
China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection

(2026/02/18)


China-linked attackers exploited a maximum-severity hardcoded-credential bug in Dell RecoverPoint for Virtual Machines as a zero-day since at least mid-2024. It's all part of a long-running effort to backdoor infected machines for long-term access, according to Google's Mandiant incident response team.

The US government and Google first warned about this campaign last year after [1]detecting Brickstorm backdoors in dozens of critical US networks.

Dell [2]disclosed and patched the critical flaw (CVE-2026-22769) on Tuesday – but noted that miscreants had found and exploited the bug before it issued a fix.


"We have received a report of limited active exploitation of this vulnerability," a Dell spokesperson told The Register. "Customers are urged to immediately implement one of the remediations detailed" in the advisory.


According to Mandiant and the Google Threat Intelligence Group, which also published a security alert on Tuesday about the Dell zero-day, the suspected PRC-linked intruders exploited CVE-2026-22769 to deploy malware including Brickstorm and a separate backdoor tracked as Grimbolt, and in some cases replaced older Brickstorm binaries with Grimbolt, while also creating “Ghost NICs” on virtual machines to enable stealthy network pivoting.

"Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including Slaystyle, Brickstorm, and a novel backdoor tracked as Grimbolt," [6]said Google threat hunters Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson, Jr, and Rich Reece.


When asked about the scope of exploitation, Mandiant Consulting manager Reece, who co-authored the report, said Mandiant knows of "less than a dozen" organizations affected by CVE-2026-22769. "But because the full scale of this campaign is unknown, we recommend that organizations previously targeted by Brickstorm look out for Grimbolt in their environments," he told The Register.

New and improved backdoor

While the earlier versions of the Brickstorm backdoor were written in Go, and later Rust, it appears the attacker replaced these binaries with Grimbolt in September 2025, according to Mandiant.

Grimbolt, written in C#, uses native ahead-of-time (AOT) compilation to translate programming language code into native machine code before the application runs. It's also packed with UPX, an executable packer that compresses the native binary files produced by AOT.


These features make the malware less likely to raise any flags via static analysis, and enhance performance on resource-constrained appliances.

Grimbolt also provides the same remote shell capability and uses the same command and control infrastructure as the earlier Brickstorm malware.

"UNC6201 established Brickstorm and Grimbolt persistence on the Dell RecoverPoint for Virtual Machines by modifying a legitimate shell script named convert_hosts.sh to include the path to the backdoor," the Googlers reported. "This shell script is executed by the appliance at boot time via rc.local."
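The persistence described above hangs on one appended line in a boot-time script. As an added example (not Dell's or Google's code), the check below diffs such a script against a trusted known-good copy and flags added lines that execute something from outside the usual system directories; both script bodies are constructed placeholders, not the real appliance files.

```python
"""Audit a boot-time shell script for lines added since a known-good copy."""
import difflib
import re

# Constructed stand-in for the vendor's convert_hosts.sh (not the real script).
BASELINE_SCRIPT = """#!/bin/bash
/usr/local/bin/convert_hosts --in /etc/hosts.in --out /etc/hosts
"""

# Constructed tampered copy: one extra line launching a binary from a writable path.
TAMPERED_SCRIPT = BASELINE_SCRIPT + "/var/tmp/.cache/update &\n"

# Directories from which a vendor boot script would normally run executables.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/opt/", "/etc/", "/lib/")

# Absolute path tokens; the lookbehind avoids matching the tail of "a.b/c" style text.
ABS_PATH = re.compile(r"(?<![\w.])/(?:[\w.-]+/)*[\w.-]+")


def added_lines(baseline, current):
    """Lines present in current but not in baseline (one-sided unified diff)."""
    diff = difflib.unified_diff(
        baseline.splitlines(), current.splitlines(), n=0, lineterm=""
    )
    return [ln[1:] for ln in diff if ln.startswith("+") and not ln.startswith("+++")]


def untrusted_paths(line):
    """Absolute paths on the line that fall outside TRUSTED_PREFIXES."""
    return [p for p in ABS_PATH.findall(line) if not p.startswith(TRUSTED_PREFIXES)]


def audit_boot_script(baseline, current):
    """Report every added line, and which of them reference untrusted paths."""
    added = added_lines(baseline, current)
    flagged = {ln: untrusted_paths(ln) for ln in added if untrusted_paths(ln)}
    return {"added": added, "flagged": flagged}


if __name__ == "__main__":
    report = audit_boot_script(BASELINE_SCRIPT, TAMPERED_SCRIPT)
    for line, paths in report["flagged"].items():
        print(f"FLAGGED: {line!r} -> {paths}")
```

The same diff-plus-path check applies to rc.local itself, since that is what launches the script at boot.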


Plus, they note, the IR team discovered the Dell zero-day while investigating a victim's environment that had been backdoored by Brickstorm and Grimbolt.

Security analysts spotted "multiple web requests" to vulnerable appliances using the username "admin" and directed to the installed Apache Tomcat Manager.

[9]Google warns China-linked spies lurking in 'numerous' enterprises

[10]PRC spies Brickstormed their way into critical US networks and remained hidden for years

[11]China remains embedded in US energy networks 'for the purpose of taking it down'

[12]Google patches Chrome zero-day as in-the-wild exploits surface

Dell RecoverPoint for Virtual Machines uses Apache Tomcat as its web server, and the security sleuths soon discovered that the attackers had been exploiting a hardcoded password in Apache Tomcat to then deploy a malicious WAR file containing a Slaystyle web shell.
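The tell that led the IR team to the bug was authenticated "admin" traffic to the Tomcat Manager followed by a WAR deployment. As an added example (not from the article or Google's report), this parses Tomcat's default "common" access-log pattern (%h %l %u %t "%r" %s %b) and reports authenticated Manager hits, rating the deployment endpoints highest; the log lines are constructed samples.

```python
"""Flag Tomcat Manager activity in an appliance's access log."""
import re

# Tomcat "common" pattern: host ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that deploy or upload an application (WAR) to the server.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")


def classify(method, path):
    """'high' for a WAR deployment, 'medium' for other Manager access, else None."""
    path = path.split("?", 1)[0]
    if not path.startswith("/manager"):
        return None
    if method in ("PUT", "POST") and path.startswith(DEPLOY_PATHS):
        return "high"
    return "medium"


def scan_access_log(lines):
    """Return (severity, host, user, ts, request) for authenticated Manager hits."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["user"] == "-":
            continue  # unparsable line, or no authenticated user on the request
        sev = classify(m["method"], m["path"])
        if sev:
            findings.append(
                (sev, m["host"], m["user"], m["ts"], f'{m["method"]} {m["path"]}')
            )
    return findings


# Constructed sample log: a benign request, a Manager listing, a WAR deploy,
# and an unauthenticated probe that Tomcat rejected with 401.
SAMPLE_LOG = [
    '198.51.100.5 - - [18/Feb/2026:03:14:01 +0000] "GET /ui/ HTTP/1.1" 200 4120',
    '203.0.113.7 - admin [18/Feb/2026:03:14:07 +0000] "GET /manager/text/list HTTP/1.1" 200 132',
    '203.0.113.7 - admin [18/Feb/2026:03:14:09 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 57',
    '198.51.100.5 - - [18/Feb/2026:03:15:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
]
```

On a RecoverPoint appliance the Manager should never be touched in normal operation, so a single "medium" hit is already worth a ticket.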

"This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence."

Additionally, after abusing the bug to exploit the Dell appliances, UNC6201 then created "ghost NICs" – hidden, temporary network ports on existing virtual machines running on an ESXi server – to burrow deeper into victims' VMware virtual infrastructure.

VMware did not immediately respond to The Register's inquiries.

The US Cybersecurity and Infrastructure Security Agency and CrowdStrike [13]both previously warned that Chinese attackers were targeting organizations' VMware environments and using Brickstorm for persistent access.

"State-sponsored actors are not just infiltrating networks," CISA's Nick Andersen, executive assistant director for cybersecurity, said in December. "They're embedding themselves to enable long term access, disruption, and potential sabotage." ®




[1] https://www.theregister.com/2025/09/24/google_china_spy_report/

[2] https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079

[6] https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day

[9] https://www.theregister.com/2025/09/24/google_china_spy_report/

[10] https://www.theregister.com/2025/12/04/prc_spies_brickstorm_cisa/

[11] https://www.theregister.com/2026/02/17/volt_typhoon_dragos/

[12] https://www.theregister.com/2026/02/16/chromes_zeroday/

[13] https://www.theregister.com/2025/12/04/prc_spies_brickstorm_cisa/



Dell can be counted on...

John Klos

Dell can be counted on to do the dumbest things possible. Hardcoded credentials in a tool meant to administer virtual machines? Sure! Why not? What could go wrong?

The for-profit world's lack of real concern for security has always been a liability. It's a shame that it's taking so long for regular people to realize that.

Re: Dell can be counted on...

Anonymous Coward

Just for our edification, can you list the other companies that have had CVEs published for credentials hardcoded into Tomcat?

Klatu barada nikto.