A critical zero-day flaw in Dell RecoverPoint for Virtual Machines was secretly exploited by a China-linked hacking group for at least 18 months before it was publicly disclosed.
Quick Summary – TLDR:
- A critical vulnerability tracked as CVE-2026-22769 was exploited since mid-2024.
- The flaw allowed unauthenticated attackers to gain root-level persistence.
- The China-linked group UNC6201 deployed GrimBolt, BrickStorm and SlayStyle malware.
- Dell has released a patch and is urging customers to update immediately.
What Happened?
Security researchers at Google Threat Intelligence Group and Mandiant revealed that a China-linked threat group tracked as UNC6201 exploited a hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines. The flaw allowed attackers to gain full system access and remain hidden inside networks for extended periods.
Dell confirmed the vulnerability, identified as CVE-2026-22769, affects versions prior to 6.0.3.1 HF1 and carries a severity score of 10 out of 10.
From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
CVE-2026-22769 Dell RecoverPoint for Virtual Machines https://t.co/MEixQ6Ukqb
— blackorbird (@blackorbird) February 18, 2026
A Hardcoded Credential Opens the Door
At the center of the campaign is a hardcoded administrator password embedded in Dell RecoverPoint for Virtual Machines. The product is widely used to manage backup and disaster recovery for VMware virtual machines, making it a high-value target inside enterprise environments.
According to Dell’s advisory, an unauthenticated remote attacker with knowledge of the credential could gain access to the underlying operating system and achieve root-level persistence. In simple terms, this means attackers could fully control affected systems without needing an account of their own: the password shipped inside the product is all that is required.
Dell said it received reports of limited active exploitation and has since released a security update. The company is urging customers to apply the patch as soon as possible.
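The practical first step for a defender is to find out which RecoverPoint for Virtual Machines appliances still sit below the fixed build. The script below is an added example, not part of this article or of Dell's advisory: it parses version strings of the form quoted above ("6.0.3.1 HF1") and classifies an inventory against that threshold. The hostnames and versions are constructed sample data, and the assumptions that hotfix numbers compare numerically and that a version with no "HF" suffix ranks below the same version with "HF1" are mine; the authoritative affected-version list is Dell's advisory.

```python
import re
from typing import Dict, List, Tuple

# Fixed build as stated in Dell's advisory (quoted in the article above).
FIXED_VERSION = "6.0.3.1 HF1"

# Accepts "6.0.3.1", "6.0.3.1 HF1", "6.0.3.1HF1", "6.0.3" (trailing zeros implied).
# The exact format Dell uses elsewhere is an assumption; anything else is rejected.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn a RecoverPoint version string into a comparable (numeric parts, hotfix) pair.

    Numeric parts are padded to four components so "6.0.3" sorts as "6.0.3.0".
    A missing hotfix suffix counts as hotfix 0 (assumption: HF1 is newer than no HF).
    Raises ValueError for strings that do not match the expected shape.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised RecoverPoint version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    parts = parts + (0,) * (4 - len(parts))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return parts, hotfix


def is_affected(version: str) -> bool:
    """True when the version is strictly older than the fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket appliances into affected / patched / unknown (unparseable version)."""
    buckets: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            bucket = "unknown"
        buckets[bucket].append(host)
    for names in buckets.values():
        names.sort()
    return buckets


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "rp4vm-dc1": "6.0.3.1",
    "rp4vm-dc2": "6.0.3.1 HF1",
    "rp4vm-lab": "5.3.2",
    "rp4vm-dr": "6.0.4",
    "rp4vm-old": "version unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>8}: {', '.join(hosts) or '-'}")
```

Appliances landing in the "unknown" bucket should be treated as affected until their version is confirmed by hand, since the advisory's remediation depends on being at or above 6.0.3.1 HF1.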
UNC6201 and Links to Silk Typhoon
Researchers attribute the exploitation to UNC6201, a newly documented threat cluster that overlaps with UNC5221, also known as Silk Typhoon. The broader campaign highlights how China state-sponsored actors are embedding themselves inside networks for long-term espionage.
Google researchers noted that exploitation began as early as mid-2024. The attackers may have maintained access for more than 400 days in some environments. Fewer than a dozen organizations are currently confirmed as impacted in this latest wave, but researchers believe the true scale may be larger.
Austin Larsen, principal analyst at Google Threat Intelligence Group, warned that organizations previously targeted by BrickStorm should now look for GrimBolt in their environments.
From BrickStorm to GrimBolt
Initially, the group deployed BrickStorm, a Go-based backdoor designed to target VMware vCenter servers. In September 2025, researchers observed the attackers replacing BrickStorm with a newer and more advanced backdoor called GrimBolt.
GrimBolt is written in C# and compiled using native ahead-of-time (AOT) compilation. It is also packed with UPX, making it significantly harder to analyze. The malware provides remote shell access, giving attackers persistent control over compromised systems.
In addition to these backdoors, the campaign also involved a web shell known as SlayStyle. Researchers observed attackers creating so-called ghost network interface cards on virtual machines to blend malicious traffic with legitimate activity. These ghost NICs were later deleted to make forensic investigation more difficult.
Charles Carmakal, CTO at Mandiant, highlighted a broader concern. He said that nation-state threat actors continue targeting systems that do not commonly support endpoint detection and response tools, making it much harder for organizations to detect compromise.
National Security Implications
The campaign fits into a wider pattern of China-linked groups targeting critical infrastructure, government agencies and enterprise systems. The Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Canadian Centre for Cyber Security recently shared indicators of compromise related to BrickStorm to help defenders detect activity.
However, researchers caution that the threat actors may already be moving forward with new tools and possibly undiscovered zero-days. Much of their activity likely remains unknown.
SQ Magazine Takeaway
Here is what stands out to me. This was not a smash-and-grab attack. This was quiet, patient, and strategic. An 18-month window of undetected access inside enterprise backup systems is serious. If attackers control your recovery platform, they potentially control everything.
What worries me most is the dwell time. When hackers can sit inside networks for more than a year, that signals a visibility problem across the industry. Patching is critical right now. If your organization runs Dell RecoverPoint for Virtual Machines, updating should be a top priority today.