Mark0
From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day

Mandiant and Google Threat Intelligence Group have uncovered the zero-day exploitation of CVE-2026-22769, a critical vulnerability (CVSS 10.0) in Dell RecoverPoint for Virtual Machines. The threat actor, identified as UNC6201 (suspected PRC-nexus), has been exploiting this flaw since mid-2024 to deploy various malware samples, including the newly discovered GRIMBOLT backdoor. GRIMBOLT represents a significant shift in tradecraft: it is written in C# and compiled with native ahead-of-time (AOT) compilation, which hinders static analysis and improves performance on edge appliances.

Beyond the Dell exploitation, the investigation revealed sophisticated tactics within VMware virtual infrastructure. UNC6201 was observed creating "Ghost NICs" on ESXi servers to facilitate stealthy network pivoting and employing complex iptables configurations for Single Packet Authorization (SPA). Organizations are strongly advised to apply Dell’s official remediations and utilize the provided YARA rules and forensic artifacts to hunt for potential indicators of compromise within their environments.
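The summary above notes that UNC6201 used iptables rules to implement Single Packet Authorization, and that defenders are expected to hunt for such artifacts. The following is an added example written for this post, not code from Mandiant, GTIG, or Dell: a small Python script that scans `iptables-save` output for the rule pattern that port-knocking and SPA gates are typically built from, namely a trigger rule that adds the source to a `-m recent` list (often combined with `-m string` payload matching) and a second rule that ACCEPTs traffic on another port only when `--rcheck`/`--update` finds the source on that list. The two rulesets are constructed for the example; the report does not describe the actor's exact rules, so treating `recent` plus `string` as the SPA building blocks is an assumption here.

```python
"""Flag SPA / port-knocking gates in iptables-save output (defensive hunting aid).

Heuristic (assumption, not from the report): a gate consists of
  1. a trigger rule that puts the source address on a `-m recent` list (--set),
  2. an opener rule that ACCEPTs another port only if the source is on that
     list (--rcheck or --update).
Benign uses of `-m recent`, such as SSH brute-force limiting, use the list
to DROP, not ACCEPT, and are therefore not reported.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a UDP knock carrying a magic byte string on 62201
# opens SSH for 30 seconds. Values are made up for illustration.
SPA_RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 62201 -m string --hex-string "|0f4a9c|" --algo bm -m recent --name spa --set -j DROP
-A INPUT -p tcp --dport 22 -m recent --name spa --rcheck --seconds 30 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: a common SSH rate limiter that also uses `-m recent`
# but only to DROP; it must not be reported as a gate.
BENIGN_RULESET = """\
*filter
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    raw: str
    chain: str
    proto: Optional[str] = None
    dport: Optional[str] = None
    target: Optional[str] = None
    recent_name: Optional[str] = None
    recent_op: Optional[str] = None      # set / rcheck / update / remove
    string_match: bool = False


def parse_rule(line: str) -> Rule:
    """Parse one `-A CHAIN ...` line. Only the options the heuristic needs are kept."""
    toks = shlex.split(line)                 # honours the quoted --hex-string value
    rule = Rule(raw=line, chain=toks[1])
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule.proto = toks[i + 1]; i += 2
        elif t in ("--dport", "--destination-port"):
            rule.dport = toks[i + 1]; i += 2
        elif t == "-j":
            rule.target = toks[i + 1]; i += 2
        elif t == "-m":
            if toks[i + 1] == "string":
                rule.string_match = True
            i += 2
        elif t == "--name":
            rule.recent_name = toks[i + 1]; i += 2
        elif t in ("--set", "--rcheck", "--update", "--remove"):
            rule.recent_op = t.lstrip("-"); i += 1
        else:
            i += 1
    return rule


def parse_ruleset(text: str) -> List[Rule]:
    """Keep only rule lines; table headers, chain policies, COMMIT and comments are skipped."""
    return [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]


def find_spa_gates(text: str) -> List[Dict[str, object]]:
    """Return one finding per `recent` list that is both set by a trigger and used to ACCEPT."""
    by_list: Dict[str, List[Rule]] = {}
    for r in parse_ruleset(text):
        if r.recent_name:
            by_list.setdefault(r.recent_name, []).append(r)

    findings = []
    for name, rules in by_list.items():
        triggers = [r for r in rules if r.recent_op == "set"]
        openers = [r for r in rules if r.recent_op in ("rcheck", "update") and r.target == "ACCEPT"]
        for trig in triggers:
            for opn in openers:
                findings.append({
                    "list_name": name,
                    "trigger_port": trig.dport,
                    "trigger_proto": trig.proto,
                    "string_match": trig.string_match,   # payload-keyed knock, typical of SPA
                    "opened_port": opn.dport,
                    "trigger_rule": trig.raw,
                    "opener_rule": opn.raw,
                })
    return findings


if __name__ == "__main__":
    for label, rs in (("spa", SPA_RULESET), ("benign", BENIGN_RULESET)):
        for f in find_spa_gates(rs):
            print(f"[{label}] list {f['list_name']}: knock on {f['trigger_proto']}/{f['trigger_port']} "
                  f"(payload match: {f['string_match']}) opens port {f['opened_port']}")
```

Run it against `iptables-save` output collected from a suspect host (for example `iptables-save > rules.txt` on the appliance, then feed the file contents to `find_spa_gates`). A reported gate is not proof of compromise on its own, since administrators do deploy port knocking legitimately, but an unexpected gate on an edge appliance, especially one keyed on a payload string, is exactly the artifact worth comparing against the vendor's baseline and the report's indicators.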
