A China-aligned espionage operation has been exploiting a previously unknown flaw in Dell's RecoverPoint for Virtual Machines since at least the middle of 2024, according to Google's Threat Intelligence Group (GTIG) and Mandiant. The bug, tracked as CVE-2026-22769, is a critical hardcoded-credential weakness that hands an unauthenticated attacker root-level access to the appliance. Google attributes the campaign to a newly designated cluster, UNC6201, which leveraged the access to move laterally, entrench itself, and deploy custom malware. Dell has shipped a fixed build and is pushing customers to patch immediately.

The vulnerability

CVE-2026-22769 affects RecoverPoint for Virtual Machines in every release before 6.0.3.1 HF1. The flaw stems from an embedded credential baked into the product: any remote attacker who knows that credential can authenticate against the underlying operating system without prior access, reach a shell, and establish root-level persistence. Dell rates the issue critical and treats an upgrade to the patched build as urgent.

Because the weakness sits in a backup-and-replication appliance — a class of device that typically can't run endpoint detection and response (EDR) agents — exploitation is hard to spot from the host side. Mandiant points out that this is exactly why state-sponsored crews keep targeting network and storage appliances: limited telemetry translates directly into longer dwell time.

References for the CVE:

Who is behind it

GTIG ties UNC6201 to UNC5221, a China-nexus group with a track record of remaining inside breached networks for hundreds of days at a time. The overlap suggests shared tooling or tradecraft between the two clusters. Across the RecoverPoint intrusions, the operators showed the patience typical of long-haul espionage rather than smash-and-grab activity.

Malware and tradecraft

On the compromised RecoverPoint systems, UNC6201 began with the BrickStorm backdoor. Starting in September 2025, the group migrated to a newer implant called GrimBolt — a C#-based backdoor that is AOT-compiled and UPX-packed, giving operators remote-shell access while making the sample considerably harder to reverse-engineer. The attackers also dropped a web shell named SlayStyle.

To frustrate incident responders, the operators spun up short-lived "ghost" network interfaces on the virtual machines, used them while active, and removed them afterward — deliberately erasing artifacts that forensics would normally rely on.

Detection and mitigation

  • Patch now. Upgrade RecoverPoint for Virtual Machines to 6.0.3.1 HF1 or later, which removes the hardcoded credential. Every release prior to that build is affected.
  • Reduce exposure. The most probable initial-access route is internet-facing edge appliances, so restrict management interfaces to trusted networks and remove direct internet exposure where possible.
  • Hunt for the published IOCs. GTIG and Mandiant have released indicators of compromise associated with BrickStorm, GrimBolt, and SlayStyle — fold these into your detection stack.
  • Watch for transient interfaces. Since the actor created and deleted "ghost" network interfaces, review hypervisor and VM configuration-change logs for short-lived adapters that appear and vanish around suspicious activity.
  • Compensate for the EDR gap. Appliances that can't host endpoint agents should be monitored at the network layer — inspect outbound connections from the RecoverPoint VMs for unexpected command-and-control traffic.

Technical background

Hardcoded-credential bugs like CVE-2026-22769 are a recurring weakness in embedded and appliance software. A static username/password (or key) is shipped inside the firmware or application image so internal components can authenticate to one another. The problem is that the same secret is present on every deployed unit, so once it is extracted from one device — or one firmware image — it works everywhere. Unlike a password an admin can rotate, the credential is fixed until the vendor releases a patched build, which is why the only real fix is upgrading.

Attackers typically recover such secrets by unpacking firmware or binaries and searching for embedded strings, for example:


# Generic illustration only — not specific to this incident
strings -n 8 appliance_firmware.bin | grep -iE 'pass|secret|cred|token'

Once a working credential is found, the appliance's own service exposes a path to the host OS, and from there the operator installs a backdoor for persistence. Packing techniques like UPX and ahead-of-time (AOT) compilation — both used by GrimBolt — are common evasion measures: they collapse readable symbols and strings into a compressed, native blob, slowing static analysis and signature-based detection.