APT UNC6201 Exploited Dell Zero-Day Since Mid-2024, Deploying Novel Grimbolt Backdoor and ESXi Ghost NICs

Mandiant and the Google Threat Intelligence Group (GTIG) have disclosed that a suspected Chinese state-backed threat group tracked as UNC6201 has been exploiting a maximum-severity Dell zero-day vulnerability since mid-2024 — remaining undetected in victim networks for over 18 months.

The vulnerability, CVE-2026-22769, is a hardcoded-credential flaw in Dell RecoverPoint for Virtual Machines, a product used for VMware virtual machine backup and recovery. Exploitation grants an unauthenticated remote attacker root-level access to the underlying operating system.

Dell published a security advisory on Tuesday and urges immediate patching to versions 6.0.3.1 HF1 or later.

New Grimbolt Backdoor Replaces Brickstorm

Once inside victim networks, UNC6201 deployed a newly identified backdoor called Grimbolt — written in C# using a relatively new compilation technique designed to be faster and significantly harder to analyze than its predecessor, the Brickstorm backdoor that the group had been using since at least April 2024.

Researchers observed the group swapping Brickstorm for Grimbolt in September 2025, though it remains unclear whether this was a planned capability upgrade or a reaction to incident response efforts led by Mandiant.

Novel Ghost NIC Technique on VMware ESXi

UNC6201 also introduced a technique Mandiant has never previously observed: creating hidden virtual network interfaces — dubbed "Ghost NICs" — on VMware ESXi servers to pivot from compromised VMs into internal and SaaS environments.

These temporary virtual network ports allow the attackers to move laterally across virtualized infrastructure without generating the network artifacts that defenders typically monitor. The technique is particularly effective because VMware ESXi hosts generally lack traditional endpoint detection and response (EDR) agents, allowing UNC6201 to remain undetected for extended periods.

Ties to Silk Typhoon and Ivanti Campaigns

GTIG has identified overlaps between UNC6201 and UNC5221, a separate Chinese threat cluster known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware. UNC5221 has been previously linked to the Silk Typhoon Chinese state-backed threat group, though GTIG does not consider the two identical.

The connection extends through shared tooling: GTIG reported in September that UNC5221 used the same Brickstorm backdoor to gain long-term persistence across multiple U.S. organizations in the legal and technology sectors. CrowdStrike independently linked Brickstorm attacks targeting VMware vCenter servers at legal, technology, and manufacturing companies to a Chinese group it tracks as Warp Panda.

Why This Matters

CVE-2026-22769 follows a consistent Chinese APT pattern of targeting enterprise infrastructure appliances — backup systems, VPN concentrators, MDM platforms — that sit outside the reach of standard EDR coverage. The 18-month dwell time underscores the effectiveness of this approach.

The introduction of Ghost NICs represents a significant evolution in virtualization-layer tradecraft, giving defenders a new technique to hunt for across VMware environments.

Defender Actions

  • Patch immediately — upgrade Dell RecoverPoint for Virtual Machines to version 6.0.3.1 HF1 or later per Dell's advisory
  • Hunt for Ghost NICs — audit VMware ESXi hosts for unexpected or temporary virtual network interfaces
  • Check for Grimbolt and Brickstorm IOCs — search for C# backdoor artifacts and unusual outbound connections from backup infrastructure
  • Audit RecoverPoint access logs — look for unauthorized authentication events dating back to mid-2024
  • Extend EDR visibility — deploy monitoring on appliances and hypervisors that traditionally lack agent coverage
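One way to operationalize the Ghost NIC hunt above, as an added example that is not from Mandiant, Google or Dell: it parses two snapshots of `esxcli network vm port list -w <WorldID>` output for a single VM (constructed sample output; the port IDs and MAC addresses are made up) and reports ports that appeared since the baseline, ports that vanished (the "temporary" pattern), and ports attached to a portgroup outside an allow-list.

```python
import re

# Constructed baseline snapshot of one VM's ports as printed by
# `esxcli network vm port list -w <WorldID>` (values are made up).
BASELINE = """\
   Port ID: 33554442
   vSwitch: vSwitch0
   Portgroup: VM Network
   DVPort ID:
   MAC Address: 00:50:56:aa:bb:01
   IP Address: 0.0.0.0
   Team Uplink: vmnic0
   Uplink Port ID: 33554434
   Active Filters:
"""

# Constructed later snapshot: same VM, one extra port on an internal vSwitch.
CURRENT = BASELINE + """\
   Port ID: 33554459
   vSwitch: vSwitch1
   Portgroup: Mgmt-Internal
   DVPort ID:
   MAC Address: 00:50:56:aa:bb:7f
   IP Address: 0.0.0.0
   Team Uplink: vmnic1
   Uplink Port ID: 33554435
   Active Filters:
"""

def parse_ports(text):
    """Return {port_id: {field: value}} from esxcli port-list style output."""
    ports, cur = {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)   # "Key: value" (value may be empty)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Port ID":                          # a new port block starts here
            cur = {}
            ports[val] = cur
        cur[key] = val
    return ports

def diff_ports(baseline_text, current_text, allowed_portgroups):
    """Findings as (kind, port_id, portgroup, mac) tuples for a reviewer to triage."""
    base, cur = parse_ports(baseline_text), parse_ports(current_text)
    findings = []
    for pid, p in cur.items():
        if pid not in base:
            findings.append(("new_port", pid, p.get("Portgroup"), p.get("MAC Address")))
        if p.get("Portgroup") not in allowed_portgroups:
            findings.append(("unexpected_portgroup", pid, p.get("Portgroup"), p.get("MAC Address")))
    for pid, p in base.items():
        if pid not in cur:
            findings.append(("removed_port", pid, p.get("Portgroup"), p.get("MAC Address")))
    return findings
```

Run it on a schedule against every VM world ID on each host and keep the snapshots, since a port that exists in one run and is gone by the next is exactly the transient artifact the bullet above asks you to look for.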
