securityaffairs.com 2/18/2026, 12:56:09 PM

China-linked APT weaponized Dell RecoverPoint zero-day since 2024

CyberSIXT Evidence Panel
Primary source: dell.com
CISA KEV: listed in KEV
Patch: patch available
Threat actor: UNC6201

According to Google Threat Intelligence Group (GTIG) and Mandiant, a suspected China-linked APT exploited a critical Dell RecoverPoint for Virtual Machines zero-day, tracked as CVE-2026-22769, in attacks dating back to mid-2024. The vulnerability, which has a CVSSv3.1 score of 10.0, stems from hardcoded credentials that allowed unauthenticated remote access to the appliance's underlying operating system and enabled persistence.

The activity, attributed to UNC6201, a suspected PRC-nexus threat cluster, included lateral movement, persistence, and the deployment of malware families such as SLAYSTYLE, BRICKSTORM, and a new backdoor named GRIMBOLT. Dell RecoverPoint appliances prior to version 6.0.3.1 HF1 are affected; Dell advised customers to upgrade or apply mitigations, and Google/Mandiant reported limited active exploitation.

Investigations found that the group used techniques such as Ghost NICs for pivoting within VMware environments and iptables-based Single Packet Authorization to covertly control access to vCenter. In some incident response engagements GRIMBOLT was observed replacing BRICKSTORM, providing remote shell access over the same C2 channels. The reporting, published on 18 February 2026, confirms that Dell has issued patches and guidance, and highlights the ongoing risk to environments that have not yet been updated.


Article by CyberSIXT