China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection
Summary
China-linked hackers exploited a Dell RecoverPoint zero-day (CVE-2026-22769) since mid-2024 to deploy malware like Grimbolt for long-term access. Dell patched the flaw and warns of active exploitation.
Dell patches a major vulnerability
China-linked attackers exploited a maximum-severity hardcoded-credential bug in Dell RecoverPoint for Virtual Machines as a zero-day since at least mid-2024. Google’s Mandiant incident response team discovered the campaign while investigating compromised environments. The attackers used the flaw to backdoor infected machines for long-term access to sensitive data.
Dell disclosed and patched the critical flaw, tracked as CVE-2026-22769, on Tuesday. The company confirmed that hackers exploited the bug before a fix became available. Dell representatives urged customers to implement remediations immediately to prevent further unauthorized access.
The campaign targets Dell RecoverPoint, a software suite that provides continuous data protection and disaster recovery for virtualized environments. Because these systems handle backup and replication, they often possess high-level privileges across an organization's entire server infrastructure. This makes them a primary target for state-sponsored actors seeking persistent visibility into corporate networks.
Attackers used hardcoded system passwords
The vulnerability stems from a hardcoded password within the Apache Tomcat configuration used by Dell RecoverPoint. Attackers discovered this static credential and used it to log into the Apache Tomcat Manager as an administrator. This access allowed the intruders to upload malicious files directly to the server.
Security analysts observed multiple web requests to vulnerable appliances using the "admin" username. Once logged in, the attackers deployed a WAR file containing a web shell known as Slaystyle. This web shell provides a persistent interface for executing commands on the underlying operating system.
UNC6201, a threat cluster with suspected links to the Chinese government, led the exploitation efforts. Mandiant identifies this group as a sophisticated actor focused on lateral movement and maintaining stealth. The group uses the following tools during their operations:
- Slaystyle: A web shell used for initial command execution and file management.
- Brickstorm: A backdoor that facilitates remote shell access and command-and-control communication.
- Grimbolt: A novel backdoor designed to replace older malware and evade detection.
- Ghost NICs: Temporary, hidden network interfaces used to pivot through virtual infrastructure.
By exploiting the hardcoded credential, an unauthenticated remote attacker gains root-level persistence. This allows the actor to survive system reboots and maintain control even after traditional security software attempts to clear the infection. The attackers modified a legitimate shell script named convert_hosts.sh to ensure their malware launched every time the appliance started.
New malware bypasses security scans
The attackers recently upgraded their toolkit to include a new backdoor called Grimbolt. While earlier versions of the Brickstorm backdoor used the Go and Rust programming languages, the group transitioned to C# for Grimbolt in September 2025. This shift suggests a deliberate effort to bypass security tools that have grown accustomed to detecting Go-based threats.
Grimbolt utilizes native ahead-of-time (AOT) compilation to translate its code into machine code before the application runs. This technique improves performance on resource-constrained appliances and makes static analysis significantly more difficult for defenders. Security software often struggles to parse AOT-compiled binaries compared to standard interpreted or JIT-compiled code.
The malware also uses UPX, an executable packer that compresses the binary files. This compression adds another layer of obfuscation, hiding the malware's true intent from basic file scanners. Despite these changes in delivery and compilation, Grimbolt retains the same remote shell capabilities as its predecessor, Brickstorm.
Mandiant researchers noted that the attackers often replaced older Brickstorm binaries with Grimbolt once they established a foothold. This behavior indicates a maintenance phase where the attackers actively update their presence to stay ahead of modern endpoint detection and response (EDR) platforms. The group uses the same command-and-control infrastructure for both malware families, allowing for a seamless transition between tools.
Hackers created hidden network paths
After gaining access to the Dell appliances, UNC6201 moved deeper into the VMware virtual infrastructure. The attackers created "ghost NICs" on existing virtual machines running on ESXi servers. These are hidden, temporary network interface cards that do not appear in standard management consoles.
These ghost NICs allow the attackers to pivot laterally through a victim's network without triggering alerts in traditional network monitoring tools. By operating at the hypervisor level, the intruders can intercept traffic or access isolated network segments that are otherwise unreachable. This technique demonstrates a high level of familiarity with VMware internals and virtualized networking protocols.
The use of ghost NICs complicates the recovery process for IT teams. Simply removing the malware from the Dell RecoverPoint appliance may not be enough if the attackers have already established secondary paths through the virtual environment. Mandiant recommends that organizations check their ESXi configurations for unauthorized network interfaces or unusual vSwitch modifications.
The discovery of this zero-day follows a pattern of Chinese state-sponsored actors targeting edge devices and infrastructure software. These systems often lack the same level of telemetry and logging as standard workstations, providing a "blind spot" for security teams. The attackers prioritize these targets to enable long-term access and potential sabotage of critical systems.
Federal agencies warn of persistence
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and CrowdStrike previously warned about Chinese groups targeting VMware environments. Federal officials stated that these actors are not merely looking for data; they are embedding themselves into the core of American networks. This level of access allows for disruption during periods of geopolitical tension.
Mandiant currently tracks fewer than a dozen organizations affected by the CVE-2026-22769 exploit. However, the full scale of the campaign remains unknown. Security teams recommend that any organization previously targeted by Brickstorm malware immediately scan its environment for signs of Grimbolt.
The technical details of the campaign highlight several key indicators for defenders to monitor:
- Unauthorized modifications to the /etc/rc.local file or the convert_hosts.sh script.
- Unexpected Apache Tomcat Manager logs showing successful logins from external or unusual internal IP addresses.
- Presence of UPX-compressed C# binaries on Linux-based virtual appliances.
- Discrepancies between the number of NICs reported by the guest operating system and the VMware vCenter console.
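As an added illustration of the second and fourth indicators above (this is example code written for this article, not tooling from Mandiant or Dell), the following Python triage script flags successful Tomcat Manager use from untrusted addresses and WAR upload requests in constructed access-log lines, and lists NIC MAC addresses that the guest OS reports but the vCenter inventory does not. The common log format, the /manager mount point, the trusted-IP list and the MAC inventories are assumptions.

```python
import re
from collections import namedtuple

# Common Log Format with optional referrer/user-agent; the remote user is field 3.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Manager endpoints that accept a WAR (HTML upload form and the text/scripting API).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

Finding = namedtuple("Finding", "ip user path status reason")

def triage_tomcat_log(lines, trusted_ips):
    """Return findings for successful Manager use from untrusted IPs and any WAR upload."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, status, ip = m["path"], int(m["status"]), m["ip"]
        if not path.startswith("/manager"):
            continue
        if status >= 400:  # 401/403 is a rejected attempt, not a login
            continue
        if path.startswith(DEPLOY_PATHS):
            findings.append(Finding(ip, m["user"], path, status, "WAR upload via Manager"))
        elif ip not in trusted_ips:
            findings.append(Finding(ip, m["user"], path, status, "Manager access from untrusted IP"))
    return findings

def nic_discrepancies(guest_macs, vcenter_macs):
    """MACs seen by the guest OS but missing from vCenter, and vice versa (case-insensitive)."""
    guest, vc = {m.lower() for m in guest_macs}, {m.lower() for m in vcenter_macs}
    return sorted(guest - vc), sorted(vc - guest)

# Constructed sample log lines (not real traffic): a rejected probe, a login, a WAR upload.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - admin [12/Feb/2026:10:01:05 +0000] "GET /manager/html HTTP/1.1" 200 18211',
    '203.0.113.7 - admin [12/Feb/2026:10:01:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 19002',
    '10.0.0.5 - admin [12/Feb/2026:11:00:00 +0000] "GET /manager/html HTTP/1.1" 200 18211',
    '10.0.0.9 - - [12/Feb/2026:11:02:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in triage_tomcat_log(SAMPLE_LOG, trusted_ips={"10.0.0.5"}):
        print(f)
    print(nic_discrepancies(["00:50:56:aa:bb:01", "00:50:56:aa:bb:02"], ["00:50:56:AA:BB:01"]))
```

On a real appliance, point the script at the Tomcat access log and feed the MAC lists from the guest's interface table and the vCenter VM hardware inventory.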
Dell has released security updates for all affected versions of RecoverPoint for Virtual Machines. The company maintains that the exploitation is "limited" but encourages a rapid patching cycle. As state-sponsored groups continue to exploit hardcoded credentials and edge vulnerabilities, the security of infrastructure-level software remains a critical point of failure for global enterprises.