-backed group, UNC6201, has been exploiting a hardcoded-credential zero-day (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024 to gain unauthenticated access and root persistence. The intruders deployed a new C# backdoor called Grimbolt (replacing Brickstorm) and used stealthy Ghost NICs on VMware ESXi to move laterally; Dell urges immediate remediation. #UNC6201 #Grimbolt
Keypoints
- UNC6201 exploited a hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines.
- The flaw allows unauthenticated attackers to gain unauthorized OS access and root-level persistence.
- Attackers deployed a new C# backdoor, Grimbolt, which replaced the earlier Brickstorm malware.
- They used temporary virtual network ports ("Ghost NICs") on VMware ESXi to pivot stealthily across networks.
- Dell recommends upgrading or applying remediations immediately to block ongoing exploitation.