In mid-2024 a quiet campaign began that security researchers have now attributed to a group suspected of being backed by the Chinese state. This actor took advantage of a critical flaw in a Dell product to enter corporate networks and maintain deep persistence in virtualized environments.
The vulnerability in question is a hardcoded credential in Dell RecoverPoint for Virtual Machines, a solution designed to protect and recover virtual machines in VMware environments. The flaw is tracked as CVE-2026-22769 and affects versions prior to 6.0.3.1 HF1. Dell has published a security advisory recommending that customers update or apply the mitigation as soon as possible, because an unauthenticated attacker who knows that credential can gain access to the underlying operating system and establish persistence with root privileges.

Teams at Google Threat Intelligence Group (GTIG) and Mandiant describe how the group designated UNC6201 exploited this vector to deploy several loaders and backdoors. Among them is a new family called Grimbolt, written in C# and compiled with a relatively recent technique that makes it faster and harder to analyze both statically and dynamically. Grimbolt appears to have replaced another backdoor known as Brickstorm in September 2025, although it is not clear whether that transition was a planned improvement or a reaction to incident response by Mandiant and other industry teams.
What is disturbing is not only the initial exploitation but also how the attackers extended their capabilities within the virtualized infrastructure. Researchers observed the use of temporary virtual network interfaces, colloquially called "Ghost NICs", on VMware ESXi servers. These ephemeral interfaces allow attackers to pivot from compromised virtual machines to internal resources or even SaaS services without leaving the usual indicators of lateral movement, which makes the technique both novel and difficult to detect.
Another factor that facilitates these intrusions is the choice of targets: appliances and devices that normally do not run traditional endpoint detection and response (EDR) agents. By targeting infrastructure components that lack standard endpoint protection, the attackers manage to remain undetected for long periods, making containment more costly and complex.
Traces of these operations also overlap with another threat cluster tracked as UNC5221, previously associated with the exploitation of vulnerabilities in Ivanti products and linked by some analysts to Chinese state campaigns such as Silk Typhoon. In April 2024 Mandiant documented the use of Brickstorm in attacks aimed at Ivanti customers, and security companies such as CrowdStrike have linked operations that used Brickstorm to an actor they call Warp Panda, which attacked VMware vCenter servers and other targets in sectors such as legal, technology and manufacturing.
For security teams and system administrators, the news has several practical implications. First, follow Dell's guidance and prioritize updating to patched versions or applying the proposed mitigation; Dell has published specific instructions and a list of affected products in its security advisory. Second, review access to management interfaces and backup systems, limit their exposure to untrusted networks, and enforce strong authentication controls and network segmentation.
It is also important to actively hunt for indicators of compromise: search for unusual processes or binaries on systems linked to RecoverPoint, review ESXi logs for the creation of temporary virtual interfaces and ports, and analyze lateral traffic between virtual machines that could reveal the use of Ghost NICs. Since many appliances do not run EDR, the signals may instead appear in network logs, hypervisor telemetry or integrity monitoring solutions.
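As an added illustration of the hunting step described above (not code from Dell, GTIG or Mandiant), the following script correlates interface add and remove events from hypervisor telemetry and flags interfaces that lived only briefly, which is the "Ghost NIC" pattern. The event records, the field names and the one-hour window are constructed assumptions, not the real ESXi log format.

```python
"""Flag short-lived ("ghost") virtual network interfaces from hypervisor events.

Added example, not code from the vendors or research teams named in the article.
The event format is constructed for illustration (assumption): each event is
(timestamp, host, action, interface), with action "add" or "remove".
"""
from datetime import datetime, timedelta

# Constructed sample telemetry. vmk7 on esx01 is created and torn down within
# minutes (the suspicious pattern); vmk1 on esx02 stays up and is normal.
# One event is deliberately out of order to show that sorting is required.
SAMPLE_EVENTS = [
    ("2025-09-10T02:41:20", "esx01", "remove", "vmk7"),
    ("2025-09-10T02:14:03", "esx01", "add", "vmk7"),
    ("2025-09-10T08:00:00", "esx02", "add", "vmk1"),
]

# Assumption: an interface that disappears within this window is worth review.
GHOST_WINDOW = timedelta(hours=1)


def find_ghost_nics(events, window=GHOST_WINDOW):
    """Return [(host, iface, lifetime_seconds)] for interfaces removed within
    `window` of their creation. Events are sorted by timestamp first."""
    pending = {}  # (host, iface) -> creation time of the currently open instance
    ghosts = []
    for ts, host, action, iface in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (host, iface)
        if action == "add":
            pending[key] = t
        elif action == "remove" and key in pending:
            lifetime = t - pending.pop(key)
            if lifetime <= window:
                ghosts.append((host, iface, int(lifetime.total_seconds())))
    return ghosts


def long_lived_interfaces(events, window=GHOST_WINDOW):
    """Interfaces that were added and never removed (or outlived the window)."""
    flagged = {(h, i) for h, i, _ in find_ghost_nics(events, window)}
    added = {(host, iface) for _, host, action, iface in events if action == "add"}
    return sorted(added - flagged)


if __name__ == "__main__":
    for host, iface, secs in find_ghost_nics(SAMPLE_EVENTS):
        print(f"REVIEW: {iface} on {host} existed for only {secs} s")
```

Real deployments would feed this from vCenter/ESXi event exports and tune the window to the environment's normal provisioning cadence.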

Beyond immediate technical mitigation, this campaign carries a broader lesson: virtualized infrastructure and backup solutions are high-value targets for advanced actors. The compromise of a recovery tool can give an attacker visibility and persistence that affect the whole company. It is therefore essential to build security into the platform's design, from credential management to segmentation, immutable backups and validation of image and configuration integrity.
For those who want to go deeper into the technical findings and the research timeline, the original reports from the teams that documented the activity provide telemetry details and recommendations: the GTIG and Mandiant analysis, Dell's security advisory and the CVE database entry for CVE-2026-22769. Consulting these sources makes it possible to make informed decisions and apply appropriate countermeasures.
In short, this is one more example of how apparently "local" flaws in backup tools can become entry points for sophisticated campaigns. The combination of a critical vulnerability, malware designed to evade analysis and novel lateral movement techniques underlines the need to prioritize patching, audit virtual infrastructure and assume that unprotected appliances are a preferred vector for advanced actors.