Chinese APT Exploits Dell Zero-Day Flaw to Gain Persistent VMware Access

Mandiant uncovers a two-year Chinese hacking campaign exploiting a Dell RecoverPoint zero-day to infiltrate VMware environments.


Key Takeaways:

  • PRC-linked hackers exploited a Dell RecoverPoint zero-day for nearly two years.
  • The flaw enabled persistent access and advanced malware deployment in VMware environments.
  • Dell and Mandiant urge immediate patching, monitoring, and stronger segmentation.

Chinese state-sponsored hackers have quietly leveraged a hard-coded credential flaw in Dell RecoverPoint for Virtual Machines for nearly two years, weaponizing it as a powerful zero-day entry point. The vulnerability grants attackers deep, persistent access to compromised environments, which enables long-term lateral movement and covert control over virtualized infrastructure.

RecoverPoint for Virtual Machines (RP4VM) is Dell’s data‑protection and disaster‑recovery solution designed specifically for VMware environments. It enables organizations to replicate, back up, and restore virtual machines with minimal downtime. This service operates as an appliance that manages VM‑level replication and recovery, and offers continuous data protection so users can roll workloads back to specific points in time after failures or cyber incidents. RP4VM helps maintain business continuity and resilience across virtualized systems by integrating directly into VMware infrastructure.

How was the Dell hard-coded credential flaw abused?

Google’s Mandiant published an alert about the Dell zero-day vulnerability (tracked as CVE-2026-22769) on February 17, 2026. The Chinese threat cluster behind the attacks, tracked as UNC6201, has exploited this flaw since mid-2024 to deploy malware including Slaystyle and Brickstorm, as well as a separate backdoor called Grimbolt.

“Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT,” the Google Threat Intelligence Group explained.

Grimbolt is a C#‑based backdoor compiled with native ahead‑of‑time (AOT) techniques, meaning its code is converted into machine‑level instructions before execution. The resulting binary is further compressed with the UPX packer, which makes it smaller and harder for static analysis tools to inspect. These design choices help the malware run efficiently on resource‑constrained appliances while reducing the likelihood of detection. Grimbolt nonetheless mirrors its predecessor Brickstorm by offering remote shell access and relying on the same command‑and‑control infrastructure.
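A quick static-triage check for the packing described above, added here as an illustration rather than code from Mandiant or Dell: UPX leaves a literal "UPX!" marker in the files it produces, and packed or compressed code has near-random byte statistics, so measuring Shannon entropy catches packers that strip the marker. The sample buffers are constructed in the script and are not real malware; the 7.0 bits-per-byte threshold is an assumed heuristic, not a value from the article.

```python
import math
import random

# Magic string UPX writes into its packed output. A modified UPX build can strip it,
# so absence of the marker is not proof that a file is unpacked.
UPX_MARKER = b"UPX!"

# Assumed heuristic: bytes of compressed or encrypted data score close to 8.0 bits/byte,
# plain code and text usually score well below 7.0.
ENTROPY_PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_binary(data: bytes) -> dict:
    """Flag a buffer as likely packed if it carries the UPX marker or is high-entropy."""
    has_marker = UPX_MARKER in data
    entropy = shannon_entropy(data)
    return {
        "upx_marker": has_marker,
        "entropy": round(entropy, 2),
        "likely_packed": has_marker or entropy >= ENTROPY_PACKED_THRESHOLD,
    }


def make_samples() -> dict:
    """Constructed sample buffers (not real binaries): one packed-looking, one plain."""
    rng = random.Random(1234)  # seeded so the result is reproducible
    packed = b"\x7fELF" + UPX_MARKER + bytes(rng.getrandbits(8) for _ in range(4096))
    plain = b"\x7fELF" + (b"Hello from a plain, uncompressed text section.\n" * 80)
    return {"packed": packed, "plain": plain}


if __name__ == "__main__":
    for name, buf in make_samples().items():
        print(name, triage_binary(buf))
```

Run on a real appliance binary by reading the file into `triage_binary`; a hit is a reason to pull the file for deeper analysis, not a verdict on its own, since legitimate software is sometimes UPX-packed too.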

Dell’s RecoverPoint for Virtual Machines relies on Apache Tomcat for its web interface, and researchers found that attackers leveraged a hard-coded Tomcat credential to upload a malicious WAR package that deployed the SLAYSTYLE web shell. After gaining that foothold on the Dell appliance, UNC6201 pivoted inside VMware environments by spinning up covert “ghost NICs” to stealthily traverse deeper into victims’ infrastructure. Ghost NICs are short‑lived, hidden virtual network interfaces on ESXi‑hosted VMs.
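The WAR-upload step leaves a trace in Tomcat's access log, and the following detection script, added here as an example and not taken from the article, Dell or Mandiant, shows what to look for: a successful PUT or POST to a Manager deployment endpoint, followed by the first request into the freshly created context. The log lines are constructed; the assumption that the upload went through the standard Tomcat Manager endpoints (`/manager/text/deploy`, `/manager/html/upload`) is mine, since the article does not name the exact path used.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Tomcat "common" access-log format, e.g.
# 10.0.0.5 - admin [17/Feb/2026:10:15:30 +0000] "PUT /manager/text/deploy?path=/status HTTP/1.1" 200 73
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Deployment endpoints of the standard Tomcat Manager application (assumed upload path;
# the article does not say which endpoint the attackers used).
DEPLOY_PATHS = {"/manager/text/deploy", "/manager/html/upload"}

# Constructed sample log: a Manager login, a WAR deploy into context /status, the first
# hit on that context, and an unrelated request to the appliance UI.
CONSTRUCTED_LOG = [
    '10.0.0.5 - admin [17/Feb/2026:10:15:22 +0000] "GET /manager/html HTTP/1.1" 200 1024',
    '10.0.0.5 - admin [17/Feb/2026:10:15:30 +0000] "PUT /manager/text/deploy?path=/status HTTP/1.1" 200 73',
    '10.0.0.5 - - [17/Feb/2026:10:16:01 +0000] "POST /status/index.jsp HTTP/1.1" 200 512',
    '192.168.1.10 - - [17/Feb/2026:10:20:00 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 2048',
]


@dataclass
class Finding:
    ts: str
    src: str
    user: str
    method: str
    target: str
    reason: str


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_war_deploys(lines):
    """Flag successful WAR deployments via the Manager app and the first request to each new context."""
    findings = []
    new_contexts = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["target"].partition("?")
        success = rec["status"].startswith("2")
        if success and rec["method"] in {"PUT", "POST"} and path in DEPLOY_PATHS:
            # The text manager names the target context in the "path" query parameter.
            ctx = parse_qs(query).get("path", ["(unknown)"])[0]
            new_contexts.add(ctx)
            findings.append(Finding(rec["ts"], rec["src"], rec["user"], rec["method"],
                                    rec["target"], f"WAR deploy via Tomcat Manager, new context {ctx}"))
            continue
        # Context root of an ordinary request: "/status/index.jsp" -> "/status".
        ctx = "/" + path.lstrip("/").split("/", 1)[0]
        if ctx in new_contexts:
            findings.append(Finding(rec["ts"], rec["src"], rec["user"], rec["method"],
                                    rec["target"], f"first request to freshly deployed context {ctx}"))
            new_contexts.discard(ctx)
    return findings


if __name__ == "__main__":
    for f in detect_war_deploys(CONSTRUCTED_LOG):
        print(f"{f.ts} {f.src} {f.user} {f.method} {f.target}: {f.reason}")
```

On an appliance that should never see an interactive Manager deployment, any hit on the first rule is worth an alert by itself; the second rule helps tie the upload to the web shell's first use and the source address that drove it.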

Dell’s patch guidance and remediation steps

Dell advises affected organizations to upgrade to the 6.0.3.1 HF1 version of RecoverPoint for Virtual Machines. Administrators should run a remediation script as detailed in the security advisory. CISA has given federal agencies just three days to patch this actively exploited Dell bug.

Finally, organizations are also advised to improve detection by hunting for indicators tied to UNC6201’s tools (such as GRIMBOLT, BRICKSTORM, and related network artifacts) and to tighten security around edge appliances. Administrators should also apply stronger network segmentation, enhance monitoring for unusual VMware activity, and adopt the actionable detection and hardening steps detailed by Mandiant to reduce exposure to similar intrusion techniques.
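One concrete form of "monitoring for unusual VMware activity" is to watch for the ghost NICs described earlier: a virtual NIC that is added to a VM and removed again shortly afterwards, or one that appears on a VM that has no business being multi-homed. The script below is an added example, not code from Mandiant or Dell; it works over a constructed, simplified list of reconfiguration events (a real feed would be built from vCenter's VmReconfiguredEvent records), and the two-hour "short-lived" window is an assumed threshold to tune per environment.

```python
from datetime import datetime, timedelta

# Assumed threshold: a NIC attached and detached within this window is treated as short-lived.
SHORT_LIVED = timedelta(hours=2)

# Constructed, simplified reconfiguration events (not real vCenter output). Timestamps are
# ISO 8601 so that sorting the strings also sorts them chronologically.
CONSTRUCTED_EVENTS = [
    {"ts": "2026-02-16T22:10:00", "vm": "db-02",  "action": "nic_add",    "nic": "ethernet1", "network": "Backup"},
    {"ts": "2026-02-16T22:48:00", "vm": "db-02",  "action": "nic_remove", "nic": "ethernet1", "network": "Backup"},
    {"ts": "2026-02-10T09:00:00", "vm": "web-01", "action": "nic_add",    "nic": "ethernet1", "network": "DMZ"},
    {"ts": "2026-02-17T03:05:00", "vm": "app-07", "action": "nic_add",    "nic": "ethernet2", "network": "Mgmt"},
]


def find_ghost_nics(events, window=SHORT_LIVED):
    """Pair nic_add/nic_remove events per (vm, nic).

    Returns the pairs whose lifetime is within `window` (ghost-NIC candidates) and the
    adds that never saw a matching remove (NICs still attached, worth an inventory check).
    """
    pending = {}       # (vm, nic) -> (added_at, network)
    short_lived = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["vm"], ev["nic"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "nic_add":
            pending[key] = (ts, ev["network"])
        elif ev["action"] == "nic_remove" and key in pending:
            added_at, network = pending.pop(key)
            lifetime = ts - added_at
            if lifetime <= window:
                short_lived.append({
                    "vm": ev["vm"],
                    "nic": ev["nic"],
                    "network": network,
                    "lifetime_minutes": int(lifetime.total_seconds() // 60),
                })
    still_attached = [
        {"vm": vm, "nic": nic, "network": network, "since": added_at.isoformat()}
        for (vm, nic), (added_at, network) in pending.items()
    ]
    return {"short_lived": short_lived, "still_attached": still_attached}


if __name__ == "__main__":
    result = find_ghost_nics(CONSTRUCTED_EVENTS)
    for hit in result["short_lived"]:
        print(f"ghost NIC candidate: {hit['vm']} {hit['nic']} on {hit['network']}, "
              f"lived {hit['lifetime_minutes']} min")
    for nic in result["still_attached"]:
        print(f"NIC still attached: {nic['vm']} {nic['nic']} on {nic['network']} since {nic['since']}")
```

Short-lived adds on backup, management or replication networks deserve the most attention, because those are the segments an attacker on a data-protection appliance would want to reach; correlating the event's user and source with change tickets separates a one-off admin fix from a covert pivot.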