China-Linked Hackers Exploited Dell Zero-Day Since 2024

▼ Summary
– A suspected China-linked cyberespionage group (UNC6201) has been exploiting a critical zero-day flaw in Dell’s RecoverPoint software since at least mid-2024.
– The attackers used stealthy backdoors (BRICKSTORM, GRIMBOLT) and a webshell (SLAYSTYLE) to maintain long-term access and employed novel tactics to pivot into VMware infrastructure.
– The initial compromise was likely facilitated by default administrative credentials hard-coded in a configuration file on the Dell appliance, which gave the attackers access to the Tomcat Manager service to deploy malicious files.
– The newer GRIMBOLT backdoor is compiled to native machine code, which lets it run on resource-constrained appliances and makes it harder for static analysis tools to detect.
– Dell, Mandiant, and Google have provided remediation steps, indicators of compromise, and detection rules for the vulnerability and associated malware.
A sophisticated cyberespionage campaign, linked to a suspected China-based threat group, has been actively exploiting a critical security flaw in Dell backup software for over a year. New findings from Google’s Threat Intelligence Group and Mandiant reveal that attackers have been leveraging a zero-day vulnerability, tracked as CVE-2026-22769, in Dell’s RecoverPoint for Virtual Machines since at least mid-2024. This long-running operation allowed the group to implant stealthy backdoors and maintain persistent access within the networks of targeted organizations.
The threat actors, identified as UNC6201, deployed a suite of malicious tools to keep their foothold hidden. These included the BRICKSTORM and GRIMBOLT backdoors, alongside a webshell known as SLAYSTYLE. Researchers noted that the group’s activities extended beyond compromising the Dell appliance itself. They moved laterally into VMware virtual environments, creating concealed “Ghost NICs” (hidden virtual network interfaces) for stealthy network movement, and used iptables rules to implement Single Packet Authorization, a firewall technique that keeps a backdoor’s listening port closed to everyone until a specially crafted packet arrives from the operator.
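To make the iptables-based Single Packet Authorization technique concrete, here is an added example (not code from the Google/Mandiant report, Dell, or the attackers’ tooling) that parses an `iptables-save` dump and pairs a knock trigger (a rule that records the source of a packet carrying a marker string) with the gate it opens (a rule that accepts traffic on a normally closed port only for sources on that list). The ruleset, list name, port numbers and marker string are all constructed for the example and are not indicators from the campaign.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample in `iptables-save` format. The ports, the "knock" list
# name and the marker string are invented for this example; they are not
# indicators of compromise from the report.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 62201 -m string --string "OPENSESAME" --algo bm -m recent --name knock --set -j DROP
-A INPUT -p tcp -m tcp --dport 8443 -m recent --name knock --rcheck --seconds 30 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j DROP
COMMIT
"""


@dataclass
class Rule:
    chain: str
    raw: str
    opts: dict = field(default_factory=dict)   # "--dport" -> "8443", "--set" -> True
    modules: list = field(default_factory=list)  # match extensions loaded with -m
    target: str = ""                             # jump target (-j)


def parse_rules(text):
    """Tokenize every '-A' line of an iptables-save dump into a Rule."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)  # shlex handles the quoted --string value
        rule = Rule(chain=toks[1], raw=line)
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "-m":
                rule.modules.append(toks[i + 1])
                i += 2
            elif tok == "-j":
                rule.target = toks[i + 1]
                i += 2
            elif tok.startswith("-"):
                # An option takes a value unless the next token is itself an option
                # (flags such as --set and --rcheck have no value).
                if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    rule.opts[tok] = toks[i + 1]
                    i += 2
                else:
                    rule.opts[tok] = True
                    i += 1
            else:
                i += 1  # e.g. a '!' negation marker
        rules.append(rule)
    return rules


def find_spa_gates(rules):
    """Report ports that are only opened after a knock.

    A trigger is a rule that adds the packet source to a 'recent' list
    (-m recent --set), usually keyed on a payload marker (-m string).
    A gate is an ACCEPT rule that consults the same list (--rcheck/--update).
    """
    triggers = {}
    for r in rules:
        if "recent" in r.modules and r.opts.get("--set"):
            triggers[r.opts.get("--name", "DEFAULT")] = r

    findings = []
    for r in rules:
        if "recent" not in r.modules or r.target != "ACCEPT":
            continue
        if not (r.opts.get("--rcheck") or r.opts.get("--update")):
            continue
        name = r.opts.get("--name", "DEFAULT")
        trig = triggers.get(name)
        findings.append({
            "list": name,
            "gated_port": r.opts.get("--dport"),
            "trigger_port": trig.opts.get("--dport") if trig else None,
            "trigger_string": trig.opts.get("--string") if trig else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_spa_gates(parse_rules(SAMPLE_RULESET)):
        print(f"port {f['gated_port']} is gated by list '{f['list']}' "
              f"(knock: port {f['trigger_port']}, marker {f['trigger_string']!r})")
```

Run it against a real dump with `iptables-save | python3 spa_audit.py` after swapping the sample for `sys.stdin.read()`. Port knocking has legitimate uses, so a hit is a lead to compare against the vendor’s shipped ruleset rather than proof of compromise, and an implant could gate access with other matches (nftables, `-m u32`, ipset) that this parser does not cover; use the published IoCs and YARA rules alongside it.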
While the exact initial access vector has not been confirmed, investigators found that the attackers most likely used default administrative credentials shipped with the appliance. A configuration file on the compromised Dell appliances contained hard-coded login details for the Tomcat Manager service. With those credentials an attacker can authenticate to Tomcat Manager, upload a malicious file, and ultimately execute commands with the highest level of system privileges on the appliance, effectively taking full control of the device.
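A practitioner reading this will want to know whether any of their own Tomcat deployments carry the same weakness. The following is an added example, not code from Dell, Mandiant or Google, that audits a Tomcat `tomcat-users.xml` for accounts holding Manager roles whose password is a well-known default or is stored in plaintext. The article does not say which Dell configuration file held the credentials, so treating it as `tomcat-users.xml` is an assumption; the sample file, the usernames and passwords in it, and the default-credential list are all constructed for the example and are not the credentials recovered from the appliances.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml. The accounts below are invented for this
# example; they are not the hard-coded credentials from the Dell appliance.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script"/>
  <user username="deployer"
        password="c1a2b3d4$10000$9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
        roles="manager-script"/>
  <user username="viewer" password="viewer" roles="admin-gui"/>
</tomcat-users>
"""

# Roles that grant access to the Manager application (deploy/undeploy, JMX, status).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Short constructed list of widely known default pairs (several come from Tomcat's
# own example tomcat-users.xml). Extend it from your own baseline; it is not the
# credential set from the advisory.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("tomcat", "tomcat"),
    ("tomcat", "s3cret"), ("manager", "manager"), ("role1", "tomcat"),
    ("both", "tomcat"),
}


def _local(tag):
    """Strip the XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def _is_hex(s):
    return bool(s) and all(c in "0123456789abcdefABCDEF" for c in s)


def looks_hashed(password):
    """Heuristic for Tomcat's MessageDigestCredentialHandler output.

    Salted credentials are stored as 'salt$iterations$digest' (salt and digest
    in hex); legacy unsalted digests are a bare hex string. Anything else is
    treated as plaintext.
    """
    parts = password.split("$")
    if len(parts) == 3:
        return _is_hex(parts[0]) and parts[1].isdigit() and _is_hex(parts[2])
    return len(parts) == 1 and _is_hex(password) and len(password) >= 32


def audit_tomcat_users(xml_text):
    """Return findings for Manager-role users with default or plaintext passwords."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name", "")  # Tomcat accepts either attribute
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        mgr_roles = roles & MANAGER_ROLES
        if not mgr_roles:
            continue  # no Manager access, out of scope for this check
        issues = []
        if (name, pw) in KNOWN_DEFAULTS:
            issues.append("known-default-credential")
        if not looks_hashed(pw):
            issues.append("plaintext-password")
        if issues:
            findings.append({"user": name, "roles": sorted(mgr_roles), "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f['user']}: roles={f['roles']} issues={f['issues']}")
```

Point it at `$CATALINA_BASE/conf/tomcat-users.xml` on each host; on an appliance, also check whether the Manager application is deployed at all, since removing it or binding it to localhost closes the upload path regardless of the credentials. A clean result here does not rule out credentials defined in another realm (JNDI, database, LDAP).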
The BRICKSTORM backdoor is a known tool used by related Chinese threat clusters and is particularly effective on appliances where endpoint security software cannot be installed, which lets the attackers operate undetected for extended periods. The newer GRIMBOLT backdoor represents a technical evolution: it is compiled directly into native machine code so that it runs efficiently on resource-constrained devices and evades detection by static analysis tools. For persistence, the attackers modified a legitimate system script on the appliance so that the backdoor is launched automatically.
It is uncertain whether the shift from BRICKSTORM to GRIMBOLT was a planned upgrade by the threat actors or a direct response to cybersecurity investigations. The research highlights the group’s adaptability and focus on maintaining long-term, covert access to victim networks.
For organizations using Dell RecoverPoint for Virtual Machines, immediate action is required. Dell has released official remediation guidance for the CVE-2026-22769 vulnerability. Mandiant and Google have also published detailed indicators of compromise, forensic artifacts that identify a breach, and YARA rules to help security teams detect the GRIMBOLT backdoor and the SLAYSTYLE webshell. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its advisory on the BRICKSTORM backdoor with the latest threat information.
(Source: HelpNet Security)
