Chinese hackers exploited a Dell zero-day for 18 months before Dell patched it
- 2 days ago
Key Findings
Chinese state-sponsored hackers tracked as UNC6201 have been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024.
The vulnerability, CVE-2026-22769, carries a CVSS score of 10.0 and allows unauthenticated remote attackers to gain full system access with root-level persistence.
The flaw is a hardcoded administrator password; the attackers pulled it from Apache Tomcat and used it to authenticate to affected systems for at least 18 months.
The campaign is an escalation of the group's earlier Brickstorm activity: Brickstorm has since been replaced with a more advanced successor called Grimbolt.
The full scale of the campaign is unknown, and researchers believe that a significant portion of the group's activity remains undetected.
Background
The Chinese threat group UNC6201, which overlaps with the previously known UNC5221 (also called Silk Typhoon), has been burrowing into critical infrastructure and government agency networks undetected since at least 2022. The group's activities have now escalated with the exploitation of a zero-day vulnerability in Dell RecoverPoint for Virtual Machines.
Vulnerability and Exploitation
The zero-day vulnerability, CVE-2026-22769, stems from a hardcoded administrator password in Dell RecoverPoint for Virtual Machines, which the attackers pulled from Apache Tomcat. Because the same credential ships with every installation, anyone who obtains it can log in to any reachable instance without holding a legitimate account. That is why the flaw carries a 10.0 CVSS rating: unauthenticated remote attackers gain full system access and root-level persistence.
The group exploited this vulnerability for at least 18 months without being detected by security researchers or by Dell's own security teams. Its ability to maintain a long-term presence in the affected networks highlights both its persistence and its technical capability.
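The mechanism above is the classic hardcoded-credential pattern (CWE-798): a secret baked into the product image works against every deployment once anyone extracts it. The following is an added example, not code from Dell, Apache Tomcat, or the article's sources. It shows three things a practitioner would want side by side: an audit of a Tomcat-style `tomcat-users.xml` (a constructed sample, not RecoverPoint's real file) for privileged accounts with plaintext passwords, the vulnerable login check that compares against a compiled-in secret, and the hardened alternative that generates a unique secret at first boot and stores only a salted PBKDF2 hash. The role names are Tomcat's standard manager/admin roles; the plaintext-versus-digest heuristic and the sample credential values are assumptions made for illustration.

```python
"""Added example: audit a Tomcat-style user store for hardcoded admin credentials
(CWE-798) and contrast the vulnerable login pattern with a hardened one.
Not Dell's or Apache Tomcat's code; sample data below is constructed."""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample of a tomcat-users.xml baked into a hypothetical appliance image.
# The passwords are invented; they are not real credentials of any product.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="probe"/>
  <user username="admin" password="Appliance2019!" roles="manager-gui,admin-gui"/>
  <user username="monitor" password="a1b2c3$1$9f86d081884c7d659a2feaa0c55ad015" roles="probe"/>
</tomcat-users>
"""

# Tomcat's built-in roles that grant control of the container or its admin web UIs.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}

# Work factor for the hardened store (OWASP's 2023 minimum for PBKDF2-HMAC-SHA256).
PBKDF2_ROUNDS = 210_000


def _local(tag):
    """Strip the XML namespace so element names compare as plain strings."""
    return tag.rsplit("}", 1)[-1]


def find_privileged_accounts(xml_text, privileged_roles=PRIVILEGED_ROLES):
    """Return every <user> holding a privileged role, flagging plaintext passwords.

    Heuristic (assumption): Tomcat's salted MessageDigestCredentialHandler stores
    'salt$iterations$digest'; a password attribute without that shape is treated
    as plaintext. Anything flagged here is a shared secret in the image.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        held = sorted(roles & privileged_roles)
        if not held:
            continue
        parts = el.get("password", "").split("$")
        digested = len(parts) == 3 and parts[1].isdigit()
        findings.append({"username": el.get("username"), "roles": held,
                         "plaintext": not digested})
    return findings


# Vulnerable pattern (CWE-798): one secret compiled into every copy of the product.
HARDCODED_ADMIN_PASSWORD = "Appliance2019!"   # constructed value for illustration


def vulnerable_login(username, password):
    """Whoever extracts the constant from one install can log in to all of them."""
    return username == "admin" and password == HARDCODED_ADMIN_PASSWORD


def provision_credential_store():
    """Hardened pattern: at first boot, generate a per-install secret, keep only a
    salted PBKDF2 hash, and hand the plaintext to the operator exactly once."""
    initial_password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", initial_password.encode(), salt, PBKDF2_ROUNDS)
    store = {"admin": {"salt": salt, "digest": digest, "must_change": True}}
    return store, initial_password


def verify_login(store, username, password):
    """Constant-time check against the per-install hash; unknown users still pay
    the hashing cost so they are not distinguishable by response time."""
    rec = store.get(username)
    if rec is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate, rec["digest"])


if __name__ == "__main__":
    for f in find_privileged_accounts(SAMPLE_TOMCAT_USERS):
        print(f"{f['username']}: roles={f['roles']} plaintext={f['plaintext']}")
    print("vulnerable login with extracted secret:",
          vulnerable_login("admin", HARDCODED_ADMIN_PASSWORD))
    store, first_boot_password = provision_credential_store()
    print("hardened login with extracted secret:",
          verify_login(store, "admin", HARDCODED_ADMIN_PASSWORD))
    print("hardened login with this install's own secret:",
          verify_login(store, "admin", first_boot_password))
```

Run the audit against the user store of any Tomcat-backed appliance you operate: a privileged account whose password is stored in plaintext and is identical across installs is exactly the condition the article describes, regardless of vendor. The hardened store is only half the fix; the `must_change` flag is there because a first-boot secret should also be rotated by the operator and never written back into a golden image.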
Malware Evolution
The threat group initially used the Brickstorm malware to burrow into the targeted networks. By September 2025, however, the attackers had replaced Brickstorm with a more advanced successor called Grimbolt, which is harder to detect and to reverse-engineer.
This change of tooling shows the group's adaptability: it continues to develop new implants to evade detection and keep its foothold in compromised networks.
Scope and Impact
The full scale of the campaign is still unknown, as researchers believe that a significant portion of the group's activities remains undetected. While Google and Mandiant have identified a few dozen U.S. organizations as being impacted by the Brickstorm malware, the researchers suspect that additional organizations may have been compromised without their knowledge.
The campaign's long duration and the group's ability to maintain persistence in the affected networks make it a significant threat to national security, since the attackers are positioned for long-term espionage, disruption and even sabotage.
Remediation and Response
Dell Technologies disclosed the vulnerability and released a patch on Tuesday. The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Canadian Centre for Cyber Security have also published new analysis of the Brickstorm malware to help potential victims detect and mitigate it.
However, the researchers warn that the group has already moved on to the more advanced Grimbolt malware and may be using undiscovered zero-days and other tooling, so patching this one flaw and hunting for Brickstorm alone will not be enough for defenders to keep pace.
Sources
https://cyberscoop.com/china-brickstorm-grimbolt-dell-zero-day/
https://x.com/arnavsharma/status/2023920002328322545