Dell has released a patch for a critical zero-day vulnerability in its RecoverPoint for Virtual Machines product, which Mandiant said has been silently exploited by a Chinese APT group since 2024.<\/p>\n
CVE-2026-22769 is a hardcoded credential bug with a maximum CVSS score of 10.0.<\/p>\n
An unauthenticated attacker with knowledge of the credential could easily gain access to the underlying OS and root-level persistence, Dell warned<\/a>.<\/p>\n The zero-day vulnerability affects versions of the data backup and recovery solution prior to 6.0.3.1 HF1.<\/p>\n Read more on Chinese APT groups: European Governments Breached in Zero-Day Attacks Targeting Ivanti.<\/em><\/a><\/p>\n Mandiant said in a report published on February 18 that it traced back exploitation of CVE-2026-22769 as far as mid-2024, although there may have been activity prior to this.<\/p>\n “Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including Slaystyle, Brickstorm, and a novel backdoor tracked as Grimbolt,” it explained.<\/p>\n “The initial access vector for these incidents was not confirmed, but UNC6201 is known to target edge appliances (such as VPN concentrators) for initial access.”<\/p>\n In September last year, the group replaced the Brickstorm backdoor<\/a>, which has been tied to Chinese cyber-espionage activity since at least March<\/a> that year, with Grimbolt.<\/p>\n The new backdoor is apparently written in C# and compiled using native ahead-of-time (AOT) techniques to help evade analysis and improve performance.<\/p>\n “Unlike traditional .NET software that uses just-in-time (JIT) compilation at runtime, Native AOT-compiled binaries, introduced to .NET in 2022, are converted directly to machine-native code during compilation,” Mandiant explained.<\/p>\n “This approach enhances the software’s performance on resource-constrained appliances, ensures required libraries are already present in the file, and complicates static analysis by removing the common intermediate language (CIL) metadata typically associated with C# samples.”<\/p>\n Grimbolt, which provides a remote shell capability, uses the same command-and-control (C2) infrastructure as Brickstorm, the report added.<\/p>\n Mandiant also observed UNC6201 using novel tactics to target VMware virtual infrastructure.<\/p>\n This includes the creation of new temporary network ports, or “ghost NICs,” on VMs running on an ESXi server.<\/p>\n “Using these network ports, the threat actor then pivoted to various internal and software-as-a-service (SaaS) infrastructures used by the affected organizations,” the report noted.<\/p>\n Mandiant also revealed<\/a> the use of iptables for single packet authorization (SPA).<\/p>\nMandiant Reveals Novel TTPs<\/strong><\/h2>\n