Chinese APT Group Exploits Dell Zero-Day for Two Years
Summary
A Chinese APT group, identified as UNC6201, has been exploiting a critical zero-day vulnerability (CVE-2026-22769) in Dell's RecoverPoint for Virtual Machines since mid-2024. The flaw, a hardcoded credential bug with a CVSS score of 10.0, allows unauthenticated attackers to gain root-level access and maintain persistence. The group has used this vulnerability to deploy malware, including Slaystyle, Brickstorm, and a new backdoor called Grimbolt. Mandiant has also observed novel tactics such as creating ghost NICs and using iptables for single packet authorization (SPA).
Timeline
- 18.02.2026 12:10 (1 article)
Chinese APT Group Exploits Dell Zero-Day for Two Years
- Chinese APT Group Exploits Dell Zero-Day for Two Years — www.infosecurity-magazine.com — 18.02.2026 12:10
Information Snippets
- CVE-2026-22769 is a hardcoded credential bug with a CVSS score of 10.0.
  First reported: 18.02.2026 12:10 (1 source, 1 article)
- The vulnerability affects versions of Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1.
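An added triage helper, not from the article or from Dell, for turning the "prior to 6.0.3.1 HF1" statement into an inventory check. It assumes RecoverPoint for VMs reports its version as a dotted release with an optional "HF<n>" hotfix suffix (so a bare 6.0.3.1 is older than 6.0.3.1 HF1, and 6.0.3.1 HF2 or any later release is not affected); the hostnames and versions in the inventory are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Tuple

# Fixed build named in the advisory summary on this page.
FIXED_VERSION = "6.0.3.1 HF1"

# Assumed version format: dotted numeric release plus optional "HF<n>" suffix
# ("6.0.3.1", "6.0.3.1 HF1", "6.0.3.1HF2"). Adjust if your appliance reports
# versions differently.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


class RpvmVersion(NamedTuple):
    release: Tuple[int, ...]   # numeric components, padded to four places
    hotfix: int                # 0 when no HF suffix is present


def parse_version(text: str) -> RpvmVersion:
    """Parse a version string into a tuple that orders release first, hotfix second."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    # Pad so "6.0.3" compares equal to "6.0.3.0" instead of sorting below it.
    release = release + (0,) * (4 - len(release))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return RpvmVersion(release, hotfix)


def is_vulnerable(installed: str) -> bool:
    """True when the installed build predates the fixed build, hotfix included."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


# Constructed inventory (hostname, reported version); not from the article.
SAMPLE_INVENTORY = [
    ("rpvm-dc1-01", "5.3.1"),
    ("rpvm-dc1-02", "6.0.3.1"),
    ("rpvm-dc2-01", "6.0.3.1 HF1"),
    ("rpvm-dc2-02", "6.0.3.1HF2"),
    ("rpvm-lab-01", "6.0.2 HF3"),
]


def vulnerable_hosts(inventory) -> List[str]:
    """Return the hostnames whose reported version is below the fixed build."""
    return [host for host, version in inventory if is_vulnerable(version)]


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update to {FIXED_VERSION} or later")
```

Because the flaw is a hardcoded credential that has been exploited since mid-2024, a host that comes back as vulnerable needs a compromise assessment as well as the update; patching closes the login path but does not remove a backdoor that was already installed through it.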
- UNC6201 has been exploiting the flaw since at least mid-2024.
- The group has used the vulnerability to deploy malware including Slaystyle, Brickstorm, and Grimbolt.
- Grimbolt is a new backdoor written in C# and compiled using native AOT techniques to evade analysis.
- UNC6201 has targeted VMware virtual infrastructure, creating ghost NICs and using iptables for SPA.
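An added detection example, not from the article or from Mandiant, for hunting the iptables-based single packet authorization described above. The article does not say how the rules were built, so this assumes the common construction on Linux: a rule that adds the sender to a `recent` list when a packet matches (optionally keyed on a payload via the `string` match), and a second rule that accepts a normally closed port for sources on that list. The `iptables-save` excerpt is constructed and also contains a benign `recent`-based SSH rate limiter to show why the detector only reports gates that allow traffic.

```python
import shlex
from typing import Dict, List

# Constructed iptables-save excerpt (not from the article). A single UDP packet
# carrying a fixed payload adds the sender to list "knock"; TCP/22 is then
# accepted for that source for 30 seconds. The "sshlimit" rules are an
# ordinary brute-force limiter that also uses the recent match.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name sshlimit --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name sshlimit --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -p udp --dport 40123 -m string --hex-string "|7f3a9c|" --algo bm -m recent --name knock --set -j DROP
-A INPUT -p tcp --dport 22 -m recent --name knock --rcheck --seconds 30 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
"""

DENY_TARGETS = {"DROP", "REJECT"}


def parse_rule(line: str) -> Dict:
    """Break an `-A CHAIN ...` line into the fields the detector needs."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "tokens": toks, "modules": [], "dports": [], "target": None}
    for i, t in enumerate(toks[:-1]):
        if t == "-m":
            rule["modules"].append(toks[i + 1])
        elif t in ("--dport", "--dports"):
            rule["dports"].append(toks[i + 1])
        elif t == "-j":
            rule["target"] = toks[i + 1]
    return rule


def recent_list_name(toks: List[str]) -> str:
    """The recent match keys its table on --name; iptables defaults to DEFAULT."""
    for i, t in enumerate(toks[:-1]):
        if t == "--name":
            return toks[i + 1]
    return "DEFAULT"


def find_spa_gates(save_text: str) -> List[Dict]:
    """Pair recent-list setters with allow rules that test the same list."""
    setters: Dict[str, List[Dict]] = {}   # list name -> rules that add a source (--set)
    gates: Dict[str, List[Dict]] = {}     # list name -> rules that test membership
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue
        rule = parse_rule(line)
        if "recent" not in rule["modules"]:
            continue
        name = recent_list_name(rule["tokens"])
        flags = set(rule["tokens"])
        if "--set" in flags:
            setters.setdefault(name, []).append(rule)
        if flags & {"--rcheck", "--update"}:
            gates.setdefault(name, []).append(rule)

    findings = []
    for name, gate_rules in gates.items():
        # A rate limiter also pairs --set with --update, but its gate DROPs.
        # An authorization gate lets traffic through once the source is listed.
        allow_gates = [g for g in gate_rules
                       if g["target"] is not None and g["target"] not in DENY_TARGETS]
        if name not in setters or not allow_gates:
            continue
        findings.append({
            "list": name,
            "trigger_ports": sorted({p for s in setters[name] for p in s["dports"]}),
            "payload_keyed": any("string" in s["modules"] for s in setters[name]),
            "gated_ports": sorted({p for g in allow_gates for p in g["dports"]}),
            "gated_targets": sorted({g["target"] for g in allow_gates}),
        })
    return findings


if __name__ == "__main__":
    for f in find_spa_gates(SAMPLE_IPTABLES_SAVE):
        kind = "single-packet (payload-keyed)" if f["payload_keyed"] else "port-knock"
        print(f"{kind} gate: list={f['list']} trigger={f['trigger_ports']} "
              f"opens={f['gated_ports']} -> {f['gated_targets']}")
```

Run it over the `iptables-save` output collected from each RecoverPoint appliance and from the ESXi or Linux hosts UNC6201 is reported to have reached; the real rules may use different list names, ports or a jump to a custom chain, which is why the detector pairs on the list name rather than on any fixed string. Any hit on an appliance where no administrator configured port knocking deserves a full forensic review rather than just rule removal.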