Chinese group (UNC6201) exploited a zero-day vulnerability in Dell RecoverPoint

    #1637
    Rameses Quiambao
    Participant

    Summary

    On February 18, 2026, Google Threat Intelligence Group (GTIG) and Mandiant reported active exploitation of a critical zero-day vulnerability affecting Dell RecoverPoint for Virtual Machines.

    The vulnerability:
    • CVE-2026-22769

    The flaw allows an unauthenticated remote attacker with knowledge of a hardcoded credential to gain unauthorized access to the system and potentially achieve root-level persistence.

    The activity has been attributed to a China-linked cyberespionage threat actor tracked as UNC6201, which has been active since at least 2024.

    Research Source

    According to Google Threat Intelligence Group (GTIG) and Mandiant, the threat actor used the vulnerability for long-term espionage operations including persistence, lateral movement, and malware deployment.

    Researchers also identified links between UNC6201 and another China-nexus APT group UNC5221, known for maintaining access inside victim networks for extended periods.

    Technical Details

    The vulnerability is a hardcoded credential issue affecting Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1.

    Successful exploitation may allow attackers to:
    • Access the underlying operating system
    • Establish root-level persistence
    • Deploy additional malware
    • Move laterally across virtualized infrastructure

    Dell RecoverPoint is a disaster recovery and resilience platform used for VMware virtual machines, making it a high-value enterprise infrastructure target.

    Observed Attack Activity

    Malware Deployment
    • GrimBolt backdoor (C# AOT compiled, UPX packed)
    • BrickStorm malware

    Web Shells
    • SlayStyle web shell

    Post-Exploitation Behavior
    • Lateral movement
    • Persistence mechanisms
    • Remote shell access
    • Data collection

    Evasion Techniques
    • Creation of “ghost NICs” on virtual machines
    • Removal of NICs after operations to hide activity

    Attackers primarily targeted systems that typically do not run endpoint detection tools, increasing dwell time.

    Impact

    Compromise of RecoverPoint infrastructure may allow attackers to:

    • Access backup and disaster recovery environments
    • Maintain stealth persistence in virtual infrastructure
    • Move laterally into production systems
    • Deploy malware across virtual machines
    • Conduct long-term espionage operations

    Because RecoverPoint operates within virtualization and backup systems, compromise may give attackers access to the entire virtual environment.

    Mitigation

    Dell advises updating immediately to:
    • RecoverPoint for Virtual Machines 6.0.3.1 HF1 or later

    Recommended actions:

    1. Patch affected RecoverPoint systems immediately
    2. Hunt for web shells and unknown services
    3. Check virtual machines for unauthorized NIC changes
    4. Review lateral movement activity in the VMware environment
    5. Monitor backup infrastructure access
    6. Review GTIG/Mandiant indicators of compromise (IoCs)

    Organizations should assume compromise if vulnerable systems were internet-accessible.

    References:

    • Google Threat Intelligence Group (GTIG) & Mandiant Research
    • SecurityWeek: https://www.securityweek.com/dell-recoverpoint-zero-day-exploited-by-chinese-cyberespionage-group/
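
As an added example (not part of the post above, nor Dell's or GTIG's own tooling) for step 1 of the recommended actions, the following Python snippet triages a RecoverPoint for Virtual Machines inventory against the fixed build 6.0.3.1 HF1 named in the summary. It assumes version strings of the form "X.Y.Z.W" with an optional "HFn" hotfix suffix; the host names and versions in the sample inventory are constructed, not real.

```python
import re
from typing import NamedTuple

# Fixed release from the Dell advisory as summarised in the post: anything older is affected.
FIXED_VERSION = "6.0.3.1 HF1"


class RpVersion(NamedTuple):
    numbers: tuple  # numeric components, padded to four, e.g. (6, 0, 3, 1)
    hotfix: int     # HF number; 0 when the string carries no HF suffix


# Assumed format: dotted numeric release, optionally followed by "HF<n>".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> RpVersion:
    """Parse a RecoverPoint version string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised RecoverPoint version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    # Pad so that "6.0.4" compares as 6.0.4.0 against a four-component release.
    numbers = numbers + (0,) * (4 - len(numbers))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return RpVersion(numbers, hotfix)


def is_vulnerable(version: str) -> bool:
    """True when the installed build predates 6.0.3.1 HF1 (a bare 6.0.3.1 is still affected)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: dict) -> dict:
    """Map each appliance name to 'PATCH' or 'ok' so the list can feed a ticket or hunt queue."""
    return {host: ("PATCH" if is_vulnerable(ver) else "ok") for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical appliance names and versions).
SAMPLE_INVENTORY = {
    "rp4vm-dc1-01": "6.0.3.1",      # same release, no hotfix: still vulnerable
    "rp4vm-dc1-02": "6.0.3.1 HF1",  # fixed build
    "rp4vm-dr-01": "5.3.2",         # older branch: vulnerable
    "rp4vm-dr-02": "6.0.4",         # newer release: not vulnerable
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```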

    #1750
    Alpert Sebastian
    Participant

    This article shows how attackers can take advantage of vulnerabilities in backup systems like Dell RecoverPoint for Virtual Machines. The issue allowed unauthorized access and long-term persistence, which is especially risky since these systems are often not closely monitored.

    Organizations using affected versions should patch immediately and check for signs of compromise such as web shells, unusual network changes, and lateral movement. This highlights the need to secure and monitor backup and virtualization infrastructure, not just production systems.
