Dell RecoverPoint Flaw Exploited by China-Linked Hackers to Deploy GrimBolt Malware


Key Findings


  • China-linked hacking group UNC6201 has been exploiting a zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since at least 2024.

  • The vulnerability is a hardcoded credential flaw that allows unauthenticated remote attackers to gain administrator-level access to affected systems.

  • Hackers have used this access to deploy a novel backdoor malware called GrimBolt, which is more advanced and harder to detect than the previously used Brickstone malware.

  • GrimBolt is designed to maintain persistent access, move laterally within networks, and spy on affected organizations.


Background


Dell RecoverPoint for Virtual Machines is a data protection and disaster recovery tool that helps businesses manage backups and recovery of their VMware virtual environments. As a critical infrastructure component, it has become a prime target for state-sponsored hacking groups.


Vulnerability Details


  • The vulnerability, CVE-2026-22769, is a critical flaw with a severity score of 10.0, allowing unauthenticated remote attackers to gain administrator-level access to affected systems.

  • The issue is caused by credentials hardcoded into the software, meaning users cannot easily change or rotate the login details.

  • An attacker with knowledge of these credentials can log in to the management interface and execute commands with the highest level of privileges.


Malware Deployment


  • Once inside the network, the hackers deploy a novel backdoor called GrimBolt, which is more advanced and harder to detect than the previously used Brickstone malware.

  • GrimBolt is a C# backdoor compiled with native ahead-of-time (AOT) compilation, so it ships as machine code rather than the easily decompiled intermediate language of an ordinary C# build, making it harder to reverse-engineer.

  • The malware is designed to maintain persistent access, move laterally within the network, and spy on the affected organizations.

  • In one instance, the hackers used a technique called Ghost NICs to create temporary virtual network ports and move through the network without leaving a trace.


Mitigation Efforts


  • Dell has released a security advisory (DSA-2026-079) urging customers to update to version 6.0.3.1 HF1 or newer as soon as possible.

  • If an immediate update is not possible, Dell recommends running a specific security script and ensuring the software is kept within a protected internal network.

  • Cybersecurity experts have expressed deep concern over the strategic nature of these attacks, noting that compromising resilience infrastructure is a calculated move to weaken a company's ability to recover from disruptions.
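Checking whether an installed build meets the fix level named in DSA-2026-079 is a common inventory task where naive string comparison goes wrong (6.0.3.1 sorts below 6.0.3.1 HF1 lexically, but so does 6.0.10 below 6.0.3.1). The following is an added example written for this page, not code from Dell or the article; it assumes version strings are dotted numbers optionally followed by a hotfix tag such as "HF1", and treats a build without a tag as hotfix 0 of that release.

```python
import re
from typing import Dict, Tuple

# Fixed build as quoted in the article's summary of DSA-2026-079.
FIXED_VERSION = "6.0.3.1 HF1"

# Assumed format: dotted numerics, optional "HF<n>" hotfix tag (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split '6.0.3.1 HF1' into ((6, 0, 3, 1), 1); raise ValueError on junk."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised RecoverPoint version string: {text!r}")
    numeric = tuple(int(part) for part in m.group(1).split("."))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return numeric, hotfix


def _padded(numeric: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # Right-pad so that 6.0.4 compares as 6.0.4.0 against a four-part version.
    return numeric + (0,) * (width - len(numeric))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is at or above the fixed build.

    Numeric components are compared first, the hotfix number last, so a later
    release without any HF tag still counts as newer than 6.0.3.1 HF1."""
    inst_num, inst_hf = parse_version(installed)
    fix_num, fix_hf = parse_version(fixed)
    width = max(len(inst_num), len(fix_num))
    return (_padded(inst_num, width), inst_hf) >= (_padded(fix_num, width), fix_hf)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host in an inventory as 'patched' or 'VULNERABLE'."""
    return {host: ("patched" if is_patched(ver) else "VULNERABLE")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"rp-vm-01": "6.0.3.1", "rp-vm-02": "6.0.3.1 HF1",
              "rp-vm-03": "6.0.4", "rp-vm-04": "5.3.2"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```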


Sources


  • https://hackread.com/china-hackers-dell-recoverpoint-flaw-grimbolt-malware/

  • https://www.cybersecuritydive.com/news/zero-day-dell-recoverpoint-virtual-machines-exploited/812392/

© 2025 by Explain IT Again