
Dell RecoverPoint Zero-Day Exploited by Chinese Cyberespionage Group

GTIG and Mandiant said the zero-day tracked as CVE-2026-22769 has been exploited by UNC6201 since at least mid-2024. Originally published on SecurityWeek.


A zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines product has been exploited by a China-linked cyberespionage group since at least mid-2024, Google’s Threat Intelligence Group (GTIG) and Mandiant reported on Tuesday. 

Exploitation of the vulnerability identified as CVE-2026-22769 has been attributed by GTIG and Mandiant to a threat actor tracked as UNC6201. The hackers exploited the flaw for lateral movement, persistence, and malware deployment. 

Dell RecoverPoint for Virtual Machines, part of the vendor’s data protection portfolio, provides replication and disaster recovery for VMware virtual machines.

According to Dell’s advisory for CVE-2026-22769, the vulnerability is a hardcoded credential issue affecting RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1. The tech giant has advised users to update their installations to the patched version as soon as possible. Because the credential is built into the product, there is no customer-side password rotation that removes the exposure; applying the update is the fix, and restricting network access to the appliance’s management interfaces limits who can reach it in the meantime.

“[CVE-2026-22769] is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence,” Dell said.

This appears to be the first public mention of the threat group UNC6201, but Google pointed out that it has found links to UNC5221, a China-nexus APT known for dwelling in compromised networks for hundreds of days to obtain valuable information. 

Google previously detailed UNC5221’s use of the BrickStorm malware. In a September 2025 report the company noted that the threat group may have used some of the stolen information to identify zero-day vulnerabilities in enterprise technologies. It is unclear whether CVE-2026-22769 is one of those zero-days.

In its new report, Google revealed that the newly documented group, UNC6201, had also used the BrickStorm malware, but in September 2025 it started replacing it with a new piece of malware named GrimBolt. 

GrimBolt is a backdoor written in C# and compiled with .NET native ahead-of-time (AOT) compilation, then packed with UPX. Native AOT emits a self-contained native binary rather than IL with .NET metadata, so the usual .NET decompilers have little to work with and the sample has to be treated like native code, while the packing adds a layer that must be unwrapped before analysis. The malware provides remote shell capabilities.
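The two properties above are the first things an analyst checks when triaging a suspicious Windows binary of this kind: does the section table carry UPX’s characteristic names, and is the CLR runtime header data directory populated (a managed .NET assembly) or empty (native code, which is what native AOT produces). The following script is an added example written for this article, not code from GTIG, Mandiant or the article itself, and it contains no GrimBolt indicators; the PE header it builds as a fixture is constructed and is not a real sample. It uses only the Python standard library.

```python
"""Triage a PE file: UPX packing heuristics and presence of a .NET CLR header.

Added example, not from the article or from GTIG/Mandiant. The build_pe()
fixture constructs a minimal PE header purely for demonstration and testing.
"""
import struct

# Section names UPX writes by default. Attackers can rename them, so a match is
# strong evidence but a miss is not proof of absence.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!", b".UPX0", b".UPX1"}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the data directories
SECTION_HEADER_SIZE = 40


def parse_pe(data: bytes) -> dict:
    """Return section names and the CLR data-directory entry of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_opt, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32: 32-bit layout
        dir_count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+: 64-bit layout
        dir_count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dir_count, = struct.unpack_from("<I", data, dir_count_off)
    clr_rva = clr_size = 0
    if dir_count > CLR_DIRECTORY_INDEX:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * CLR_DIRECTORY_INDEX)
    sect_off = opt + size_opt                # section table follows the optional header
    names = []
    for i in range(num_sections):
        start = sect_off + SECTION_HEADER_SIZE * i
        names.append(data[start:start + 8].rstrip(b"\0"))
    return {"magic": magic, "sections": names, "clr_rva": clr_rva, "clr_size": clr_size}


def classify(data: bytes) -> dict:
    """Heuristic verdicts: UPX-packed? managed .NET? (native AOT output shows as native)."""
    info = parse_pe(data)
    upx = any(n in UPX_SECTION_NAMES for n in info["sections"]) or b"UPX!" in data
    managed = info["clr_rva"] != 0 and info["clr_size"] != 0
    return {
        "upx_packed": upx,
        "dotnet_managed": managed,
        # Native AOT binaries carry no CLR header, so they land here together
        # with ordinary C/C++ executables; the IL-based .NET toolchain won't help.
        "native_or_native_aot": not managed,
        "sections": [n.decode("latin-1") for n in info["sections"]],
    }


def build_pe(section_names, clr_size=0, pe32plus=True) -> bytes:
    """Construct a minimal PE header (headers only, no code) as a test fixture."""
    magic = 0x20B if pe32plus else 0x10B
    dirs_rel = 112 if pe32plus else 96       # offset of the data directories in the optional header
    size_opt = dirs_rel + 16 * 8             # 16 directories of (VirtualAddress, Size)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(section_names), 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs_rel - 4, 16)          # NumberOfRvaAndSizes
    if clr_size:
        struct.pack_into("<II", opt, dirs_rel + 8 * CLR_DIRECTORY_INDEX, 0x2000, clr_size)
    sections = b"".join(name[:8].ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8)
                        for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    sample = open(path, "rb").read() if path else build_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(classify(sample))
```

Run it against a file with `python triage.py sample.exe`; without an argument it classifies the constructed fixture. Treat the verdicts as triage hints only: a renamed section table or a different packer defeats the UPX check, and the CLR check says nothing about what the native code does.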

“It’s unclear if the threat actor’s replacement of BrickStorm with GrimBolt was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response efforts led by Mandiant and other industry partners,” GTIG and Mandiant said. 

Both GrimBolt and BrickStorm were deployed on systems running Dell RecoverPoint for Virtual Machines. The initial access method has yet to be confirmed, but one likely vector is edge appliances.  

In addition to GrimBolt and BrickStorm, the attacks exploiting CVE-2026-22769 involved the deployment of a web shell named SlayStyle.

Google researchers also discovered that UNC6201 created ‘ghost NICs’ on VMs. After carrying out their malicious activities, the threat actors deleted the NICs, so the adapters no longer appear in the VMs’ current hardware configuration, making the attack stealthier and more difficult to investigate.

Mandiant CTO Charles Carmakal noted in a LinkedIn post that “nation-state threat actors continue targeting systems that don’t commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times.”

GTIG and Mandiant have made available indicators of compromise (IoCs) to help defenders detect potential attacks.
