Chinese APT Group Exploits Dell Zero-Day for Two Years
Dell has released a patch for a critical zero-day vulnerability in its RecoverPoint for Virtual Machines product. The vulnerability, tracked as CVE-2026-22769, has been quietly exploited by a Chinese APT group since 2024. Rated with the maximum CVSS score of 10.0, it is a hardcoded-credential bug: an unauthenticated attacker who knows the credential can log in to the appliance's underlying operating system and maintain root-level persistence.
Mandiant reported on February 18 that the exploitation of CVE-2026-22769 dates back to mid-2024, although there may have been earlier activity. They revealed that UNC6201, a suspected PRC-nexus threat cluster, has been using this flaw to move laterally, maintain persistent access, and deploy various malware, including Slaystyle, Brickstorm, and a novel backdoor known as Grimbolt.
The new backdoor is reportedly written in C# and compiled using native ahead-of-time (AOT) techniques to evade analysis and enhance performance. Unlike traditional .NET software that relies on just-in-time (JIT) compilation, Native AOT-compiled binaries are converted directly to machine-native code during compilation, improving performance on resource-constrained appliances and complicating static analysis.
Mandiant also observed UNC6201 employing novel tactics against VMware virtual infrastructure, including the creation of temporary virtual network interfaces, or "ghost NICs", on VMs running on an ESXi server. This allowed the threat actor to pivot into various internal and software-as-a-service (SaaS) infrastructures used by the affected organizations. Additionally, Mandiant reported the use of iptables rules implementing single packet authorization (SPA), which keeps a port closed until a specific trigger packet is seen.
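To make the SPA technique concrete for defenders, here is an added example (not code from the article, from Mandiant, or from the actor's toolset) that parses `iptables-save` output and flags the two-rule pattern SPA or port-knocking typically leaves behind: one rule that records the sender's address in an `-m recent` list when a specific packet arrives, and a second rule that accepts connections to a service port only for addresses already in that list. The sample rule set and the port numbers, list name and payload string in it are constructed for illustration; the article does not disclose the actor's actual rules.

```python
import shlex

# Constructed sample of `iptables-save` output (not from the article or Mandiant's
# report): a default-drop INPUT chain in which one UDP packet to port 40000 carrying
# a specific payload tags the sender in the "spa" recent-list, after which that
# sender may reach TCP/2222 for 30 seconds. This is one way iptables can implement
# SPA; the real rules used by the actor are not described in the article.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 40000 -m string --hex-string "|deadbeef|" --algo bm -m recent --set --name spa --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 2222 -m recent --rcheck --seconds 30 --name spa --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Yield (chain, tokens) for every '-A' rule line in iptables-save output."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)  # handles quoted --hex-string values
        yield tokens[1], tokens[2:]


def _opt(tokens, flag):
    """Return the value following `flag` in a rule's token list, or None."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def _uses_match(tokens, module):
    """True if the rule loads the given match extension via '-m <module>'."""
    return any(tokens[i] == "-m" and tokens[i + 1] == module
               for i in range(len(tokens) - 1))


def find_spa_gates(iptables_save_text):
    """Pair 'recent --set' trigger rules with 'recent --rcheck/--update ... -j ACCEPT'
    grant rules that share a list name. Each finding is one SPA/knock gate."""
    setters, grants = {}, []
    for chain, toks in parse_rules(iptables_save_text):
        if not _uses_match(toks, "recent"):
            continue
        name = _opt(toks, "--name") or "DEFAULT"  # xt_recent's default list name
        if "--set" in toks:
            setters.setdefault(name, []).append({
                "chain": chain,
                "rule": " ".join(toks),
                # A string/hex-string match means the trigger is keyed on payload,
                # i.e. SPA proper rather than a bare port knock.
                "payload_keyed": _uses_match(toks, "string"),
            })
        elif ("--rcheck" in toks or "--update" in toks) and _opt(toks, "-j") == "ACCEPT":
            seconds = _opt(toks, "--seconds")
            grants.append({
                "list": name,
                "chain": chain,
                "rule": " ".join(toks),
                "granted_port": _opt(toks, "--dport"),
                "window_seconds": int(seconds) if seconds else None,
            })

    findings = []
    for g in grants:
        for s in setters.get(g["list"], []):
            findings.append({
                "list": g["list"],
                "trigger_chain": s["chain"],
                "trigger_rule": s["rule"],
                "payload_keyed": s["payload_keyed"],
                "grant_rule": g["rule"],
                "granted_port": g["granted_port"],
                "window_seconds": g["window_seconds"],
            })
    return findings


if __name__ == "__main__":
    # On a live host you would feed it the output of `iptables-save` instead.
    for f in find_spa_gates(SAMPLE_IPTABLES_SAVE):
        kind = "SPA (payload-keyed)" if f["payload_keyed"] else "port knock"
        print(f"[{kind}] list={f['list']} opens tcp/{f['granted_port']} "
              f"for {f['window_seconds']}s after: {f['trigger_rule']}")
```

Run it against `iptables-save` (and `ip6tables-save`) output from an appliance; any hit that is not part of a documented hardening baseline deserves a look at what is listening on the granted port, since the whole point of the technique is that a plain port scan will not show it. A ruleset that uses nftables instead would need the equivalent check against `nft list ruleset`, which this example does not cover.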