Chinese Hackers Exploited Dell Zero-Day Flaw for Two Years

Article Highlights
Off On

A Two-Year Campaign of Undetected Cyber Espionage

For nearly two full years, a critical flaw in Dell’s enterprise backup software served as a wide-open door for a sophisticated Chinese state-sponsored hacking group, allowing them to conduct cyber espionage completely undetected within target networks. The group, tracked by security researchers as UNC6201, skillfully leveraged a zero-day vulnerability in Dell RecoverPoint for Virtual Machines to mount a prolonged campaign. This particular vulnerability, identified as CVE-2026-22769, carries the maximum severity score of 10.0, reflecting its critical nature. The extended operation underscores the significant danger posed by Advanced Persistent Threat (APT) actors who patiently exploit undiscovered weaknesses in trusted technology. The following timeline deconstructs this multi-year operation, tracing the hackers’ methods from their initial infiltration to the deployment of advanced, custom malware and highlighting the immense challenge of securing complex enterprise systems against well-resourced adversaries.

Chronology of a Persistent Threat

Early 2022 – Initial Infiltration via Zero-Day Exploit

The covert campaign ignited when UNC6201 first exploited the hardcoded credential flaw within Dell RecoverPoint. This vulnerability was a golden ticket, granting the attackers unauthenticated, root-level access to the system. With this powerful entry point, they established a strong and persistent foothold deep inside target networks. During these initial stages, the group was methodical, deploying malware payloads such as the Slaystyle and Brickstorm backdoors. These tools were not for immediate disruption but served as the foundation for a long-term intelligence-gathering operation, enabling the attackers to perform reconnaissance and move laterally across the compromised infrastructure.

September 2023 – Tactical Evolution with the Grimbolt Backdoor

A year and a half into their campaign, UNC6201 demonstrated its adaptability and commitment by significantly upgrading its arsenal. The group retired the older Brickstorm backdoor and replaced it with Grimbolt, a far more sophisticated and evasive piece of malware. Written in the C# programming language and compiled using native ahead-of-time (AOT) techniques, Grimbolt was engineered specifically to frustrate security analysis. The AOT compilation process strips away standard metadata that defenders rely on for reverse-engineering, making the tool exceptionally difficult to dissect. This new backdoor provided the same remote shell capabilities and connected to the same command-and-control infrastructure as its predecessor, thereby ensuring operational continuity while dramatically enhancing stealth.

Throughout the Campaign – Advanced Evasion and Lateral Movement

UNC6201 consistently displayed a high degree of technical skill by employing novel tactics, techniques, and procedures (TTPs) to maintain their clandestine access and pivot to other high-value systems. The group showed particular expertise in manipulating VMware virtual infrastructure. One of their clever techniques involved creating temporary “ghost NICs” (network interface controllers) on virtual machines. This allowed them to access other internal network segments and even cloud-based SaaS environments without triggering common security alerts. To further conceal their communications, the hackers configured iptables to implement single packet authorization (SPA), a method that renders command-and-control servers invisible to standard network scans.

Early 2024 – Discovery and Remediation

After operating in the shadows for approximately two years, the extensive espionage campaign was finally uncovered by security researchers at Mandiant. This discovery triggered a rapid response from Dell, which developed and released a patch to remediate the critical flaw in version 6.0.3.1 HF1 of the software. The public disclosure of the vulnerability and the associated threat actor activity officially brought its zero-day status to an end. This forced the hacking group to alter its tactics and, crucially, provided defenders with the actionable intelligence needed to hunt for similar intrusions within their own environments.

Key Takeaways from the UNC6201 Campaign

The most significant turning point in this two-year campaign is UNC6201’s calculated shift to the Grimbolt backdoor. This move serves as a clear indicator of the group’s investment in long-term, low-and-slow operations, as they dedicated resources to developing custom tools designed explicitly for evasion. An overarching pattern evident throughout the operation is the strategic targeting of specialized, trusted enterprise software rather than more common user-facing applications. By compromising a data recovery tool, the attackers gained deep and privileged access to a system’s core. This incident exposes a critical gap in supply chain security, where a single undiscovered flaw in a widely deployed product can provide adversaries with a durable beachhead across numerous organizations for years.

Expert Analysis and the Broader Threat Landscape

Further analysis reveals the high level of sophistication in UNC6201’s TTPs. The use of “ghost NICs” and single packet authorization is not commonplace and points to a well-resourced group with deep technical knowledge of network and virtualization platforms. According to Mandiant, there is an operational overlap between UNC6201 and another actor, UNC5221, which has been linked to zero-day attacks on government agencies using Ivanti products. This connection suggests these campaigns may be part of a broader, coordinated effort by a single state sponsor. The incident serves as a crucial reminder that all enterprise software, not just mainstream operating systems, is a potential target, and it dispels the misconception that security through obscurity is a viable defense strategy for specialized tools.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable