China-linked group exploited Dell RecoverPoint zero-day

Researchers uncovered new details about a long-running China-linked espionage campaign after technical analysis by Google Threat Intelligence Group found the group UNC6201 exploiting a zero-day in Dell RecoverPoint for Virtual Machines since at least mid-2024. The flaw is tracked as CVE-2026-22769 and carries a CVSS score of 10.0. A patch is available through the Dell Technologies advisory.

KEY FACTS

  • Incident: UNC6201 has exploited a RecoverPoint zero-day since mid-2024
  • Vulnerability: CVE-2026-22769 involves a hardcoded administrator password from Apache Tomcat
  • Malware: Brickstorm was replaced by a more advanced backdoor called Grimbolt by September 2024
  • Impact: exploitation enables unauthenticated root access and at least 18 months of persistence
  • Mitigation: vendor advisory and patch released

The report links UNC6201 to UNC5221, also known as Silk Typhoon, and says the cluster implanted Brickstorm into victim networks for years before switching to Grimbolt by September 2024. The group has remained undetected for long periods, including more than 400 days in some environments.

The exploited vulnerability is a hardcoded administrator password carried over from Apache Tomcat. That flaw allows unauthenticated remote actors to gain full system access and maintain root-level persistence, the report notes. The issue was assigned CVE-2026-22769 and carries the top severity score.

Researchers have a limited view of the actors’ overall activity and say many actions may remain unknown. The report warns the attackers are likely still active in unpatched or incompletely remediated networks and that additional victims may be unaware of compromises.

WHY IT MATTERS

Long dwell times combined with a high-severity zero-day increase the risk of prolonged espionage and undetected access. Organizations running affected RecoverPoint deployments should apply the patch described in the vendor advisory and hunt for signs of Grimbolt and other malicious activity, since patching alone does not evict an attacker who is already present.