A China-linked cyberespionage crew has been quietly abusing a zero-day in Dell's RecoverPoint for Virtual Machines since at least mid-2024, according to Google's Threat Intelligence Group (GTIG) and Mandiant. The activity is attributed to a newly tracked actor, UNC6201, which used the flaw to move laterally, establish persistence, and drop malware inside victim environments.

The vulnerability, CVE-2026-22769, is a hardcoded-credential weakness in RecoverPoint for Virtual Machines releases prior to 6.0.3.1 HF1. Dell rates it critical: a remote attacker with no account of their own, but in possession of the embedded credential, can log in to the appliance's underlying operating system and establish root-level persistence. Dell urges customers to upgrade to the fixed build without delay.
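A quick way to triage an inventory against the "prior to 6.0.3.1 HF1" threshold is a version comparison that understands the hotfix suffix. The following is an added example, not Dell's tooling or anything from the GTIG/Mandiant report; it assumes version strings of the form "major.minor.patch.build" optionally followed by "HFn", and that a hotfix sorts after its base release (so 6.0.3.1 is older than 6.0.3.1 HF1, which is older than 6.0.3.2). The host names and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed build named in Dell's advisory for CVE-2026-22769 (from the article).
FIXED_VERSION = "6.0.3.1 HF1"

# Assumed format: up to four dotted numeric fields, optional "HFn" hotfix tag.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,3})(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'major.minor.patch.build [HFn]' into a comparable 5-tuple.

    Assumption (not from Dell documentation): numeric fields compare left to
    right, missing trailing fields count as 0, and the hotfix number is the
    least significant field, so a base release sorts below its own hotfixes.
    Anything that does not match the expected shape raises rather than being
    silently classed as safe.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised RecoverPoint version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))          # e.g. '6.0.3' -> 6.0.3.0
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (*parts, hotfix)


def is_vulnerable(version: str) -> bool:
    """True when the build is older than the fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts (sorted) whose reported build is below the fix."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: host -> reported RecoverPoint for VMs build.
SAMPLE_INVENTORY = {
    "rp-site-a-01": "5.3.0.2",
    "rp-site-a-02": "6.0.3.1",
    "rp-site-b-01": "6.0.3.1 HF1",
    "rp-site-b-02": "6.0.3.2",
}

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {FIXED_VERSION}, upgrade required")
```

The comparison deliberately fails closed on unparseable input: a host whose version string cannot be read should be looked at by hand, not dropped from the list.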

GTIG says UNC6201 shares links with UNC5221, a China-nexus group known for lingering in compromised networks for hundreds of days. On the RecoverPoint systems the attackers initially relied on the BrickStorm backdoor; from September 2025 they began replacing it with GrimBolt, a C#-based backdoor that provides remote-shell access and is compiled ahead of time (AOT) and UPX-packed, which leaves no IL for the usual .NET decompilers and makes the binary harder to analyze. A web shell named SlayStyle was also deployed.

To stay hidden, the operators created temporary ‘ghost’ network interfaces on virtual machines and deleted them once their work was done, so the adapters are absent from a VM's current configuration and only survive in historical reconfiguration records, complicating forensics. Mandiant notes that nation-state actors keep gravitating to appliances that rarely support EDR, which prolongs dwell time. GTIG and Mandiant have published indicators of compromise; the most likely initial-access vector remains internet-facing edge appliances. Because exploitation predates the fix by more than a year, upgrading alone does not clear an appliance that was already compromised: affected builds should also be checked against the published indicators.
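Since a ghost adapter is gone by the time anyone looks at the VM, the evidence has to come from the change history: a network adapter that was added and removed from the same VM within a short window is worth a second look. The following is an added example of that correlation, not code from GTIG, Mandiant or Dell. It runs over constructed, flattened add/remove records; the record schema (timestamp, VM, adapter label, action, user) is an assumption, and in practice the records would be derived from the hypervisor's reconfiguration events (for vSphere, the VM reconfiguration events vCenter logs) rather than typed in by hand. VM names, adapter labels and users are made up.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real telemetry). Schema is an assumption:
# one flat record per adapter add or remove, as might be extracted from
# hypervisor reconfiguration events.
SAMPLE_EVENTS = [
    {"ts": "2025-09-14T02:10:05Z", "vm": "rp-node-01", "nic": "Network adapter 3", "action": "add",    "user": "admin"},
    {"ts": "2025-09-14T02:41:50Z", "vm": "rp-node-01", "nic": "Network adapter 3", "action": "remove", "user": "admin"},
    {"ts": "2025-09-10T09:00:00Z", "vm": "app-db-02",  "nic": "Network adapter 2", "action": "add",    "user": "ops"},
    {"ts": "2025-09-20T17:30:00Z", "vm": "app-db-02",  "nic": "Network adapter 2", "action": "remove", "user": "ops"},
    {"ts": "2025-09-15T23:59:10Z", "vm": "rp-node-02", "nic": "Network adapter 4", "action": "remove", "user": "admin"},
    {"ts": "2025-09-16T03:12:00Z", "vm": "mgmt-01",    "nic": "Network adapter 2", "action": "add",    "user": "admin"},
]


@dataclass
class Finding:
    vm: str
    nic: str
    added: Optional[datetime]     # None when the add was never observed
    removed: datetime
    user: str
    reason: str


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_ghost_nics(events: List[dict], max_lifetime_hours: float = 24.0) -> List[Finding]:
    """Pair adapter adds with removes per (vm, nic) and flag short lifetimes.

    Two conditions are reported:
      * an adapter removed within max_lifetime_hours of being added, which is
        the ghost-interface pattern described in the article;
      * a removal with no preceding add in the records, which is either a
        gap in the collected history or an adapter that predates it; either
        way the removal deserves a manual look rather than being dropped.
    Adapters added but never removed are not findings here: they are still
    present and will show up in a normal inventory.
    """
    findings: List[Finding] = []
    open_adds: Dict[Tuple[str, str], datetime] = {}
    # ISO-8601 with a fixed format sorts correctly as plain strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["vm"], ev["nic"])
        t = _parse_ts(ev["ts"])
        if ev["action"] == "add":
            open_adds[key] = t
        elif ev["action"] == "remove":
            added = open_adds.pop(key, None)
            if added is None:
                findings.append(Finding(ev["vm"], ev["nic"], None, t, ev["user"],
                                        "removal with no observed add (log gap or pre-existing adapter)"))
            elif (t - added).total_seconds() <= max_lifetime_hours * 3600:
                findings.append(Finding(ev["vm"], ev["nic"], added, t, ev["user"],
                                        f"adapter lived only {t - added}"))
    return findings


if __name__ == "__main__":
    for f in find_ghost_nics(SAMPLE_EVENTS):
        print(f"{f.vm} / {f.nic} removed {f.removed:%Y-%m-%d %H:%M} by {f.user}: {f.reason}")
```

The 24-hour default is a tuning knob, not a fact from the report; in an environment where adapters are routinely added and removed by automation, narrow the window or filter on the account that made the change.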