Bold alert: China-linked operators have been quietly weaponizing a Dell vulnerability since mid-2024 to seize long-term footholds in compromised networks. Here's what happened, why it matters, and how to think about it.
First, the core of it: attackers tied to China exploited a critical hardcoded-credential flaw in Dell RecoverPoint for Virtual Machines as a zero-day, aiming to backdoor machines for persistent access. This isn't a one-off incident; it fits into a broader, ongoing effort detected by Google's Mandiant incident response team and later corroborated by US government alerts.
What changed hands and how it worked
- Vulnerability and weaponization: The flaw, tracked as CVE-2026-22769, allowed an unauthenticated actor with knowledge of a hardcoded credential to gain unauthorized access to underlying systems. Dell acknowledged active exploitation and urged customers to apply the remediation outlined in their advisory. Dell noted that some attackers had already found and used the bug before a fix was released.
- Malware family evolution: Early iterations of the backdoor were written in Go, then Rust. By September 2025, the operators had replaced those with Grimbolt, a new backdoor implemented in C# using ahead-of-time (AOT) compilation to produce native machine code, and packed with UPX to complicate static analysis. Grimbolt preserves the remote-shell capabilities and the same command-and-control (C2) infrastructure as Brickstorm, the earlier strain.
- Backdoor persistence and deployment: The intruders achieved persistence by altering a legitimate startup script on the Dell appliance—convert_hosts.sh—to load the backdoor at boot via rc.local. Once established, they moved laterally, maintained access, and deployed multiple malware components, including Slaystyle, Brickstorm, and Grimbolt.
- Stealthy network manipulation: The attackers introduced “Ghost NICs”—hidden, temporary network interfaces on VMware ESXi hosts—to facilitate silent network pivoting within compromised environments. This technique helps attackers reach additional assets without triggering obvious external connections.
- Target scope and indicators: Analysts observed repeated web requests to vulnerable appliances that used the default credential (admin) against the installed Apache Tomcat Manager application. Dell RecoverPoint for Virtual Machines relies on Tomcat as its web server, and the attackers abused the Manager to deploy a malicious WAR file containing a Slaystyle web shell. While public estimates of affected organizations are modest, security firms caution that the full scope remains uncertain.
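The Tomcat Manager abuse described above leaves a trail in the appliance's access log: an authenticated Manager session, a deploy request, and then requests into the context that was just deployed. The following triage script is an added example written for this article, not code from Dell, Google or Mandiant. It assumes Tomcat's default AccessLogValve pattern (`%h %l %u %t "%r" %s %b`); the log lines it parses are constructed for illustration, and the context path `/backup` and file `status.jsp` are placeholders, not indicators from the campaign.

```python
"""Triage Tomcat access-log lines for Manager-app deployment activity.

Added example for this article (not Dell's, Google's or Mandiant's code).
Assumes the default AccessLogValve pattern: %h %l %u %t "%r" %s %b
"""
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager-app endpoints that deploy a new web application (WAR upload or
# text-interface deploy). An appliance should never see these in production.
DEPLOY_ENDPOINTS = (
    "/manager/text/deploy",
    "/manager/html/upload",
    "/manager/html/deploy",
)
DEFAULT_ACCOUNT = "admin"  # default credential name named in the article


@dataclass
class Finding:
    host: str
    user: str
    time: str
    reason: str
    path: str


def parse(line: str):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def context_from_deploy(path: str):
    """Extract the target context path from a deploy request's query string."""
    m = re.search(r"[?&]path=([^&]+)", path)
    return m.group(1) if m else None


def triage(lines):
    """Flag Manager deploys, Manager access as the default account, and
    follow-up requests into any context deployed within this log window."""
    findings = []
    deployed_contexts = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path, status = rec["path"], int(rec["status"])
        hit = (rec["host"], rec["user"], rec["time"])
        if status == 200 and any(path.startswith(e) for e in DEPLOY_ENDPOINTS):
            ctx = context_from_deploy(path)
            if ctx:
                deployed_contexts.add(ctx)
            findings.append(Finding(*hit, "manager deploy", path))
        elif path.startswith("/manager/") and rec["user"] == DEFAULT_ACCOUNT and status < 400:
            findings.append(Finding(*hit, "manager access as default account", path))
        elif any(path == c or path.startswith(c + "/") for c in deployed_contexts):
            findings.append(Finding(*hit, "request to freshly deployed context", path))
    return findings


# Constructed sample log: one benign visitor and one Manager-deploy sequence.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Sep/2025:03:10:00 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [12/Sep/2025:03:14:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - admin [12/Sep/2025:03:14:05 +0000] "GET /manager/html HTTP/1.1" 200 19811
203.0.113.9 - admin [12/Sep/2025:03:14:07 +0000] "PUT /manager/text/deploy?path=/backup HTTP/1.1" 200 45
203.0.113.9 - - [12/Sep/2025:03:14:20 +0000] "GET /backup/status.jsp HTTP/1.1" 200 128
10.0.0.7 - - [12/Sep/2025:03:20:00 +0000] "GET /index.html HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.time}  {f.host:<14} {f.user:<6} {f.reason:<36} {f.path}")
```

Run it against a real `localhost_access_log.*.txt` by feeding the file's lines to `triage()`. The third rule is the useful one in practice: a WAR deploy is a single line that is easy to miss, but every later request into the deployed context is another chance to notice it.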
Threat actors and attribution
- The Cyrus-like cluster UNC6201 is identified as a suspected PRC-linked group exploiting Dell's CVE-2026-22769 to move laterally, maintain persistence, and deploy a blend of malware families (Slaystyle, Brickstorm, Grimbolt). Google Threat Intelligence researchers emphasize that this cluster has operated since at least mid-2024, adapting its tools over time to evade detection.
- The campaign’s evolution reflects a trend: state-sponsored groups embedding themselves within networks for long-term access, enabling disruption or potential sabotage whenever they choose. This is not merely about quick exfiltration; it’s about sustained footholds that survive routine defenses.
What organizations should consider
- If your environment contains exposed Dell RecoverPoint for Virtual Machines deployments, treat this as a high-priority remediation target. Dell’s advisory recommends applying the available fixes immediately, since exploitation existed even before the official patch.
- Look for indicators of a multi-stage intrusion: unusual Windows/Linux process trees tied to shell scripts, unexpected web shell activity on Tomcat managers, and signs of lateral movement or newly created Ghost NICs within VMware ESXi hosts.
- Implement the recommended mitigations from Dell and enhance monitoring around VPNs, remote access, and VM networking configurations. Proactively scan for the presence of backdoors like Brickstorm and Grimbolt, and review boot-time scripts for unauthorized modifications.
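The last recommendation, reviewing boot-time scripts for unauthorized modifications, is something a baseline-and-diff check can do on a schedule. The script below is an added example for this article, not Dell's tooling or anything from the incident reports. It records SHA-256 hashes of the startup files named in the article (`rc.local` and `convert_hosts.sh`), reports any that changed, and then screens the changed files for lines that typically do not belong in a vendor startup script. The file contents, the tampered line, and the paths used in `demo()` are all constructed for the example; the real location of `convert_hosts.sh` on the appliance is not given in the article.

```python
"""Integrity check and heuristic screening for appliance startup scripts.

Added example for this article (not Dell's or the incident responders' code).
File contents and paths below are constructed; the real appliance path of
convert_hosts.sh is not stated in the article.
"""
import hashlib
import os
import re
import tempfile

# Heuristics for lines that do not belong in a vendor startup script.
SUSPICIOUS = [
    (re.compile(r"(^|[\s=|;&])/(tmp|var/tmp|dev/shm)/"),
     "references a world-writable temp path"),
    (re.compile(r"/\.[A-Za-z0-9_-]+"),
     "hidden path component"),
    (re.compile(r"\b(nohup|setsid)\b|&\s*$"),
     "detaches or backgrounds a process"),
    (re.compile(r"base64\s+(-d|--decode)|\b(curl|wget)\b.*\|\s*(ba)?sh"),
     "decodes or downloads code at boot"),
]


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large scripts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def changed_files(baseline: dict) -> list:
    """Return paths whose current hash differs from the recorded baseline
    (a missing file counts as changed)."""
    out = []
    for path, expected in baseline.items():
        if not os.path.exists(path) or sha256_file(path) != expected:
            out.append(path)
    return out


def suspicious_lines(text: str) -> list:
    """Return (line_number, line, reason) for every heuristic hit;
    comments and blank lines are skipped."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(stripped):
                hits.append((n, stripped, reason))
    return hits


# Constructed stand-ins for the two startup files named in the article.
RC_LOCAL_CLEAN = "#!/bin/sh -e\n/opt/appliance/bin/convert_hosts.sh\nexit 0\n"
CONVERT_HOSTS_CLEAN = (
    "#!/bin/bash\n"
    "# constructed stand-in, not the appliance's real script\n"
    "/usr/local/bin/update-hosts --config /opt/appliance/hosts.conf\n"
)
TAMPERED_LINE = "nohup /var/tmp/.cache/svc >/dev/null 2>&1 &"


def demo() -> dict:
    """Baseline two clean files, tamper with one, and run both checks."""
    with tempfile.TemporaryDirectory() as d:
        rc = os.path.join(d, "rc.local")
        ch = os.path.join(d, "convert_hosts.sh")
        for path, body in ((rc, RC_LOCAL_CLEAN), (ch, CONVERT_HOSTS_CLEAN)):
            with open(path, "w") as fh:
                fh.write(body)
        baseline = {p: sha256_file(p) for p in (rc, ch)}  # taken at a known-good time
        with open(ch, "a") as fh:                            # simulated persistence edit
            fh.write(TAMPERED_LINE + "\n")
        changed = changed_files(baseline)
        report = {}
        for p in changed:
            with open(p) as fh:
                report[os.path.basename(p)] = suspicious_lines(fh.read())
        return {"changed": [os.path.basename(p) for p in changed], "suspicious": report}


if __name__ == "__main__":
    result = demo()
    print("changed:", result["changed"])
    for name, hits in result["suspicious"].items():
        for n, line, reason in hits:
            print(f"{name}:{n}: {reason}: {line}")
```

In production the baseline dictionary would be written once from a known-good appliance and stored off-box, and the check run from a cron job or a configuration-management agent; the heuristics are a second opinion for the case where the baseline itself was taken after the compromise.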
Why this matters in broader terms
- The combination of a zero-day with a hardcoded credential and stealthy network pivoting demonstrates a mature, long-horizon operation. It’s a reminder that supply-chain or vendor-side flaws can become weaponized deeply inside enterprise environments, enabling persistent access that’s hard to eradicate without comprehensive containment and remediation.
- The shift to Grimbolt shows attackers optimizing for stealth and performance: native, AOT-compiled execution with UPX packing to defeat static checks, while preserving essential capabilities such as remote control and C2 communication. It's a signal to security teams that detection strategies must evolve beyond signature-based alerts to include behavior-based detection and integrity monitoring of startup scripts and VM networking components.
A provocative takeaway to ponder
- If a single vulnerability can unlock a multi-year backdoor with evolving tooling, should organizations rethink how they segment, monitor, and patch critical infrastructure? And how aggressively should network boundaries be reexamined when virtualization platforms and management consoles are involved? What balance should be struck between rapid patching and maintaining business continuity when remediation steps might temporarily disrupt essential services?
Bottom line questions for discussion
- Are your defense-in-depth controls sufficient to detect and disrupt such staged intrusions, especially in VM environments with open management interfaces?
- Do you believe “ghost NIC” techniques signify a broader, repeatable playbook that modern attackers will reuse against other virtualization platforms?
- How aggressively should enterprises pursue legacy or deprecated management tools in order to reduce attack surfaces, even if that means short-term operational changes?
If you’d like, I can tailor a quick, practical checklist for your VMware and Dell RecoverPoint environments to help you start auditing for these indicators right away.