Cybersecurity researchers have uncovered further alarming details regarding a persistent Chinese state-sponsored cyber espionage campaign. This ongoing operation, linked to the threat group UNC6201, has been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least mid-2024, demonstrating how sophisticated attacks can evade detection for extended periods.
The findings, released by Google Threat Intelligence Group (GTIG) and Mandiant, reveal that UNC6201 has been actively leveraging a previously unknown flaw in Dell’s RecoverPoint for Virtual Machines replication and disaster-recovery software. This group is closely associated with UNC5221, also identified as Silk Typhoon, which has been operating undetected within critical infrastructure and government networks since at least 2022. The exploitation of this zero-day vulnerability represents an escalation in the group’s tactics.
China State-Sponsored Campaign Escalates with Zero-Day Exploitation
Threat actors associated with this China state-sponsored campaign spent years deploying a stealthy malware called Brickstorm before its discovery last summer. However, by September, these actors had transitioned to a more advanced and harder-to-detect tool known as Grimbolt, according to Google’s security researchers. This shift indicates a continuous effort by the group to refine its capabilities and maintain covert access.
The zero-day vulnerability, cataloged as CVE-2026-22769, stems from a hardcoded administrator password in Dell RecoverPoint for Virtual Machines, reportedly tied to the product’s Apache Tomcat component. It carries the maximum CVSS score of 10.0. Because the password is the same on every installation, it allows unauthenticated remote attackers to gain full system access and establish root-level persistence; Google reported that the Chinese threat group has been exploiting it for at least 18 months.
Dell Technologies Responds to Vulnerability Disclosure
Dell Technologies publicly disclosed the vulnerability and issued a patch on Tuesday. A spokesperson for the company advised customers to implement the guidance provided in its security advisory to mitigate the risk. The company acknowledged awareness of a limited number of impacted organizations but stressed the need for vigilance.
Austin Larsen, principal analyst at GTIG, indicated that while fewer than a dozen organizations were initially identified as impacted, the full scope of the campaign remains unknown. He recommended that organizations previously targeted by Brickstorm should actively search for signs of Grimbolt within their environments. The Cybersecurity and Infrastructure Security Agency (CISA) previously detailed the Brickstorm campaign in December, noting that dozens of U.S. organizations had already been affected.
The ongoing nature of this threat is a significant concern. Larsen further noted that the threat actor is likely still active in unpatched and remediated environments. Given that exploitation began in mid-2024, attackers have had substantial time to establish persistence and conduct long-term espionage operations.
This campaign is part of broader efforts by China state-sponsored groups aiming to gain long-term access, disrupt operations, and potentially conduct sabotage within targeted networks. Such activities are a major focus for national security agencies.
In response to the evolving threat landscape, CISA, the National Security Agency, and the Canadian Centre for Cyber Security released updated analysis, including indicators of compromise, to assist potential victims in detecting malicious activity. However, the China-linked groups have already progressed to deploying Grimbolt, often replacing older Brickstorm binaries with the new backdoor, which is designed to be more challenging to reverse engineer.
Marci McCarthy, director of public affairs at CISA, indicated that the agency would provide additional information on Wednesday. Google’s latest research underscores the persistent nature of this threat group and its capacity to remain undetected within victim networks for over a year, creating a significant challenge for defenders and cybersecurity authorities.
While these threat groups typically target edge applications and systems lacking endpoint detection and response capabilities, researchers are still working to understand the initial intrusion vectors for the most recently identified victims. A comprehensive understanding of the full extent of these threat actors’ activities remains elusive.
Larsen concluded that a significant portion of UNC5221 and UNC6201’s operations likely remain undiscovered. He expressed a strong probability that they are developing or utilizing new zero-day exploits and malware. The most concerning aspect, according to Larsen, is the likelihood that additional organizations have been compromised by this campaign and are currently unaware of the breach.
Dell Technologies has provided a patch, and government agencies are sharing threat intelligence. The next steps will involve monitoring for further activity from these groups and assessing the success of patching efforts. The ongoing evolution of Grimbolt malware and the potential discovery of new zero-day vulnerabilities remain key areas of concern.