Cyberwire Daily
Chinese APT Group Exploits Dell Zero-Day for Two Years

By Team-CWD, February 18, 2026

Dell yesterday released a patch for a critical zero-day vulnerability in its RecoverPoint for Virtual Machines product, which Mandiant said has been silently exploited by a Chinese APT group since 2024.

CVE-2026-22769 is a hardcoded credential bug with a maximum CVSS score of 10.0.

An unauthenticated attacker with knowledge of the credential could easily gain access to the underlying OS and establish root-level persistence, Dell warned.

The zero-day vulnerability affects versions of the data backup and recovery solution prior to 6.0.3.1 HF1.

Mandiant said in a report published on February 18 that it traced back exploitation of CVE-2026-22769 as far as mid-2024, although there may have been activity prior to this.

“Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including Slaystyle, Brickstorm, and a novel backdoor tracked as Grimbolt,” it explained.

“The initial access vector for these incidents was not confirmed, but UNC6201 is known to target edge appliances (such as VPN concentrators) for initial access.”

In September last year, the group replaced the Brickstorm backdoor, which has been tied to Chinese cyber-espionage activity since at least March that year, with Grimbolt.

The new backdoor is apparently written in C# and compiled using native ahead-of-time (AOT) techniques to help evade analysis and improve performance.

“Unlike traditional .NET software that uses just-in-time (JIT) compilation at runtime, Native AOT-compiled binaries, introduced to .NET in 2022, are converted directly to machine-native code during compilation,” Mandiant explained.

“This approach enhances the software’s performance on resource-constrained appliances, ensures required libraries are already present in the file, and complicates static analysis by removing the common intermediate language (CIL) metadata typically associated with C# samples.”

Grimbolt, which provides a remote shell capability, uses the same command-and-control (C2) infrastructure as Brickstorm, the report added.
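The point Mandiant makes about Native AOT is worth seeing concretely for anyone triaging samples: a JIT-compiled .NET assembly always carries a CLR runtime header (PE data directory 14, the IMAGE_COR20_HEADER that points at the CIL metadata), while a Native AOT build is an ordinary native PE image and leaves that slot empty, so tooling that assumes every C# sample is managed will silently mis-triage it. The following is an added example written for this article, not code from Mandiant, Dell or the report; it parses only the PE headers, and the `build_fake_pe` helper constructs synthetic header-only test vectors rather than real binaries.

```python
import struct
import sys

# Index of the CLR runtime header in the PE optional header's data directories.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def clr_header_present(data: bytes) -> bool:
    """Return True if the PE image carries a CLR (.NET) runtime header.

    Managed (JIT) .NET assemblies populate data directory 14 with the
    IMAGE_COR20_HEADER that holds the CIL metadata pointers. A Native AOT
    build is a plain native PE and leaves that slot zeroed, which is exactly
    why CIL-based static analysis has nothing to work with.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                     # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")

    # Respect NumberOfRvaAndSizes and SizeOfOptionalHeader so a truncated
    # or hand-crafted header cannot make us read past the directory table.
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry + 8 > opt + size_of_optional or entry + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def classify(data: bytes) -> str:
    """'managed-dotnet' when CIL metadata is reachable, otherwise 'native'."""
    return "managed-dotnet" if clr_header_present(data) else "native"


def build_fake_pe(clr_rva: int, clr_size: int) -> bytes:
    """Construct a minimal PE32+ header with no sections (synthetic test vector).

    Assumption: only the fields the parser reads are meaningful; this is not a
    loadable executable and stands in for a real sample purely for testing.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, 0 sections, SizeOfOptionalHeader = 112 + 16 directories.
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x22)
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)           # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt,
                     112 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     clr_rva, clr_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_clr_check.py <file.exe> ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                print(f"{path}: {classify(fh.read())}")
            except ValueError as exc:
                print(f"{path}: {exc}")
```

An empty directory 14 tells you the sample is a native PE and that decompilers expecting CIL will not help; it does not by itself prove the binary was produced by Native AOT rather than any other native toolchain, so treat the result as a triage routing decision rather than an attribution.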

Mandiant Reveals Novel TTPs

Mandiant also observed UNC6201 using novel tactics to target VMware virtual infrastructure.

This includes the creation of new temporary network ports, or “ghost NICs,” on VMs running on an ESXi server.

“Using these network ports, the threat actor then pivoted to various internal and software-as-a-service (SaaS) infrastructures used by the affected organizations,” the report noted.

Mandiant also revealed the group's use of iptables to implement single packet authorization (SPA).

The report claimed there are overlaps between UNC6201 and UNC5221, which has been tied to zero-day attacks on government agencies using Ivanti products.
