Dell Zero-Day CVE-2026-22769 Exploited by Chinese Hackers for Advanced Malware Deployment

Critical Dell Zero-Day Exploited by Chinese Hackers to Deploy Advanced Malware

A critical zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines, identified as CVE-2026-22769, has been actively exploited by Chinese state-sponsored hackers since mid-2024. This flaw, carrying a maximum CVSSv3.1 score of 10.0, has enabled attackers to infiltrate networks, maintain persistent access, and deploy sophisticated malware strains, including SLAYSTYLE, BRICKSTORM, and a newly discovered backdoor named GRIMBOLT.

Background and Attribution

The exploitation campaign is attributed to UNC6201, a threat cluster with ties to the People’s Republic of China, sharing significant overlaps with the group publicly known as Silk Typhoon (UNC5221). Mandiant and the Google Threat Intelligence Group (GTIG) have observed that these attackers have leveraged the vulnerability to move laterally across networks and establish long-term footholds within compromised environments.

Technical Details of the Vulnerability

The root cause of CVE-2026-22769 lies in the configuration of the Apache Tomcat Manager within Dell RecoverPoint appliances. Security researchers discovered hardcoded default credentials for the ‘admin’ user in the `/home/kos/tomcat9/tomcat-users.xml` file. This oversight allows unauthenticated remote attackers to access the Tomcat Manager, a component responsible for deploying software updates and performing management tasks.

Once authenticated, attackers can exploit the `/manager/text/deploy` endpoint to upload malicious Web Application Archive (WAR) files. In observed attacks, this method was used to deploy the SLAYSTYLE web shell, granting root-level command execution capabilities on the compromised appliance.
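The weakness described in the two paragraphs above is a configuration defect, so it can be audited from disk. The script below is an added example (not Dell's or Apache Tomcat's code) that parses a tomcat-users.xml and reports accounts holding Manager roles with a default username or a clear-text password; the embedded XML is a constructed stand-in, and the username watch-list and the "digest contains `$`" heuristic are assumptions. Pointing it at the appliance's own file (`/home/kos/tomcat9/tomcat-users.xml` on the affected product) is the check that mitigation step 2 below calls for.

```python
"""Audit a Tomcat tomcat-users.xml for accounts that can reach the Manager app.

Added example; not Dell's or Apache Tomcat's code. The XML below is a
constructed stand-in for a tomcat-users.xml, not content taken from any
appliance. The username watch-list and the digest heuristic are assumptions.
"""
import sys
import xml.etree.ElementTree as ET

# Tomcat roles that grant access to the Manager application; manager-script in
# particular unlocks the text interface (/manager/text/...) used for WAR deployment.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
# Usernames commonly shipped as defaults (assumed watch-list).
DEFAULT_USERNAMES = {"admin", "tomcat", "manager", "root"}

# Constructed sample: one default account, one digested-password account, one
# custom account whose password is stored in clear text.
SAMPLE_XML = """<?xml version="1.0"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="admin" password="changeme" roles="manager-gui,manager-script"/>
  <user username="monitor" password="9f3a$10000$0c1d2e3f" roles="manager-status"/>
  <user username="ops" password="correct-horse-battery" roles="manager-script"/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip the XML namespace so <user> is found whether or not xmlns is set."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, finding) pairs for accounts holding a Manager role."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local_name(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # cannot reach /manager at all; nothing to report
        if name.lower() in DEFAULT_USERNAMES:
            findings.append((name, "default-username-has-manager-role"))
        password = el.get("password") or ""
        # Heuristic (assumption): Tomcat's digested form is salt$iterations$hash,
        # so a value without '$' is treated as a clear-text password.
        if "$" not in password:
            findings.append((name, "password-stored-in-clear-text"))
        if "manager-script" in roles:
            findings.append((name, "manager-script-role-allows-remote-war-deploy"))
    return findings


def audit_file(path):
    """Audit a tomcat-users.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_tomcat_users(fh.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_file(target) if target else audit_tomcat_users(SAMPLE_XML)
    for user, finding in results:
        print(f"{user}: {finding}")
    sys.exit(1 if results else 0)
```

The non-zero exit status makes the script usable as a compliance check in a scheduled job; any account that reaches the Manager application with a shipped username or an undigested password should be replaced, and Manager roles removed from accounts that do not need them.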

Evolution of Malware Deployment

A notable development in this campaign is the transition from the BRICKSTORM backdoor to a new malware family dubbed GRIMBOLT. First observed in September 2025, this shift indicates a maturation in the attackers’ tradecraft, aiming to evade detection and optimize performance on resource-constrained edge devices.

GRIMBOLT is written in C#, but unlike traditional .NET malware, which ships as Common Intermediate Language (CIL) and is Just-In-Time (JIT) compiled at run time, it is built with Native Ahead-of-Time (AOT) compilation. This converts the code directly into machine-native code during the build process and strips the CIL metadata that security tools typically scan. The resulting binary is additionally packed with UPX to complicate static analysis.

To maintain persistence, UNC6201 modifies the legitimate `convert_hosts.sh` script, ensuring the backdoor executes automatically at system boot via `rc.local`.
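Both the packed Native AOT binary and the edited boot script leave host-level traces a defender can look for. The script below is an added example (not Dell's code) that serves the two paragraphs above: it compares a boot-time script against a known-good hash, lists absolute paths the script references that are not on an expected list, and checks whether any of those files carry the literal `UPX!` marker that UPX leaves in packed executables. The script contents, baseline hash, file paths and fake binaries are constructed stand-ins for `convert_hosts.sh` and what it launches, and the expected-path list is an assumption; the same hash comparison applies to `rc.local`.

```python
"""Integrity check for a boot-time script and the programs it launches.

Added example; not Dell's code. The baseline hash, the script contents and the
binaries below are constructed stand-ins for an appliance's convert_hosts.sh
and the files it references; the 'expected paths' list is an assumption.
"""
import hashlib
import re

# Absolute paths the known-good script is allowed to reference (assumed list).
EXPECTED_PATHS = {"/bin/bash", "/usr/bin/python3",
                  "/opt/app/bin/convert_hosts.py", "/etc/hosts", "/dev/null"}

# Constructed known-good script (stand-in for the real convert_hosts.sh).
BASELINE_SCRIPT = (
    "#!/bin/bash\n"
    "/usr/bin/python3 /opt/app/bin/convert_hosts.py /etc/hosts >/dev/null\n"
)
# Constructed tampered copy: one extra line that launches a foreign binary.
TAMPERED_SCRIPT = BASELINE_SCRIPT + "nohup /var/tmp/.x/updater >/dev/null 2>&1 &\n"

# Constructed file contents standing in for the binaries on disk.
FAKE_DISK = {
    "/var/tmp/.x/updater": b"\x7fELF" + b"\x00" * 60 + b"UPX!" + b"\x00" * 64,
    "/opt/app/bin/convert_hosts.py": b"print('convert hosts')\n",
}

# Absolute path with at least one directory component, not glued to other text.
_PATH_RE = re.compile(r"(?<![\w.-])/(?:[\w.-]+/)+[\w.-]+")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def referenced_paths(script_text):
    """Absolute paths named anywhere in the script (shebang included)."""
    return set(_PATH_RE.findall(script_text))


def is_upx_packed(data):
    """UPX leaves a literal 'UPX!' marker in the packed file."""
    return b"UPX!" in data


def check_boot_script(script_text, baseline_hash, read_file):
    """Return a list of findings; an empty list means the script matches baseline."""
    findings = []
    if sha256_hex(script_text.encode()) != baseline_hash:
        findings.append("hash-mismatch")
    for path in sorted(referenced_paths(script_text) - EXPECTED_PATHS):
        findings.append(f"unexpected-path:{path}")
        data = read_file(path)
        if data is not None and is_upx_packed(data):
            findings.append(f"upx-packed:{path}")
    return findings


def read_fake(path):
    """Reader over the constructed in-memory 'disk'."""
    return FAKE_DISK.get(path)


def read_real(path):
    """Reader over the real filesystem; None when the file is absent."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


BASELINE_HASH = sha256_hex(BASELINE_SCRIPT.encode())

if __name__ == "__main__":
    print("baseline:", check_boot_script(BASELINE_SCRIPT, BASELINE_HASH, read_fake))
    print("tampered:", check_boot_script(TAMPERED_SCRIPT, BASELINE_HASH, read_fake))
```

On a real host the baseline hash should come from a clean installation image or a vendor-published value, never from the running appliance, and `read_real` replaces `read_fake`. The UPX marker is a cheap first-pass indicator only; a packed binary can be modified to remove it, so a hash mismatch on the boot script is the stronger signal.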

Advanced Networking Tactics

Beyond malware deployment, UNC6201 has demonstrated advanced networking tactics to navigate compromised environments stealthily. Analysts observed the creation of Ghost NICs, temporary network ports configured on existing virtual machines within ESXi servers. These hidden interfaces allow attackers to pivot silently between internal networks and Software-as-a-Service (SaaS) infrastructure without alerting standard network monitoring tools.

Furthermore, the attackers employ a stealthy traffic management technique known as Single Packet Authorization (SPA) using `iptables`. Forensic analysis of systemd journals revealed that the attackers monitor incoming traffic on port 443 for a specific hexadecimal string. When this magic packet is detected, the source IP address is added to an allowlist. Subsequent connections from that IP to port 10443 are then accepted, while traffic from non-approved IPs is silently redirected. This technique effectively hides the command and control (C2) channel from casual observation and automated scanning.
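Because the gating lives in the packet filter, the firewall ruleset itself is evidence. The script below is an added example (not Dell's or Mandiant's code) that scans `iptables-save` style output for the features the technique above needs: payload string matching on a service port, per-source dynamic allowlisting (`recent` or ipset `set` matches), port redirection, and references to the non-standard port 10443 mentioned above. The sample ruleset is constructed to approximate the described behaviour and was not recovered from any appliance; the watched-port list and the choice of suspicious features are assumptions.

```python
"""Flag iptables rules that resemble single-packet-authorization gating.

Added example; not Dell's or Mandiant's code. Operates on iptables-save style
output; the sample rule set below is constructed to approximate the behaviour
described in the article, not recovered from any appliance. The watched-port
list and the rule features treated as suspicious are assumptions.
"""
import re
import subprocess

# Rule features worth a second look on an appliance that should only serve HTTPS.
PAYLOAD_MATCH = re.compile(r"-m string\b")              # matches bytes inside packets
DYNAMIC_ALLOWLIST = re.compile(r"-m (?:recent|set)\b")  # per-source state / ipset
REDIRECT = re.compile(r"-j (?:REDIRECT|DNAT)\b")
PORT_REF = re.compile(r"--(?:dport|to-ports) (\d+)")
WATCHED_PORTS = {"10443"}   # non-standard port named in the described C2 channel

# Constructed sample in iptables-save format.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m string --hex-string "|6d61676963|" --algo bm -m recent --set --name knock
-A INPUT -p tcp -m tcp --dport 10443 -m recent --rcheck --seconds 60 --name knock -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10443 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 10443 -j REDIRECT --to-ports 443
COMMIT
"""


def scan_iptables_rules(rules_text):
    """Return (line_number, [reasons]) for every rule that trips an indicator."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.startswith("-A "):
            continue                      # table headers, chain policies, COMMIT
        reasons = []
        if PAYLOAD_MATCH.search(line):
            reasons.append("payload-string-match")
        if DYNAMIC_ALLOWLIST.search(line):
            reasons.append("dynamic-source-allowlist")
        if REDIRECT.search(line):
            reasons.append("port-redirect")
        for port in PORT_REF.findall(line):
            if port in WATCHED_PORTS:
                reasons.append(f"watched-port-{port}")
        if reasons:
            findings.append((lineno, reasons))
    return findings


def looks_like_spa(findings):
    """SPA needs both a payload trigger and per-source state; require both."""
    seen = {reason for _, reasons in findings for reason in reasons}
    return "payload-string-match" in seen and "dynamic-source-allowlist" in seen


def scan_live_ruleset():
    """Run iptables-save on the local host (needs root) and scan its output."""
    out = subprocess.run(["iptables-save"], capture_output=True,
                         text=True, check=True).stdout
    return scan_iptables_rules(out)


if __name__ == "__main__":
    hits = scan_iptables_rules(SAMPLE_RULES)
    for lineno, reasons in hits:
        print(f"line {lineno}: {', '.join(reasons)}")
    print("SPA pattern present:", looks_like_spa(hits))
```

The individual indicators are noisy on a general-purpose Linux box, where `recent` and ipset rules are common; the combined `looks_like_spa` condition is the one to alert on, and on a storage appliance that should carry only a vendor ruleset, any `-m string` rule at all deserves investigation. Capturing `iptables-save` output in routine configuration backups also gives the baseline needed to diff against.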

Implications and Recommendations

The exploitation of CVE-2026-22769 underscores the critical importance of securing edge appliances and promptly addressing known vulnerabilities. Organizations utilizing Dell RecoverPoint for Virtual Machines should take immediate action to mitigate this threat.

Mitigation Steps:

1. Update and Patch: Dell has released patches addressing CVE-2026-22769. Organizations should apply these updates without delay to close the security gap.

2. Change Default Credentials: Replace any default or hardcoded credentials with strong, unique passwords to prevent unauthorized access.

3. Monitor Network Traffic: Implement robust network monitoring to detect unusual activities, such as the creation of unauthorized network interfaces or unexpected traffic patterns.

4. Conduct Regular Security Audits: Regularly review and audit system configurations and access controls to identify and remediate potential vulnerabilities.

5. Educate and Train Staff: Ensure that IT and security personnel are aware of the latest threats and best practices for securing network appliances.

By taking these proactive measures, organizations can enhance their security posture and reduce the risk of exploitation by sophisticated threat actors like UNC6201.