A critical zero day flaw in Dell RecoverPoint for Virtual Machines was secretly exploited by a China linked hacking group for at least 18 months before it was publicly disclosed.
Quick Summary – TLDR:
- A critical vulnerability tracked as CVE 2026 22769 was exploited since mid 2024.
- The flaw allowed unauthenticated attackers to gain root level persistence.
- The China linked group UNC6201 deployed GrimBolt, BrickStorm and SlayStyle malware.
- Dell has released a patch and is urging customers to update immediately.
What Happened?
Security researchers at Google Threat Intelligence Group and Mandiant revealed that a China linked threat group tracked as UNC6201 exploited a hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines. The flaw allowed attackers to gain full system access and remain hidden inside networks for extended periods.
Dell confirmed the vulnerability, identified as CVE 2026 22769, affects versions prior to 6.0.3.1 HF1 and carries a severity score of 10 out of 10.
From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
— blackorbird (@blackorbird) February 18, 2026
CVE-2026-22769 Dell RecoverPoint for Virtual Machineshttps://t.co/MEixQ6Ukqb pic.twitter.com/yI1fBflfAy
A Hardcoded Credential Opens the Door
At the center of the campaign is a hardcoded administrator password embedded in Dell RecoverPoint for Virtual Machines. The product is widely used to manage backup and disaster recovery for VMware virtual machines, making it a high value target inside enterprise environments.
According to Dell’s advisory, an unauthenticated remote attacker with knowledge of the credential could gain access to the underlying operating system and achieve root level persistence. In simple terms, this means attackers could fully control affected systems without needing valid login credentials.
Dell said it received reports of limited active exploitation and has since released a security update. The company is urging customers to apply the patch as soon as possible.
UNC6201 and Links to Silk Typhoon
Researchers attribute the exploitation to UNC6201, a newly documented threat cluster that overlaps with UNC5221, also known as Silk Typhoon. The broader campaign highlights how China state sponsored actors are embedding themselves inside networks for long term espionage.
Google researchers noted that exploitation began as early as mid 2024. The attackers may have maintained access for more than 400 days in some environments. Fewer than a dozen organizations are currently confirmed as impacted in this latest wave, but researchers believe the true scale may be larger.
Austin Larsen, principal analyst at Google Threat Intelligence Group, warned that organizations previously targeted by BrickStorm should now look for GrimBolt in their environments.
From BrickStorm to GrimBolt
Initially, the group deployed BrickStorm, a Go based backdoor designed to target VMware vCenter servers. In September 2025, researchers observed the attackers replacing BrickStorm with a newer and more advanced backdoor called GrimBolt.
GrimBolt is written in C# and compiled using native ahead of time compilation. It is also packed with UPX, making it significantly harder to analyze. The malware provides remote shell access, giving attackers persistent control over compromised systems.
In addition to these backdoors, the campaign also involved a web shell known as SlayStyle. Researchers observed attackers creating so called ghost network interface cards on virtual machines to blend malicious traffic with legitimate activity. These ghost NICs were later deleted to make forensic investigation more difficult.
Charles Carmakal, CTO at Mandiant, highlighted a broader concern. He said that nation state threat actors continue targeting systems that do not commonly support endpoint detection and response tools, making it much harder for organizations to detect compromise.
National Security Implications
The campaign fits into a wider pattern of China linked groups targeting critical infrastructure, government agencies and enterprise systems. The Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Canadian Centre for Cyber Security recently shared indicators of compromise related to BrickStorm to help defenders detect activity.
However, researchers caution that the threat actors may already be moving forward with new tools and possibly undiscovered zero days. Much of their activity likely remains unknown.
SQ Magazine’s Takeaway
Here is what stands out to me. This was not a smash and grab attack. This was quiet, patient, and strategic. An 18 month window of undetected access inside enterprise backup systems is serious. If attackers control your recovery platform, they potentially control everything.
What worries me most is the dwell time. When hackers can sit inside networks for more than a year, that signals a visibility problem across the industry. Patching is critical right now. If your organization runs Dell RecoverPoint for Virtual Machines, updating should be a top priority today.
