2 years in the shadows: UNC6201’s silent espionage
Mandiant revealed that a China-linked APT group, tracked as UNC6201, has been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024. For nearly two years, the attackers maintained persistent root access in victim networks without detection.
CVE-2026-22769: CVSS 10.0
| Field | Detail |
|---|---|
| CVE | CVE-2026-22769 |
| CVSS | 10.0 (maximum) |
| Type | Hardcoded credential |
| Product | Dell RecoverPoint for VMs < 6.0.3.1 HF1 |
| Authentication | None required |
| Privileges | Root |
The vulnerability is a hardcoded password embedded in the Dell product: anyone who knows it gets immediate root access, with no other authentication required. This type of flaw is invisible to traditional vulnerability scanners.
UNC6201: the group behind the attack
UNC6201 is a China-attributed espionage group. Its playbook: targeting network edge appliances (VPN concentrators, backup appliances, edge devices), maintaining long-term persistence for intelligence collection, and using malware designed for stealth.
Arsenal deployed
- Slaystyle: first-stage malware for initial access and command execution
- Brickstorm: lateral movement and persistence (known from prior China-linked campaigns)
- Grimbolt: novel backdoor discovered for the first time in this campaign
Why backup appliances are targets
Dell RecoverPoint is a VM backup and replication system. Compromising it provides access to all protected VMs (and their data), snapshots and backups (potentially more history than live storage), the management network, and hypervisor credentials.
The 2-year dwell time lesson
EDR tools typically don’t cover proprietary appliances, vulnerability scanners don’t detect hardcoded credentials, appliance logs are rarely integrated into SIEMs, and firmware updates are often delayed by infrastructure teams.
Remediation
- Update Dell RecoverPoint to version 6.0.3.1 HF1 or later
- Audit your appliances: if you run RecoverPoint, assume it may have been compromised
- Search for IoCs: Slaystyle, Brickstorm, Grimbolt presence
- Integrate appliances into monitoring: backup, VPN, and edge devices must send logs to SIEM
- Segment: backup appliances should not be accessible from the user network
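Two of the steps above (checking the installed version against 6.0.3.1 HF1, and getting appliance logins into monitoring so that a root session does not go unnoticed for two years) can be scripted. The following is an added example written for this article, not code from Dell, Mandiant or the cited sources. It assumes that the version string is written the way Dell's advisory writes it ("6.0.3.1 HF1", where the hotfix token sorts above the plain release), a management subnet of 10.20.0.0/24, and a generic sshd-style syslog line format; the sample log lines are constructed, not real appliance output.

```python
import ipaddress
import re
from dataclasses import dataclass

# Fixed version from the Dell advisory as summarised in the article.
FIXED_VERSION = "6.0.3.1 HF1"


def parse_version(text: str) -> tuple:
    """Turn '6.0.3.1 HF1' into a comparable tuple (6, 0, 3, 1, 1).

    The 'HFn' hotfix token becomes a fifth component, so that a plain
    6.0.3.1 (hotfix 0) sorts below 6.0.3.1 HF1.  Assumed format.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))          # pad short strings like '5.1' to four fields
    hotfix = int(m.group(2)) if m.group(2) else 0
    return tuple(parts) + (hotfix,)


def is_vulnerable(installed: str) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


# Generic sshd "Accepted <method> for <user> from <src>" line; assumed format,
# adjust the pattern to whatever the appliance actually forwards to the SIEM.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+Accepted\s+(?P<method>\w+)"
    r"\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)


@dataclass
class Alert:
    timestamp: str
    user: str
    source: str
    method: str
    reason: str


def review_logins(lines, management_net: str = "10.20.0.0/24"):
    """Flag root sessions that a backup appliance should never show.

    Two conditions are checked, matching the article's remediation points:
    a root login from outside the management segment (segmentation), and a
    root login by password rather than key (the hardcoded-credential path).
    """
    net = ipaddress.ip_network(management_net)
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue                           # not a login event, ignore
        reasons = []
        try:
            inside = ipaddress.ip_address(m["src"]) in net
        except ValueError:
            inside = False                     # unparseable source: treat as outside
        if m["user"] == "root" and not inside:
            reasons.append("root login from outside management network")
        if m["user"] == "root" and m["method"].lower() == "password":
            reasons.append("root login by password (not key)")
        if reasons:
            alerts.append(Alert(m["ts"], m["user"], m["src"], m["method"], "; ".join(reasons)))
    return alerts


# Constructed sample log lines (not real RecoverPoint output).
SAMPLE_LOG = [
    "2025-03-02T01:14:09Z rpvm-01 sshd[4321]: Accepted publickey for admin from 10.20.0.15 port 51234 ssh2",
    "2025-03-02T03:47:52Z rpvm-01 sshd[4390]: Accepted password for root from 192.0.2.77 port 40022 ssh2",
    "2025-03-02T03:48:10Z rpvm-01 CRON[4401]: (root) CMD (/usr/lib/recoverpoint/housekeeping)",
    "2025-03-02T09:10:00Z rpvm-01 sshd[4410]: Accepted password for root from 10.20.0.15 port 51300 ssh2",
]

if __name__ == "__main__":
    for v in ("5.1", "6.0.3.1", "6.0.3.1 HF1", "6.0.4"):
        print(f"{v:14} vulnerable={is_vulnerable(v)}")
    for a in review_logins(SAMPLE_LOG):
        print(f"{a.timestamp} {a.user}@{a.source} via {a.method}: {a.reason}")
```

The first sample root login (from 192.0.2.77, by password) trips both rules; the second (from inside 10.20.0.0/24) trips only the password rule, which is the case a segmentation-only control would miss. Treat the log pattern and subnet as placeholders to be replaced with the real forwarded format and your own management range.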
Sources
- Chinese APT Exploits Dell Zero-Day - Infosecurity Magazine
- China-linked APT Dell RecoverPoint - Security Affairs