Chinese hackers exploiting Dell zero-day flaw since mid-2024
Chinese State Hackers Exploit Dell Zero-Day in Stealthy Campaign Targeting VMware Infrastructures
A sophisticated Chinese state-backed hacking group has been quietly exploiting a critical Dell security flaw in zero-day attacks that began in mid-2024, according to new research from Mandiant and Google Threat Intelligence Group (GTIG). The campaign represents one of the most concerning developments in the ongoing cyber espionage landscape, with attackers leveraging advanced techniques to maintain persistent access to high-value targets.
The Critical Vulnerability at the Heart of the Attack
The vulnerability in question, tracked as CVE-2026-22769, is a maximum-severity hardcoded credential flaw discovered in Dell RecoverPoint for Virtual Machines—a solution designed for VMware virtual machine backup and recovery operations. This critical security flaw affects versions prior to 6.0.3.1 HF1 and allows unauthenticated remote attackers with knowledge of the hardcoded credential to potentially gain unauthorized access to the underlying operating system and establish root-level persistence.
“Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability,” Dell stated in its security advisory published on Tuesday. “This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence.”
The company has urged customers to upgrade or apply remediation measures as soon as possible to protect against ongoing exploitation attempts.
UNC6201: The Shadowy Threat Actor Behind the Campaign
The attacks are attributed to UNC6201, a suspected Chinese state-sponsored hacking group that has demonstrated remarkable sophistication in its operational tactics. After gaining initial access through the Dell vulnerability, UNC6201 deployed several malware payloads designed to establish persistent footholds within compromised networks.
Most notably, the group has been observed using a newly identified backdoor malware called Grimbolt. Written in C# and employing a relatively new compilation technique, Grimbolt represents a significant evolution in the group’s toolkit. The malware is specifically designed to be faster and more resistant to analysis than its predecessor, Brickstorm—a backdoor that has been previously associated with Chinese state-sponsored operations.
Security researchers observed UNC6201 swapping out Brickstorm for Grimbolt in September 2025, though the motivation behind this transition remains unclear. It’s uncertain whether this represents a planned upgrade in the group’s capabilities or a tactical response to incident response efforts led by Mandiant and other industry partners.
Advanced Techniques for VMware Infiltration
What makes this campaign particularly concerning is the group’s use of novel techniques to burrow deeper into victims’ virtualized infrastructure. UNC6201 has been observed creating hidden network interfaces—referred to as “Ghost NICs”—on VMware ESXi servers. These temporary virtual network ports allow the attackers to pivot from compromised virtual machines into internal or SaaS environments with minimal detection risk.
“UNC6201 uses temporary virtual network ports (AKA ‘Ghost NICs’) to pivot from compromised VMs into internal or SaaS environments, a new technique that Mandiant has not observed before in their investigations,” said Mark Karayan, Mandiant communications manager, in comments to BleepingComputer.
This technique demonstrates the group’s deep understanding of virtualized environments and their ability to exploit the unique characteristics of these systems. By operating through these hidden network interfaces, the attackers can move laterally across victims’ networks while remaining largely undetected by traditional security measures.
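Because the Ghost NIC technique relies on virtual network adapters that exist only briefly, one defensive check is to diff periodic exports of each VM's virtual hardware and flag adapters that appear and then vanish, or that attach to a port group the VM is not approved for. The following is an added example written for this article, not code from Mandiant, Google or VMware; the snapshot shape (timestamp plus a mapping of VM name to a set of adapter label and port group pairs), the VM names, port groups and approved-baseline table are all constructed for illustration. In practice the snapshots would be fed from scheduled vSphere inventory exports.

```python
# Constructed inventory snapshots for the example: each entry is
# (timestamp, {vm_name: {(adapter_label, port_group), ...}}).
# The shape is an assumption; real data would come from periodic VM hardware exports.
SNAPSHOTS = [
    ("2025-09-01T00:00Z", {
        "backup-appliance-01": {("Network adapter 1", "PG-Backup")},
        "web-vm-07": {("Network adapter 1", "PG-DMZ")},
    }),
    ("2025-09-02T00:00Z", {
        "backup-appliance-01": {("Network adapter 1", "PG-Backup"),
                                ("Network adapter 2", "PG-Mgmt")},   # short-lived extra NIC
        "web-vm-07": {("Network adapter 1", "PG-DMZ")},
    }),
    ("2025-09-03T00:00Z", {
        "backup-appliance-01": {("Network adapter 1", "PG-Backup")},  # extra NIC is gone again
        "web-vm-07": {("Network adapter 1", "PG-DMZ")},
    }),
]

# Constructed baseline: which port groups each VM is allowed to attach to.
APPROVED_PORTGROUPS = {
    "backup-appliance-01": {"PG-Backup"},
    "web-vm-07": {"PG-DMZ"},
}


def find_transient_adapters(snapshots):
    """Return adapters that were present in one snapshot and absent in a later one.

    Each finding records when the adapter was first seen and when it disappeared,
    which is the signature of a temporary network port rather than a planned change.
    """
    first_seen = {}   # (vm, (label, portgroup)) -> timestamp of first appearance
    previous = {}     # inventory from the preceding snapshot
    findings = []
    for ts, inventory in snapshots:
        for vm, adapters in inventory.items():
            for adapter in adapters:
                first_seen.setdefault((vm, adapter), ts)
            # Anything the VM had last time but not now has been removed.
            for adapter in previous.get(vm, set()) - adapters:
                findings.append({
                    "vm": vm,
                    "adapter": adapter[0],
                    "portgroup": adapter[1],
                    "added": first_seen[(vm, adapter)],
                    "removed": ts,
                })
        previous = inventory
    return findings


def find_unapproved_attachments(snapshots, approved):
    """Return adapters attached to a port group outside the VM's approved baseline."""
    findings = []
    for ts, inventory in snapshots:
        for vm, adapters in inventory.items():
            allowed = approved.get(vm, set())
            for label, portgroup in adapters:
                if portgroup not in allowed:
                    findings.append({"vm": vm, "adapter": label,
                                     "portgroup": portgroup, "seen": ts})
    return findings


if __name__ == "__main__":
    for f in find_transient_adapters(SNAPSHOTS):
        print(f"TRANSIENT  {f['vm']}: {f['adapter']} on {f['portgroup']} "
              f"({f['added']} -> {f['removed']})")
    for f in find_unapproved_attachments(SNAPSHOTS, APPROVED_PORTGROUPS):
        print(f"UNAPPROVED {f['vm']}: {f['adapter']} on {f['portgroup']} at {f['seen']}")
```

The diff only catches adapters that survive at least one polling interval, so an adapter created and deleted between two exports is invisible to it; pair this with review of the hypervisor's own reconfiguration events and keep the export interval short on hosts that run backup or management appliances.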
Targeting Critical Infrastructure Blind Spots
Consistent with previous campaigns, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents. This strategic choice allows the group to maintain undetected access for extended periods, as these systems often fall outside the scope of conventional security monitoring.
The targeting of Dell RecoverPoint appliances is particularly significant because these systems are designed to handle critical backup and recovery operations. By compromising these systems, attackers can potentially access sensitive data, disrupt recovery operations, or use the compromised infrastructure as a staging ground for further attacks.
Connections to Other Chinese Threat Clusters
The research has uncovered intriguing overlaps between UNC6201 and another Chinese threat cluster known as UNC5221. This separate group has been linked to exploiting Ivanti zero-days to target government agencies, deploying custom malware including Spawnant and Zipline.
UNC5221 has been previously associated with the notorious Silk Typhoon Chinese state-backed threat group, though GTIG researchers note that while there are similarities between the two clusters, they are not considered identical operations.
In September, GTIG reported that UNC5221 hackers used Brickstorm—first documented by Google subsidiary Mandiant in April 2024—to gain long-term persistence on the networks of multiple U.S. organizations in the legal and technology sectors. Additionally, CrowdStrike has linked Brickstorm malware attacks targeting VMware vCenter servers of legal, technology, and manufacturing companies in the United States to a Chinese hacking group it tracks as Warp Panda.
The Broader Implications for Cybersecurity
This campaign highlights several critical trends in the evolving cybersecurity landscape. First, it demonstrates the continued sophistication of Chinese state-sponsored threat actors, who are increasingly leveraging zero-day vulnerabilities and developing custom malware to achieve their objectives.
Second, it underscores the growing importance of securing virtualized infrastructure, which has become a prime target for advanced persistent threat (APT) groups. As organizations increasingly rely on virtualization technologies, the attack surface for these systems expands, creating new opportunities for exploitation.
Third, the use of Ghost NICs and other novel techniques indicates that threat actors are constantly innovating to evade detection and maintain persistent access to compromised networks. This evolution requires security professionals to continuously adapt their defensive strategies and monitoring capabilities.
Immediate Actions for Dell Customers
To protect against ongoing exploitation of CVE-2026-22769, Dell customers are strongly advised to follow the remediation guidance provided in the company’s security advisory. The recommended actions include upgrading to version 6.0.3.1 HF1 or applying the available remediations as soon as possible.
Organizations should also review their virtualized infrastructure for signs of compromise, paying particular attention to VMware ESXi servers and backup/recovery appliances that may have been targeted by this campaign.
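The advisory's affected range ("prior to 6.0.3.1 HF1") is awkward to compare by hand across an estate because the hotfix suffix sorts after the dotted release number. The script below is an added example, not Dell's tooling: it parses a version string of the form MAJOR.MINOR[.PATCH...] with an optional HFn suffix (the exact string format an appliance reports is an assumption here), compares it against the fixed release, and triages a constructed inventory into affected and unparseable entries so nothing is silently skipped.

```python
import re

# Fixed release named in the Dell advisory: anything older is affected.
FIXED_VERSION = "6.0.3.1 HF1"

# Assumed format: dotted numeric release, optional "HF<n>" hotfix suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn '6.0.3.1 HF1' into ((6, 0, 3, 1), 1) so tuples compare correctly.

    A missing HF suffix counts as hotfix 0, so '6.0.3.1' sorts before '6.0.3.1 HF1'.
    Raises ValueError on anything that does not match the assumed format.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return numbers, hotfix


def is_affected(version, fixed=FIXED_VERSION):
    """True when the reported version is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(inventory):
    """Split an inventory of {'host', 'version'} records into affected hosts
    and hosts whose version string could not be parsed (manual check needed)."""
    affected, unknown = [], []
    for record in inventory:
        try:
            if is_affected(record["version"]):
                affected.append(record["host"])
        except ValueError:
            unknown.append(record["host"])
    return sorted(affected), sorted(unknown)


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "rp4vm-dc1", "version": "6.0.3.1"},
    {"host": "rp4vm-dc2", "version": "6.0.2 HF3"},
    {"host": "rp4vm-lab", "version": "6.0.3.1 HF1"},
    {"host": "rp4vm-old", "version": "build-unknown"},
]

if __name__ == "__main__":
    affected, unknown = triage_inventory(SAMPLE_INVENTORY)
    print("affected:", affected)
    print("needs manual check:", unknown)
```

Any host that lands in the unparseable list should be treated as affected until its version has been confirmed from the appliance itself.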
Conclusion
The discovery of this Chinese state-backed campaign exploiting a Dell zero-day vulnerability represents a significant development in the ongoing cyber espionage landscape. With advanced techniques, custom malware, and strategic targeting of critical infrastructure, UNC6201 has demonstrated the capabilities and persistence that characterize modern APT operations.
As the cybersecurity community continues to monitor and respond to this threat, organizations must remain vigilant in securing their virtualized environments and implementing robust detection and response capabilities to counter these sophisticated adversaries.