Zero-Day Exploitation of Dell RecoverPoint Linked to China-Nexus Threat Group UNC6201
A critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines has been actively exploited by a suspected China-nexus threat cluster, identified as UNC6201, since mid-2024. Google Mandiant and Google Threat Intelligence Group (GTIG) revealed that this exploitation targets CVE-2026-22769, a severe flaw with a CVSS score of 10.0, stemming from hard-coded credentials in older versions of the software. This vulnerability allows unauthenticated remote attackers with knowledge of the credential to gain unauthorized access to the underlying operating system.
The compromised versions include specific iterations of RecoverPoint for Virtual Machines. Dell has provided detailed upgrade paths to remediate the vulnerability, emphasizing that the product is intended for secure, access-controlled internal networks, not untrusted or public networks. The exploitation method involves leveraging an “admin” user credential for an Apache Tomcat Manager instance. Attackers then deploy a web shell to execute commands as root on the appliance.
The threat actor, UNC6201, has been observed deploying sophisticated malware, including BRICKSTORM and a newer, more evasive variant dubbed GRIMBOLT. GRIMBOLT is described as a C# backdoor compiled using native ahead-of-time compilation, making reverse engineering more challenging. This malware is designed to blend in with the system’s native files, aiming to evade detection and minimize forensic traces on infected hosts.
Organizations across North America have been targeted by this campaign. Google has noted that GRIMBOLT exhibits enhanced features for detection evasion. UNC6201 shares tactical similarities with UNC5221, another China-nexus espionage group known for exploiting virtualization technologies and Ivanti zero-day vulnerabilities to distribute similar malware families. Despite these overlaps, the two clusters are currently assessed as distinct threat actors.
The BRICKSTORM malware has also been previously linked by CrowdStrike to a China-aligned adversary known as Warp Panda, indicating a broader pattern of malicious activity originating from this region. A notable tactic employed by UNC6201 involves the use of temporary virtual network interfaces, nicknamed “Ghost NICs.” These are used to pivot from compromised virtual machines into internal or SaaS environments before being deleted to obscure their tracks and impede investigations.
The group's reliance on appliances that typically lack traditional endpoint detection and response (EDR) agents allows UNC6201 to remain undetected for extended periods. While the exact method of initial access remains unclear, the group is known to target edge appliances to gain entry into target networks. Analysis of compromised VMware vCenter appliances has revealed specific iptables commands used by the web shell to manipulate network traffic, allowing the attackers to selectively accept and redirect connections.
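The article does not reproduce the iptables rules seen on the compromised appliances, but a defender can baseline an appliance's firewall state for the two rule types it describes (redirection and selective acceptance). The following is an added example, not code from the article or from Mandiant; it assumes standard `iptables-save` output and uses a constructed sample whose rules are illustrative, not ones reported for this intrusion.

```python
import re

# Constructed sample of `iptables-save` output from a hypothetical appliance.
# The rules are illustrative only and are not those reported for UNC6201.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+) (?P<body>.*)$")


def audit_iptables_save(text):
    """Return (table, chain, finding, rule) tuples a defender should review.

    Two patterns are flagged: nat-table rules that redirect or DNAT traffic
    elsewhere, and INPUT ACCEPT rules limited to a single source host, which
    is how an operator-only allow rule typically looks.
    """
    findings = []
    table = None
    for line in text.splitlines():
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:].strip()
            continue
        m = RULE_RE.match(line)
        if not m:                         # policies, counters, COMMIT
            continue
        chain, body = m.group("chain"), m.group("body")
        if table == "nat" and re.search(r"-j (REDIRECT|DNAT)\b", body):
            findings.append((table, chain, "redirect", line))
        elif table == "filter" and chain == "INPUT" and "-j ACCEPT" in body:
            src = re.search(r"-s (\S+)", body)
            if src and ("/" not in src.group(1) or src.group(1).endswith("/32")):
                findings.append((table, chain, "single_source_accept", line))
    return findings


if __name__ == "__main__":
    for table, chain, kind, rule in audit_iptables_save(SAMPLE_RULES):
        print(f"[{kind}] {table}/{chain}: {rule}")
```

Run it against a saved `iptables-save` snapshot and diff the findings against a known-good baseline taken at deployment time; any new redirect or single-host allow rule on an appliance that should only be managed from a jump host warrants investigation.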
The threat actor has been observed replacing older BRICKSTORM binaries with GRIMBOLT, a transition that occurred around September 2025. Both malware variants offer remote shell capabilities and utilize the same command-and-control infrastructure. It is not fully understood what prompted this shift to the more covert GRIMBOLT, whether it was a planned upgrade or a reaction to previous public disclosures of BRICKSTORM.
Nation-state threat actors specifically target systems that do not readily support EDR solutions, making it difficult for victim organizations to detect compromises and significantly extending “intrusion dwell times,” according to Mandiant’s Charles Carmakal. This activity underscores a continued trend of sophisticated attacks aimed at critical infrastructure and data protection systems.
This disclosure emerges amid other warnings from cybersecurity firms. Dragos recently reported on attacks by Chinese groups, such as Volt Typhoon, targeting Sierra Wireless Airlink gateways in the energy sectors. These attacks aimed to gain access to engineering workstations for data exfiltration. The Volt Typhoon campaign, which took place in July 2025, involved initial access through weaponized edge device vulnerabilities before patches were applied, leading to deeper operational technology (OT) intrusions.
Volt Typhoon’s attacks have reportedly evolved from data exfiltration to direct manipulation of engineering workstations, raising concerns about the potential for physical consequences. The use of cellular gateways provides unauthorized pathways into OT networks, bypassing conventional security controls. The ongoing focus on these types of vulnerabilities highlights the evolving tactics of state-sponsored threat actors.
The consistent targeting of systems lacking robust endpoint security suggests a strategic approach by these threat actors to maximize their operational effectiveness and minimize the risk of detection. Organizations using Dell RecoverPoint for Virtual Machines are urged to implement the recommended upgrades and ensure their network infrastructure is adequately secured and segmented. The continued exploration and exploitation of hard-coded credentials and legacy vulnerabilities by advanced persistent threats remain a significant concern for global cybersecurity.