Ehedrick
2026-05-04
Cybersecurity

Critical Dell Zero-Day Under Active Exploitation by Chinese-Linked Hackers; New Malware GRIMBOLT Emerges

Critical CVE-2026-22769 zero-day exploited by PRC-linked UNC6201 since mid-2024, deploying new GRIMBOLT backdoor. Mandiant warns of Ghost NICs and SPA techniques. Patch urgently.

Mandiant and Google Threat Intelligence Group (GTIG) have confirmed that a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769 with a CVSSv3.1 score of 10.0, is being actively exploited by the suspected PRC-nexus threat cluster UNC6201. The exploitation has been ongoing since at least mid-2024, enabling lateral movement, persistent access, and deployment of malware including SLAYSTYLE, BRICKSTORM, and a new backdoor dubbed GRIMBOLT.

“This vulnerability represents a worst-case scenario—remotely exploitable, no authentication required, and with the highest possible severity score,” said Peter Ukhanov, senior threat analyst at Mandiant. “UNC6201 has been leveraging it to compromise virtualized environments with alarming efficiency.”

The initial access vector remains unconfirmed, but UNC6201 is known to target edge appliances such as VPN concentrators. Mandiant noted significant overlaps with the actor publicly reported as Silk Typhoon (UNC5221), though GTIG does not currently consider them the same cluster.

GRIMBOLT: A New Tool in the Arsenal

In September 2025, Mandiant observed a campaign where older BRICKSTORM binaries were replaced with GRIMBOLT on compromised Dell RecoverPoint appliances. GRIMBOLT is a C#-written backdoor compiled using native ahead-of-time (AOT) compilation—a technique that complicates static analysis and improves performance on resource-constrained devices. It is packed with UPX and provides a remote shell capability using the same command-and-control infrastructure as BRICKSTORM.
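Of the GRIMBOLT properties described above, UPX packing is the one a defender can check mechanically during triage. The following is an added example (not Mandiant's code and not derived from any GRIMBOLT sample): it walks a PE file's section table and reports the two classic UPX indicators, section names beginning with `UPX` and the `UPX!` magic string that the packer writes into the file. The test fixture is a constructed, non-executable PE32+ built inline so the check runs offline.

```python
import struct

# Layout constants from the PE/COFF specification.
PE_SIG = b"PE\0\0"
COFF_HDR_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
                                   # PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HDR_FMT = "<8sIIIIIIHHI"   # 8-byte Name + 9 numeric fields = 40 bytes
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR_FMT)


def pe_section_names(data: bytes) -> list[str]:
    """Follow MZ -> e_lfanew -> COFF header -> section table and return the section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(COFF_HDR_FMT, data, coff)
    table = coff + struct.calcsize(COFF_HDR_FMT) + opt_size
    names = []
    for i in range(n_sections):
        off = table + i * SECTION_HDR_SIZE
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage_pe(data: bytes) -> dict:
    """Report the two cheap UPX indicators: UPX* section names and the 'UPX!' magic."""
    names = pe_section_names(data)
    upx_names = [n for n in names if n.startswith("UPX")]
    magic = b"UPX!" in data
    return {
        "sections": names,
        "upx_section_names": upx_names,
        "upx_magic": magic,
        "likely_upx": bool(upx_names) or magic,
    }


def build_minimal_pe(section_names, trailer=b"") -> bytes:
    """Constructed fixture: a structurally valid (but not runnable) PE32+ with the
    given section names, so the triage above can be exercised without a sample."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    optional = b"\0" * 240                      # size of a PE32+ optional header
    coff = struct.pack(COFF_HDR_FMT, 0x8664, len(section_names), 0, 0, 0, len(optional), 0x22)
    sections = b"".join(
        struct.pack(SECTION_HDR_FMT, name.encode("ascii"),
                    0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return bytes(dos) + PE_SIG + coff + optional + sections + trailer


if __name__ == "__main__":
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"], trailer=b"UPX!")
    plain = build_minimal_pe([".text", ".rdata", ".data"])
    print(triage_pe(packed))
    print(triage_pe(plain))
```

Both indicators are trivially removed by anyone who rebuilds the packer with renamed sections, so a negative result proves nothing; a positive result only tells you to unpack before looking further. Note also that a natively AOT-compiled C# binary is a plain native PE, so the usual .NET decompilers find no IL to show, which is the static-analysis obstacle the paragraph describes.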

[Image: source www.mandiant.com]

“The shift to GRIMBOLT marks a deliberate evolution in tradecraft,” said Daniel Sislo, reverse engineer at Mandiant. “By moving to AOT-compiled code, the threat actor has made detection and analysis significantly harder for defenders.”

It remains unclear whether this replacement was part of a pre-planned lifecycle update or a reaction to incident response efforts by Mandiant and industry partners.

New Tactics: Ghost NICs and Single Packet Authorization

Beyond appliance exploitation, Mandiant identified novel techniques used by UNC6201 to pivot into VMware virtual infrastructure. Attackers created “Ghost NICs”—hidden virtual network interfaces—for stealthy network pivoting, and employed iptables rules for Single Packet Authorization (SPA) to cloak access to compromised systems.
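The article does not say how UNC6201's SPA rules were built, but an iptables-only Single Packet Authorization or port-knocking gate is usually constructed with the `recent` match module: one rule records the source of a packet to a knock port in a named list, and a second rule accepts traffic to the real service only from sources on that list. The following is an added example (not Mandiant's detection logic) that audits `iptables-save` output for exactly that pattern; the rule set is constructed and the list name, ports and chain are sample values.

```python
import shlex
from collections import defaultdict

# Constructed sample of `iptables-save` output. The two rules naming the
# 'knock' list form an SPA/port-knocking gate: a single packet to UDP 62201
# records the source address, and only recorded sources may then reach
# TCP 22 for 30 seconds. The remaining rules are ordinary firewalling.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 62201 -m recent --name knock --set -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m recent --name knock --rcheck --seconds 30 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# xt_recent options, grouped by whether they take an argument.
RECENT_ACTIONS = {"--set", "--rcheck", "--update", "--remove"}
RECENT_NOARG = RECENT_ACTIONS | {"--rsource", "--rdest", "--reap", "--rttl"}
RECENT_VALUED = {"--name", "--seconds", "--hitcount", "--mask"}


def parse_rule(line: str):
    """Extract chain, protocol, dport, target and any xt_recent usage from one -A rule."""
    if not line.startswith("-A "):
        return None
    toks = shlex.split(line)
    rule = {"chain": toks[1], "proto": None, "dport": None, "target": None,
            "recent_name": None, "recent_ops": set(), "raw": line}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule["proto"] = toks[i + 1]; i += 2
        elif t == "--dport":
            rule["dport"] = toks[i + 1]; i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif t == "-m" and i + 1 < len(toks) and toks[i + 1] == "recent":
            rule["recent_name"] = "DEFAULT"      # iptables' list name when --name is absent
            i += 2
            while i < len(toks) and toks[i] in RECENT_NOARG | RECENT_VALUED:
                opt = toks[i]
                if opt == "--name":
                    rule["recent_name"] = toks[i + 1]
                if opt in RECENT_ACTIONS:
                    rule["recent_ops"].add(opt.lstrip("-"))
                i += 2 if opt in RECENT_VALUED else 1
        else:
            i += 1
    return rule


def find_spa_gates(rules_text: str):
    """Pair list-populating rules (--set) with ACCEPT rules gated on the same list."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    setters, gates = defaultdict(list), []
    for r in rules:
        if "set" in r["recent_ops"]:
            setters[r["recent_name"]].append(r)
        if r["recent_ops"] & {"rcheck", "update"} and r["target"] == "ACCEPT":
            gates.append(r)
    return [
        {
            "chain": g["chain"],
            "list": g["recent_name"],
            "gated_service": f"{g['proto']}/{g['dport']}",
            "knock_ports": [f"{s['proto']}/{s['dport']}" for s in setters[g["recent_name"]]],
            "rule": g["raw"],
        }
        for g in gates
    ]


if __name__ == "__main__":
    for finding in find_spa_gates(SAMPLE_RULES):
        print(finding)
```

Port knocking is also used legitimately by administrators, so a hit is a change to investigate rather than a verdict. On a vendor appliance whose shipped firewall rules are known, any `recent`-gated ACCEPT that is not in the vendor baseline is the kind of unauthorized SPA configuration the remediation guidance below asks you to monitor for.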

“These are not common techniques in cyber espionage,” commented John Scarbrough of GTIG. “The use of Ghost NICs shows a deep understanding of virtualization internals and a dedication to staying undetected.”


Background

UNC6201 is a suspected PRC-nexus threat cluster first documented by Mandiant in connection with BRICKSTORM espionage operations. The group has a history of targeting critical infrastructure and technology companies. Notably, UNC6201 shares behavioral patterns with UNC5221 (Silk Typhoon), but GTIG maintains that the two clusters are distinct until firmer evidence emerges.

Mandiant’s analysis builds on previous research into BRICKSTORM—a modular backdoor used for data exfiltration. The introduction of GRIMBOLT represents a significant departure from past tooling, suggesting the group is actively investing in its capabilities to evade modern defenses.

Remediation and Detection

Dell has released security updates for CVE-2026-22769. Customers are urged to apply patches immediately. Mandiant provided actionable hardening guidance, including network segmentation, strict access controls, and monitoring for unauthorized SPA traffic or anomalous NIC creation.
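One way to operationalise "monitoring for anomalous NIC creation" is to compare each VM's configured network adapters against an approved inventory. The following is an added example, not Mandiant's or Dell's tooling: it parses the `ethernetN.*` keys of a VMX file and reports adapters that are not in the baseline, attached to a different network than approved, on a network outside an allowlist, or missing entirely. The VMX fragment, inventory and network names are constructed. Because the article does not describe how the Ghost NICs were concealed, this is a generic configuration-versus-inventory check, not a detector for that specific technique.

```python
import re

# Constructed VMX fragment for a fictitious appliance VM. ethernet1 is not in
# the approved inventory and sits on a management segment; ethernet2 is a
# stale, non-present device that the audit should ignore.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "recoverpoint-01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet0.networkName = "Backup-Net"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:50:56:aa:bb:01"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "vmxnet3"
ethernet1.networkName = "Mgmt-Net"
ethernet1.addressType = "static"
ethernet1.address = "00:50:56:aa:bb:99"
ethernet2.present = "FALSE"
ethernet2.networkName = "Old-Net"
"""

# Constructed baseline: what the asset inventory says this VM should have,
# and which port groups any VM of this class may touch at all.
APPROVED_NICS = {"ethernet0": "Backup-Net"}
ALLOWED_NETWORKS = {"Backup-Net", "Prod-Net"}

NIC_KEY_RE = re.compile(r'^(ethernet\d+)\.(\w+)\s*=\s*"(.*)"$')


def parse_vmx_nics(vmx_text: str) -> dict:
    """Group ethernetN.* keys by device and drop devices not marked present."""
    nics = {}
    for line in vmx_text.splitlines():
        m = NIC_KEY_RE.match(line.strip())
        if m:
            dev, key, value = m.groups()
            nics.setdefault(dev, {})[key] = value
    return {d: c for d, c in nics.items() if c.get("present", "").upper() == "TRUE"}


def nic_mac(cfg: dict):
    """VMX stores the MAC under a different key depending on addressType."""
    return cfg.get("generatedAddress") or cfg.get("address")


def audit_nics(vmx_text: str, approved: dict, allowed_networks: set):
    """Return (kind, device, mac, network) findings describing drift from the baseline."""
    findings = []
    nics = parse_vmx_nics(vmx_text)
    for dev, cfg in sorted(nics.items()):
        mac, net = nic_mac(cfg), cfg.get("networkName")
        if dev not in approved:
            findings.append(("UNAPPROVED_NIC", dev, mac, net))
        elif approved[dev] != net:
            findings.append(("NETWORK_CHANGED", dev, mac, net))
        if net not in allowed_networks:
            findings.append(("UNLISTED_NETWORK", dev, mac, net))
    for dev, net in approved.items():
        if dev not in nics:
            findings.append(("MISSING_NIC", dev, None, net))
    return findings


if __name__ == "__main__":
    for finding in audit_nics(SAMPLE_VMX, APPROVED_NICS, ALLOWED_NETWORKS):
        print(*finding)
```

The VMX on the datastore is only one view of the adapter set. The same comparison is worth running against the hypervisor's live inventory and against what the guest itself reports; an adapter that appears in one view and not another is a finding in its own right, and that is exactly the kind of discrepancy a hidden interface would produce.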

“Organizations using Dell RecoverPoint for Virtual Machines must treat this as an emergency,” said Nick Harbour of Mandiant. “Given the CVSS 10.0 rating and active exploitation, every hour without patching increases the risk of compromise.”

What This Means

The exploitation of CVE-2026-22769 underscores the growing threat to virtualized infrastructure. Attackers are increasingly targeting management and recovery appliances, which often have privileged network access yet are less monitored than production servers. The appearance of GRIMBOLT, with its AOT compilation and stealthy features, signals that state-sponsored groups are continuously evolving to bypass detection.

For defenders, this campaign highlights the need for proactive threat hunting, especially in VMware environments. The integration of Ghost NICs and SPA into attack chains raises the bar for visibility. Organizations should assume that such advanced tactics will become more common.