{"id":43797,"date":"2026-02-20T06:13:06","date_gmt":"2026-02-19T22:13:06","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/20\/china-linked-hackers-use-dell-recoverpoint-flaw-to-drop-grimbolt-malware\/"},"modified":"2026-02-20T06:13:06","modified_gmt":"2026-02-19T22:13:06","slug":"china-linked-hackers-use-dell-recoverpoint-flaw-to-drop-grimbolt-malware","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/20\/china-linked-hackers-use-dell-recoverpoint-flaw-to-drop-grimbolt-malware\/","title":{"rendered":"China-Linked Hackers Use Dell RecoverPoint Flaw to Drop GrimBolt Malware"},"content":{"rendered":"\n

A major security vulnerability has been identified in a Dell<\/a> product used by many companies to protect their virtual data. According to reports from Google\u2019s Threat Intelligence Group (GTIG) and the cybersecurity firm Mandiant, a group of hackers linked to China<\/a> has been exploiting this weakness since at least mid-2024.<\/p>\n

The problem affects Dell RecoverPoint for Virtual Machines<\/a>, a tool designed to help businesses recover their data if their systems fail. As we know it, these types of tools are vital for keeping digital services running, which makes them a prime target for those looking to steal information.<\/p>\n

What Went Wrong?<\/strong><\/h3>\n

The issue, officially named CVE-2026-22769<\/a>, involves hardcoded credentials. This means the software came with a built-in username and password that could not be easily changed.<\/p>\n

Google researchers noted that an outsider who knew these secret login details could gain total control over the system. Specifically, the flaw allowed attackers to log in as an administrator to the software’s management system and execute commands with the highest level of authority.<\/p>\n

Further investigation by Mandiant revealed that the hackers, a group identified as UNC6201, used these details to break into networks. Once inside, they could move around freely and install malicious software to spy on the affected organisations. In one instance, the hackers used a technique called Ghost NICs, where they created temporary virtual network ports to move through the network without leaving a trace.<\/p>\n

New Malware GrimBolt Discovered<\/strong><\/h3>\n

According to Mandiant and GTIG\u2019s investigation, the hackers have been using a specific type of digital spy tool called BrickStorm<\/a>, but in September 2025, they began switching to a more advanced piece of malware named GrimBolt.<\/p>\n

They also noted that GrimBolt is particularly tricky because it is designed to be very fast and hard for security teams to study. It acts as a backdoor<\/a>, which is a way for hackers to sneak back into a system whenever they want without being noticed. In this case, the hackers even modified the software’s startup scripts, ensuring that \u201cthis shell script is executed by the appliance at boot time,\u201d allowing the malware to remain active indefinitely, Google\u2019s blog post<\/a> reveals.<\/p>\n

How to Stay Safe<\/strong><\/h3>\n

Dell has released an official security advisory (DSA-2026-079<\/a>) urging all users to update their software immediately. The vulnerability is considered critical, receiving the highest possible risk score of 10.0. Dell advised that the flaw \u201cis considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability.\u201d<\/p>\n