China-Linked Hackers Exploiting Dell 0-Day: Ghost NICs, Grimbolt, and What You Need to Know (2026)

China-linked hackers have been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least mid-2024, using 'ghost NICs' to avoid detection. This sophisticated attack is part of a long-running effort to gain backdoor access to infected machines for long-term surveillance and control, according to Google's Mandiant incident response team. The US government and Google first raised the alarm about this campaign last year after Brickstorm backdoors were detected in dozens of critical US networks.

Dell has since disclosed and patched the flaw (CVE-2026-22769), but noted that malicious actors had already found and exploited the bug before the fix was issued. The vulnerability allows attackers to deploy malware, including Brickstorm and Grimbolt, and create 'ghost NICs' for stealthy network pivoting. Google threat hunters revealed that UNC6201, a suspected PRC-nexus threat cluster, has been exploiting this flaw since mid-2024 to move laterally, maintain persistent access, and deploy malware. The full scope of this campaign is still unknown, but organizations previously targeted by Brickstorm are advised to look out for Grimbolt in their systems.

Grimbolt, a new and improved backdoor, uses C# and AOT compilation to enhance performance and evade detection. It provides remote shell capabilities and shares the same command and control infrastructure as Brickstorm. The attack involves modifying a legitimate shell script to include the backdoor's path and executing it at boot time.

Security analysts have also spotted multiple web requests to vulnerable appliances using the 'admin' username, leading to the deployment of a Slaystyle web shell. This attack is considered critical as it could grant unauthorized access to the underlying operating system and root-level persistence. After exploiting the Dell appliances, UNC6201 created 'ghost NICs' to burrow deeper into victims' VMware virtual infrastructure.
This is not the first time Chinese attackers have targeted VMware environments, and the US Cybersecurity and Infrastructure Security Agency (CISA) has previously warned of such activities. The incident highlights the ongoing threat of state-sponsored actors embedding themselves in networks for long-term access and potential sabotage.

Article information

Author: Fr. Dewey Fisher