Cyber Web Spider Blog – News
Dell RecoverPoint Exploited by Chinese Hackers

Posted on February 18, 2026 By CWS

A critical security flaw in Dell’s RecoverPoint for Virtual Machines has been actively exploited by a China-linked cyberespionage group, according to a joint report from Google’s Threat Intelligence Group (GTIG) and Mandiant. The vulnerability, tracked as CVE-2026-22769, has been abused since at least mid-2024, meaning the data protection and disaster recovery layer that organizations rely on to survive an incident has itself been compromised for well over a year.

Details of the Exploitation

GTIG and Mandiant attribute the exploitation to a threat actor tracked as UNC6201, which has used the flaw for lateral movement, persistence and malware deployment inside victim networks. RecoverPoint for Virtual Machines, part of Dell’s data protection suite, provides replication-based disaster recovery for VMware virtual machines, so a compromised instance sits close to production workloads and to the copies meant to restore them.

Dell’s advisory describes CVE-2026-22769 as a hardcoded credential vulnerability in RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1 that a remote attacker can use to gain unauthorized access and root-level persistence. Because the credential is built into the product, there is nothing for an administrator to rotate; upgrading to a fixed release is the remedy. Since exploitation has been under way since mid-2024, the upgrade should be paired with a hunt for persistence established before the patch: patching closes the door but does not evict an attacker who is already inside.

Emergence of UNC6201 and Their Tools

This is the first public identification of UNC6201, though Google notes overlaps with UNC5221, another China-linked advanced persistent threat (APT) group known for long-running intrusions aimed at gathering sensitive information. UNC5221 previously relied on the BrickStorm backdoor, which was reportedly replaced by a new malware family, GrimBolt, in September 2025.

GrimBolt is a backdoor written in C# and built with .NET native ahead-of-time (AOT) compilation, then packed with UPX. Native AOT produces a self-contained native binary with no intermediate language or .NET metadata, so the usual .NET decompilers are of no use, and UPX adds a compression layer that hides strings and code until the file is unpacked. Stock UPX output can be restored with the packer’s own unpacker (upx -d), but attackers commonly modify the headers to break that. The backdoor gives its operators remote shell access on the host.
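The UPX layer is the part of that toolchain a defender can cheaply hunt for. The script below is an added example written for this article, not code from the GTIG/Mandiant report or from any Dell or Google tooling; it checks a file for the two artifacts stock UPX leaves behind (the "UPX!" magic in its pack header, and UPX0/UPX1/UPX2 section names in PE files) and works on both PE and ELF input. The sample files it scans are constructed header-only blobs, not real binaries, and a modified packer removes both signals, so treat a hit as a triage lead rather than proof.

```python
"""Heuristics for spotting UPX-packed executables (PE or ELF).

Added example, not code from the GTIG/Mandiant report or from any vendor.
Signals: the "UPX!" magic stock UPX writes into its pack header, and the
UPX0/UPX1/UPX2 section names it leaves in PE files. Both are trivially
removed by a modified packer, so a hit is a lead, not a verdict.
"""
import struct

UPX_MAGIC = b"UPX!"
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list[bytes]:
    """Return the section names of a PE image, or [] if data is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_hdr_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_hdr_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, 8-byte name first
        if off + 40 > len(data):
            break  # truncated file: stop rather than read past the end
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Collect the individual UPX signals so an analyst can see which one fired."""
    names = pe_section_names(data)
    if names:
        fmt = "pe"
    elif data[:4] == b"\x7fELF":
        fmt = "elf"
    else:
        fmt = "unknown"
    return {
        "format": fmt,
        "upx_magic": UPX_MAGIC in data,
        "upx_sections": sorted(n.decode("ascii", "replace") for n in names if n in UPX_SECTION_NAMES),
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return ind["upx_magic"] or bool(ind["upx_sections"])


def build_min_pe(section_names: list[bytes]) -> bytes:
    """Build a header-only PE image (constructed test input, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + secs


# Constructed samples standing in for files collected from a host (not real malware).
SAMPLES = {
    "packed.exe": build_min_pe([b"UPX0", b"UPX1", b".rsrc"]),
    "clean.exe": build_min_pe([b".text", b".rdata", b".data"]),
    "packed.elf": b"\x7fELF" + b"\0" * 68 + UPX_MAGIC + b"\x0d\x16\x02\x0c",
    "clean.elf": b"\x7fELF" + b"\0" * 60,
}


def scan_samples(samples=SAMPLES) -> dict:
    """Map each sample name to whether it looks UPX-packed."""
    return {name: looks_upx_packed(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, upx_indicators(blob))
```

Run it over a directory of binaries pulled from a RecoverPoint host or any other suspected system and review the hits by hand; the "UPX!" string check in particular can fire on benign files that merely embed that text, so confirm with the section names or by attempting upx -d before escalating.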

Technical Insights and Industry Response

Both GrimBolt and its predecessor BrickStorm have been found on systems running Dell RecoverPoint. The initial access vector has not been confirmed; the researchers suspect edge appliances. The attackers also used a web shell tracked as SlayStyle in these operations.

To evade detection, UNC6201 added network adapters (‘ghost NICs’) to virtual machines and removed them again once they were no longer needed. An adapter that exists only for the duration of an operation leaves little for a later forensic review to find unless the hypervisor’s reconfiguration events are retained and examined, which lengthens dwell time. Mandiant’s CTO, Charles Carmakal, highlighted the challenges faced by organizations lacking endpoint detection and response (EDR) coverage on these systems, which can lead to extended exposure to such threats.
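The trace a ghost NIC does leave is the pair of reconfiguration events on the hypervisor side: one adding the adapter, one removing it. The script below is an added example written for this article, not tooling from GTIG, Mandiant or any hypervisor vendor; it pairs add and remove events per VM and adapter and flags adapters that lived only briefly, while separately reporting adapters still attached and removals whose creation predates the log window. The event records are constructed, and their field names (ts, vm, device, action, user) are assumptions standing in for whatever your hypervisor’s event export actually provides, so map them to your own schema before use.

```python
"""Pair virtual-NIC add/remove events per VM and flag short-lived adapters.

Added example, not tooling from GTIG, Mandiant or any hypervisor vendor.
The records below are constructed; the field names (ts, vm, device,
action, user) are assumptions, not a real vendor event schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T01:02:00Z", "vm": "db-02", "device": "ethernet2", "action": "nic_added", "user": "svc-backup"},
    {"ts": "2025-09-10T01:40:00Z", "vm": "db-02", "device": "ethernet2", "action": "nic_removed", "user": "svc-backup"},
    {"ts": "2025-09-11T09:00:00Z", "vm": "web-07", "device": "ethernet1", "action": "nic_added", "user": "ops-jane"},
    {"ts": "2025-09-20T10:00:00Z", "vm": "web-07", "device": "ethernet1", "action": "nic_removed", "user": "ops-jane"},
    {"ts": "2025-09-12T03:15:00Z", "vm": "db-02", "device": "ethernet3", "action": "nic_added", "user": "svc-backup"},
    {"ts": "2025-09-12T03:00:00Z", "vm": "app-01", "device": "ethernet1", "action": "nic_removed", "user": "ops-jane"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_ghost_nics(events, max_lifetime=timedelta(hours=24)):
    """Return (flagged, still_present, unmatched_removals).

    flagged:            adapters removed within max_lifetime of being added
    still_present:      add events with no later removal in the log window
    unmatched_removals: removals whose add event is outside the log window
    """
    pending = {}  # (vm, device) -> the add event still waiting for its removal
    flagged, unmatched = [], []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):  # time order, not log order
        key = (ev["vm"], ev["device"])
        if ev["action"] == "nic_added":
            pending[key] = ev
        elif ev["action"] == "nic_removed":
            added = pending.pop(key, None)
            if added is None:
                unmatched.append(ev)  # worth a look: the add happened before logging started
                continue
            lifetime = parse_ts(ev["ts"]) - parse_ts(added["ts"])
            if lifetime <= max_lifetime:
                flagged.append({
                    "vm": ev["vm"],
                    "device": ev["device"],
                    "added_at": added["ts"],
                    "removed_at": ev["ts"],
                    "added_by": added["user"],
                    "removed_by": ev["user"],
                    "lifetime_minutes": lifetime.total_seconds() / 60,
                })
    return flagged, list(pending.values()), unmatched


if __name__ == "__main__":
    flagged, present, unmatched = find_ghost_nics(SAMPLE_EVENTS)
    for f in flagged:
        print("short-lived NIC:", f)
    for p in present:
        print("still attached:", p["vm"], p["device"], "added", p["ts"], "by", p["user"])
    for u in unmatched:
        print("removal without logged add:", u["vm"], u["device"], u["ts"])
```

Tune max_lifetime to how long a legitimate change normally lasts in your environment, and review the "still attached" list as well: an adapter the attacker has not yet cleaned up is the easier catch.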

GTIG and Mandiant have published indicators of compromise (IoCs) so that defenders can search for these tools and check their RecoverPoint hosts for the tradecraft described above. The case is a reminder that backup and recovery infrastructure needs the same monitoring and patch discipline as the systems it protects.

Category: Security Week News. Tags: Chinese hackers, CVE-2026-22769, Cybersecurity, Dell, GrimBolt, GTIG, Mandiant, RecoverPoint, UNC6201, zero-day

Copyright © 2026 Cyber Web Spider Blog – News.