China-linked snoops have been exploiting Dell 0-day since mid-2024, using ‘ghost NICs’ to avoid detection
Article metadata
- Date: 2026-02-18T00:05:58+00:00
- Author: Jessica Lyons
- Original URL: https://go.theregister.com/feed/www.theregister.com/2026/02/18/dell_0day_brickstorm_campaign/
Summary
Google’s Mandiant team and Google Threat Intelligence report that a suspected PRC-linked actor, tracked as UNC6201, has been exploiting a critical hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) since at least mid-2024. The flaw allowed unauthenticated access via Apache Tomcat’s manager using a hardcoded admin credential, enabling deployment of web shells and backdoors.
Key Points
- CVE-2026-22769 is a maximum-severity hardcoded-credential bug in Dell RecoverPoint for Virtual Machines; Dell published a patch and mitigations in Feb 2026.
- UNC6201 exploited the bug since mid-2024 to deploy Brickstorm, Slaystyle web shells, and a newer backdoor called Grimbolt.
- Attackers used modified legitimate scripts (convert_hosts.sh) to achieve persistence and created “ghost NICs” on VMs to pivot stealthily within VMware environments.
- Grimbolt (C#, AOT-compiled and UPX-packed) replaced earlier Brickstorm binaries in Sept 2025, making static detection harder and improving performance on constrained appliances.
- Known compromise count is small (Mandiant reports “less than a dozen” affected organisations) but the full scale is unknown; organisations previously hit by Brickstorm should hunt for Grimbolt and related indicators.
Content summary
Mandiant and Google’s threat hunters found attackers exploiting a hardcoded Apache Tomcat credential to install malicious WAR files and web shells (Slaystyle), then establish persistence by altering start-up scripts on Dell RecoverPoint appliances. The intruders expanded access by creating hidden temporary network interfaces (“ghost NICs”) on virtual machines hosted on ESXi servers, enabling further lateral movement across VMware environments.
Researchers observed the campaign evolve: Brickstorm (previously written in Go and Rust) was succeeded by Grimbolt, a C# backdoor using ahead-of-time compilation and UPX packing to evade static analysis. The attackers used the same command-and-control infrastructure and remote-shell functionality as earlier variants.
Dell disclosed and patched the vulnerability (CVE-2026-22769) in February 2026 and urged customers to apply mitigations immediately. Mandiant knows of only a handful of confirmed victims but warns the true scope may be greater and recommends targeted hunting for Grimbolt indicators, altered convert_hosts.sh scripts, suspicious Tomcat Manager requests using “admin”, and evidence of ghost NICs on VMware hosts.
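As an added example that is not from the article, Dell or Mandiant: a small hunt over Tomcat access-log lines for the "suspicious Tomcat Manager requests using admin" the report tells defenders to look for. It assumes the default Tomcat AccessLogValve "common" pattern, and the log lines are constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (assumption: not real appliance logs).
SAMPLE_LOG = """\
198.51.100.7 - - [18/Feb/2026:02:58:01 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 5120
203.0.113.5 - admin [18/Feb/2026:03:00:12 +0000] "GET /manager/html HTTP/1.1" 200 1987
203.0.113.5 - admin [18/Feb/2026:03:00:40 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 42
10.0.0.8 - ops [18/Feb/2026:08:15:00 +0000] "GET /manager/status HTTP/1.1" 200 3301
"""

@dataclass
class Finding:
    host: str
    user: str
    method: str
    path: str
    status: str
    reason: str

MANAGER_PREFIX = "/manager/"          # Tomcat Manager application
DEPLOY_MARKERS = ("/deploy", "/html/upload")  # endpoints that install a WAR

def hunt_tomcat_manager(log_text: str, suspicious_user: str = "admin") -> list[Finding]:
    """Return Manager requests authenticated as the hunted user or deploying apps."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(MANAGER_PREFIX):
            continue
        reasons = []
        if m["user"] == suspicious_user:
            reasons.append(f"Manager request authenticated as '{suspicious_user}'")
        if m["method"] in ("PUT", "POST") and any(k in m["path"] for k in DEPLOY_MARKERS):
            reasons.append("application deployment via Manager")
        if reasons:
            findings.append(Finding(m["host"], m["user"], m["method"],
                                    m["path"], m["status"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for f in hunt_tomcat_manager(SAMPLE_LOG):
        print(f"{f.host} {f.method} {f.path} -> {f.reason}")
```

Any hit from an address that is not a known administrator source, or any deployment outside a change window, deserves a look at the deployed WAR and the appliance's start-up scripts.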
Context and relevance
This is part of a wider pattern of long-term, state-linked intrusion activity that targets infrastructure appliances and virtualisation stacks to gain persistent access. The report ties into earlier warnings from CISA and other firms about nation-state actors embedding themselves in critical networks and VMware estates. For organisations running Dell RecoverPoint or sizeable VMware environments, the findings underscore the increased attacker focus on appliance-level vulnerabilities and stealthy lateral movement techniques.
Why should I read this?
Short answer: because this is the kind of sneaky, long-game breach you don’t want lurking in your virtualisation layer. If you run Dell RecoverPoint or manage VMware hosts, skim this now—it tells you exactly what to hunt for (convert_hosts.sh changes, Grimbolt signatures, ghost NICs) so you can avoid getting woken up by an incident response team at 03:00. Seriously: quick read, big potential headache avoided.
Author style
Punchy. This isn’t just another CVE: it shows a persistent, evolving campaign from a suspected PRC-linked cluster that upgraded its tooling to be stealthier and faster. If you’re responsible for infrastructure security, the technical detail here matters – it tells you what to scan for and why this particular appliance-level flaw was attractive to attackers.
