Chinese Hackers Exploited Dell Zero-Day Flaw for Two Years


A Two-Year Campaign of Undetected Cyber Espionage

For nearly two full years, a critical flaw in Dell’s enterprise backup software served as a wide-open door for a sophisticated Chinese state-sponsored hacking group, allowing it to conduct cyber espionage undetected inside target networks. The group, tracked by security researchers as UNC6201, leveraged a zero-day vulnerability in Dell RecoverPoint for Virtual Machines to mount a prolonged campaign. The vulnerability, identified as CVE-2026-22769, carries a CVSS score of 10.0, the maximum, reflecting its critical nature. The extended operation underscores the danger posed by Advanced Persistent Threat (APT) actors who patiently exploit undiscovered weaknesses in trusted technology. The following timeline deconstructs the multi-year operation, tracing the hackers’ methods from initial infiltration to the deployment of custom malware, and highlights the challenge of securing complex enterprise systems against well-resourced adversaries.

Chronology of a Persistent Threat

Early 2022 – Initial Infiltration via Zero-Day Exploit

The covert campaign began when UNC6201 first exploited the hardcoded credential flaw in Dell RecoverPoint. The flaw was a golden ticket: it granted unauthenticated, root-level access to the system, and because a credential baked into a product is identical on every installation, once the group knew it, every unpatched appliance was open to them with no memory-corruption exploit or authentication bypass required. With this entry point, they established a strong and persistent foothold deep inside target networks. During these initial stages the group was methodical, deploying payloads such as the Slaystyle and Brickstorm backdoors. These tools were not for immediate disruption but served as the foundation for a long-term intelligence-gathering operation, enabling the attackers to perform reconnaissance and move laterally across the compromised infrastructure.

September 2023 – Tactical Evolution with the Grimbolt Backdoor

A year and a half into the campaign, UNC6201 demonstrated its adaptability and commitment by significantly upgrading its arsenal. The group retired the older Brickstorm backdoor and replaced it with Grimbolt, a far more evasive piece of malware. Grimbolt is written in C# but compiled with native ahead-of-time (AOT) compilation, a choice made specifically to frustrate analysis: instead of shipping intermediate language (IL) together with the type and method metadata that .NET decompilers depend on, an AOT-compiled binary ships native machine code, so analysts lose the easy decompilation route and are pushed back to native disassembly. The new backdoor provided the same remote shell capabilities and connected to the same command-and-control infrastructure as its predecessor, preserving operational continuity while markedly improving stealth.
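The practical consequence of the AOT point above is a triage question: before reaching for ILSpy or dnSpy on a suspected C# sample, check whether the file is a managed assembly at all. A managed PE carries a CLR runtime header (data directory 14) and an ECMA-335 metadata root beginning with the signature "BSJB"; a Native AOT output, like any other native executable, has neither. The following is an added example written for this article, not code from Dell, Mandiant or the malware authors. It builds two constructed PE32+ header fixtures (one managed, one native) purely so it runs offline; on a real sample you would pass the bytes of the file instead.

```python
import struct
from typing import Dict


def _make_pe(with_clr: bool) -> bytes:
    """Constructed PE32+ fixture: just enough header to carry data directory 14.

    This is a test stand-in, not a real binary; a real sample is read from disk.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header right after DOS header
    num_dirs = 16
    opt_size = 112 + 8 * num_dirs                     # PE32+ optional header incl. directories
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)             # Magic: PE32+
    struct.pack_into("<I", opt, 108, num_dirs)        # NumberOfRvaAndSizes
    body = b"\x00" * 16
    if with_clr:
        # Directory 14 = IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR; only managed images fill it.
        struct.pack_into("<II", opt, 112 + 8 * 14, 0x2000, 72)
        body += b"BSJB" + b"\x00" * 12                # metadata root signature 0x424A5342
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


def managed_indicators(data: bytes) -> Dict[str, bool]:
    """Report whether a PE has a CLR header and an ECMA-335 metadata root."""
    result = {"valid_pe": False, "clr_header": False, "bsjb_metadata": b"BSJB" in data}
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return result
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return result
        result["valid_pe"] = True
        coff = e_lfanew + 4
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        dir_base = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 vs PE32+ directory offset
        if dir_base is None or opt_size < dir_base:
            return result
        num_dirs = struct.unpack_from("<I", data, opt + dir_base - 4)[0]
        if num_dirs > 14 and opt_size >= dir_base + 8 * 15:
            rva, size = struct.unpack_from("<II", data, opt + dir_base + 8 * 14)
            result["clr_header"] = rva != 0 and size != 0
    except struct.error:
        pass                                          # truncated header: treat as not managed
    return result


def classify(data: bytes) -> str:
    """Decide which analysis route applies: IL decompiler or native disassembler."""
    ind = managed_indicators(data)
    if not ind["valid_pe"]:
        return "not-pe"
    if ind["clr_header"] and ind["bsjb_metadata"]:
        return "managed-il"      # IL and metadata present: ILSpy/dnSpy will decompile it
    if not ind["clr_header"]:
        return "native-pe"       # no CLR header: Native AOT, or not .NET at all; use a disassembler
    return "inconsistent"        # CLR header without a metadata root: packed, tampered or truncated


if __name__ == "__main__":
    print("managed fixture:", classify(_make_pe(True)))
    print("native fixture: ", classify(_make_pe(False)))
```

To triage a real file, call `classify(open(path, "rb").read())`. A "native-pe" verdict does not by itself say the sample was written in C#; it says only that the IL decompilation shortcut is gone, which is exactly what AOT compilation buys the attacker.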

Throughout the Campaign – Advanced Evasion and Lateral Movement

UNC6201 consistently displayed a high degree of technical skill, using novel tactics, techniques and procedures (TTPs) to keep its clandestine access and pivot to other high-value systems. The group showed particular expertise in manipulating VMware virtual infrastructure. One technique involved attaching temporary “ghost NICs” (virtual network interface controllers) to virtual machines. This gave the attackers a path into other internal network segments, and even into cloud-based SaaS environments, without triggering common security alerts: because the change is made from the virtualization management plane and the interface is removed again afterwards, it leaves little trace inside the guest operating system. To conceal their command-and-control channels, the attackers configured iptables to implement single packet authorization (SPA), under which the listener’s port stays closed to everyone except a source that has first sent the correct authorization packet, so a routine port scan of the host sees nothing there.
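A defender who has shell access to a suspect Linux host can look for the SPA/port-knocking pattern directly in the firewall configuration. Expressed in plain iptables, the pattern is a rule that records a source address on an xt_recent list when a trigger packet arrives, paired with an ACCEPT rule for the hidden service that is conditional on that same list, on a chain whose default policy is DROP. The following is an added hunting example written for this article, not code from Mandiant or the threat actor, and the iptables-save text it parses is constructed for illustration rather than taken from any real appliance. Tools such as fwknop implement the same idea with a daemon inserting timed rules, so this check finds the in-kernel variant only.

```python
import re
from typing import Dict, List

# Constructed iptables-save output (not from any real host). A packet to UDP/62201
# puts the sender on the xt_recent list "knock" and is then dropped; TCP/8443 is
# accepted only for senders seen on that list in the last 30 s and falls through
# to the INPUT chain's DROP policy for everyone else, so a scanner sees it closed.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 62201 -m recent --set --name knock --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 8443 -m recent --rcheck --seconds 30 --name knock --mask 255.255.255.255 --rsource -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+)\s+(?P<body>.*)$")
POLICY_RE = re.compile(r"^:(?P<chain>\S+)\s+(?P<policy>\S+)")
VALUE_OPTS = {"-p", "--dport", "--name", "-j", "--seconds"}
RECENT_FLAGS = {"--set", "--rcheck", "--update", "--remove"}


def parse_rules(text: str):
    """Return (chain policies, parsed -A rules) from iptables-save text."""
    policies: Dict[str, str] = {}
    rules: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        pm = POLICY_RE.match(line)
        if pm:
            policies[pm.group("chain")] = pm.group("policy")
            continue
        rm = RULE_RE.match(line)
        if not rm:
            continue
        toks = rm.group("body").split()
        rule = {"chain": rm.group("chain"), "flags": set(), "recent": False, "raw": line}
        for i, tok in enumerate(toks):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if tok == "-m" and nxt == "recent":
                rule["recent"] = True                 # rule uses the xt_recent match
            elif tok in VALUE_OPTS and nxt is not None:
                rule[tok.lstrip("-")] = nxt          # e.g. rule["dport"] = "8443"
            elif tok in RECENT_FLAGS:
                rule["flags"].add(tok.lstrip("-"))   # set / rcheck / update / remove
        rules.append(rule)
    return policies, rules


def find_knock_gates(text: str) -> List[Dict[str, str]]:
    """Flag ACCEPT rules gated on an xt_recent list that another rule populates."""
    policies, rules = parse_rules(text)
    # Trigger rules: "--set" records the source address on a named list.
    knocks = {r["name"]: r for r in rules if r["recent"] and "set" in r["flags"] and "name" in r}
    findings = []
    for r in rules:
        # Gated rules: accept only if the source is already on the list (rcheck/update).
        if not r["recent"] or not ({"rcheck", "update"} & r["flags"]) or r.get("j") != "ACCEPT":
            continue
        knock = knocks.get(r.get("name"))
        if knock is None:
            continue
        findings.append({
            "list": str(r["name"]),
            "service": f"{r.get('p', 'any')}/{r.get('dport', 'any')}",
            "trigger": f"{knock.get('p', 'any')}/{knock.get('dport', 'any')}",
            "window_s": str(r.get("seconds", "unbounded")),
            "chain_policy": policies.get(str(r["chain"]), "?"),
        })
    return findings


if __name__ == "__main__":
    for f in find_knock_gates(SAMPLE_RULES):
        print(f"{f['service']} on a {f['chain_policy']}-policy chain is gated behind a trigger "
              f"on {f['trigger']} (list {f['list']}, {f['window_s']} s window)")
```

On a live host, feed it `iptables-save` (and `ip6tables-save`) output; on an nftables-only system the equivalent construct is a set with a timeout, which this parser does not cover. A hit is not proof of compromise, since administrators use the same trick to hide SSH, but on a backup appliance that should expose a fixed, documented set of ports, a knock-gated listener is worth explaining.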

Early 2024 – Discovery and Remediation

After operating in the shadows for approximately two years, the extensive espionage campaign was finally uncovered by security researchers at Mandiant. This discovery triggered a rapid response from Dell, which developed and released a patch to remediate the critical flaw in version 6.0.3.1 HF1 of the software. The public disclosure of the vulnerability and the associated threat actor activity officially brought its zero-day status to an end. This forced the hacking group to alter its tactics and, crucially, provided defenders with the actionable intelligence needed to hunt for similar intrusions within their own environments.

Key Takeaways from the UNC6201 Campaign

The most significant turning point in this two-year campaign is UNC6201’s calculated shift to the Grimbolt backdoor. This move serves as a clear indicator of the group’s investment in long-term, low-and-slow operations, as they dedicated resources to developing custom tools designed explicitly for evasion. An overarching pattern evident throughout the operation is the strategic targeting of specialized, trusted enterprise software rather than more common user-facing applications. By compromising a data recovery tool, the attackers gained deep and privileged access to a system’s core. This incident exposes a critical gap in supply chain security, where a single undiscovered flaw in a widely deployed product can provide adversaries with a durable beachhead across numerous organizations for years.

Expert Analysis and the Broader Threat Landscape

Further analysis reveals the high level of sophistication in UNC6201’s TTPs. The use of “ghost NICs” and single packet authorization is not commonplace and points to a well-resourced group with deep technical knowledge of network and virtualization platforms. According to Mandiant, there is an operational overlap between UNC6201 and another actor, UNC5221, which has been linked to zero-day attacks on government agencies using Ivanti products. This connection suggests these campaigns may be part of a broader, coordinated effort by a single state sponsor. The incident serves as a crucial reminder that all enterprise software, not just mainstream operating systems, is a potential target, and it dispels the misconception that security through obscurity is a viable defense strategy for specialized tools.
