Full Report
Google researchers said Chinese attackers have been exploiting a Dell zero-day since mid-2024, and they have since moved on to a more advanced version of the Brickstorm malware called Grimbolt. Source: CyberScoop, "Chinese hackers exploited a Dell zero-day for 18 months before anyone noticed".
Analysis Summary
# Threat Actor: UNC6201
## Attribution & Identity
* **Actor Name:** UNC6201
* **Country of Origin:** China (State-sponsored)
* **Known Aliases & Associated Groups:**
* Overlaps with **UNC5221** (also known as **Silk Typhoon**).
* Associated with a broader cluster of actors targeting edge devices and critical infrastructure.
## Activity Summary
UNC6201 is a sophisticated Chinese espionage group that has been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least **mid-2024**. The group is notably persistent, maintaining access to victim environments for more than **400 days** before detection. In late 2024 and early 2025 it moved from its earlier backdoor, *Brickstorm*, to a more advanced backdoor called *Grimbolt*, in order to evade the detection signatures published by Western agencies.
## Tactics, Techniques & Procedures
* **Zero-Day Exploitation:** Leverages unpatched vulnerabilities in edge applications and virtual machine management software.
* **Persistence:** Obtains root-level access on the appliance using its hardcoded credentials, which remain usable for re-entry until the product is patched.
* **Detection Evasion:**
* Targets edge devices and systems that lack **Endpoint Detection and Response (EDR)**.
* Deploys custom backdoors (*Grimbolt*) that are high-complexity and difficult to reverse-engineer.
* Removes older malware binaries (*Brickstorm*) and replaces them with newer variants to stay ahead of defenders.
* **MITRE ATT&CK IDs (Inferred):**
* T1190: Exploit Public-Facing Application
* T1505.003: Server Software Component: Web Shell (historical Brickstorm behavior)
* T1552.001: Unsecured Credentials: Credentials In Files (hardcoded passwords)
## Targeting
* **Sectors:** Critical infrastructure, government agencies, and organizations managing virtualized environments.
* **Geography:** Primarily the United States and Canada (based on CISA/CCCS involvement).
* **Victims:** Dozens of U.S. organizations across the broader campaign; the most recent Grimbolt activity has so far been confirmed at fewer than a dozen organizations, and the total global scale remains unknown.
## Tools & Infrastructure
* **Malware:**
* **Brickstorm:** The group's earlier backdoor, used for long-term espionage access.
* **Grimbolt:** A more advanced, stealthy backdoor that replaced Brickstorm in late 2024/early 2025.
* **Vulnerability Exploited:**
* **CVE-2026-22769:** A zero-day in Dell RecoverPoint for Virtual Machines (CVSS 10.0) involving a hardcoded administrator password in the product's Apache Tomcat component.
## Implications
UNC6201 demonstrates a high level of operational security and technical agility. Its ability to dwell in networks for over 18 months undetected indicates that standard security monitoring is not covering the systems it lives on. The rapid shift from Brickstorm to Grimbolt points to a well-resourced actor able to modify its toolkit in near real time in response to public disclosure by security researchers and government agencies (CISA/NSA).
## Mitigations
* **Patch Management:** Immediately apply patches for **CVE-2026-22769** provided by Dell.
* **Threat Hunting:** Organizations previously targeted by or infected with *Brickstorm* should conduct intensive hunts for *Grimbolt* indicators, as the actor is known to "hot-swap" these tools.
* **Edge Device Security:** Increase monitoring of edge applications and management consoles (like Dell RecoverPoint) that do not support traditional EDR agents.
* **Credential Audit:** Review systems for hardcoded or default passwords, and confirm that no unauthenticated or default-credential remote access is possible on critical management infrastructure.
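As a concrete starting point for the credential audit above, the following script is an added example (it is not from the CyberScoop report, Dell, or Google, and it does not detect CVE-2026-22769 itself, since the report does not say where that credential lives). It assumes a Tomcat-based management console whose realm is backed by the standard `conf/tomcat-users.xml` layout, and that properly digested passwords use Tomcat's `MessageDigestCredentialHandler` form `salt$iterations$hash` (or a bare hex digest on older releases). The sample file and every credential in it are constructed for the example.

```python
"""Audit an Apache Tomcat users file for hardcoded, default, or plaintext
administrative credentials.

Added example, not part of the original report. Assumptions: the console's
Tomcat realm reads conf/tomcat-users.xml, and digested passwords use the
"salt$iterations$hex" form (or a bare MD5/SHA hex digest on older Tomcat).
"""
import re
import xml.etree.ElementTree as ET

# Roles that grant control of the Tomcat host or its deployed applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
# Usernames that ship in vendor examples and are often left in place.
DEFAULT_USERNAMES = {"tomcat", "admin", "manager", "both", "role1"}
# salt$iterations$hash as written by MessageDigestCredentialHandler.
DIGEST_RE = re.compile(r"^[0-9a-f]+\$\d+\$[0-9a-f]+$", re.IGNORECASE)
# Bare hex digests (MD5 / SHA-1 / SHA-256 / SHA-512) used by older realms.
BARE_HEX_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|[0-9a-f]{128})$",
                         re.IGNORECASE)

# Constructed sample: one hardcoded vendor admin, one properly digested
# operator, one plaintext read-only account. None of these are real.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="viewer"/>
  <user username="admin" password="changeme" roles="manager-gui,admin-gui"/>
  <user username="ops"
        password="0123456789abcdef0123456789abcdef$10000$9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
        roles="manager-gui"/>
  <user username="report" password="summer2024" roles="viewer"/>
</tomcat-users>
"""


def is_digested(password):
    """True if the stored value looks like a digest rather than a plaintext password."""
    return bool(DIGEST_RE.match(password) or BARE_HEX_RE.match(password))


def audit_tomcat_users(xml_text):
    """Return (username, severity, finding) tuples for risky accounts.

    Works on namespaced and un-namespaced files, and accepts both the
    'username' and legacy 'name' attributes on <user> elements.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if password == "":
            findings.append((name, "HIGH", "empty password"))
        elif not is_digested(password):
            severity = "HIGH" if privileged else "MEDIUM"
            detail = "plaintext password"
            if privileged:
                detail += " on privileged roles " + ",".join(privileged)
            findings.append((name, severity, detail))
        if name.lower() in DEFAULT_USERNAMES:
            findings.append((name, "MEDIUM", "vendor-default username"))
    return findings


if __name__ == "__main__":
    # Point this at the real file on the appliance, e.g.
    # audit_tomcat_users(open("/opt/tomcat/conf/tomcat-users.xml").read())
    for user, sev, detail in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"[{sev}] {user}: {detail}")
```

On the constructed sample this flags `admin` twice (plaintext password on `admin-gui,manager-gui`, and a vendor-default username) and `report` once (plaintext password on a non-privileged account), while the digested `ops` account passes. Any HIGH finding on a management console that cannot run EDR is exactly the kind of credential an actor like UNC6201 needs only once to obtain long-lived root access, so treat it as a patch-or-rotate-now item rather than a backlog ticket.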