APT Group Exploits Dell Zero-Day Vulnerability to Breach VMware Systems Since Mid-2024

Thursday, February 19, 2026

Security researchers from Mandiant and the Google Threat Intelligence Group (GTIG) have disclosed that a threat actor tracked as UNC6201 has been conducting covert attacks by exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines, a backup and disaster recovery solution for VMware environments. The vulnerability, identified as CVE-2026-22769, stems from the use of hardcoded credentials within the system. This flaw enables attackers with network access to obtain root-level privileges and establish persistent control over the core operating system. Evidence suggests that exploitation activity has been occurring since mid-2024.

In this campaign, the attackers deployed a newly identified malware strain called “Grimbolt,” written in C#. The malware uses advanced compilation techniques that enhance execution speed and complicate forensic analysis. Researchers also observed a novel technique referred to as “Ghost NICs,” in which temporary virtual network interfaces are created on VMware ESXi servers to facilitate stealthy lateral movement within the network. This method allows attackers to bypass traditional endpoint detection and response (EDR) systems and target virtual infrastructure environments, which are often less rigorously monitored than conventional endpoints.

Analysis indicates that UNC6201 shares links with the threat group Silk Typhoon, which has previously targeted government entities and technology sector organizations across multiple countries. Dell has issued an urgent security advisory, recommending that organizations using Dell RecoverPoint for Virtual Machines upgrade immediately to version 6.0.3.1 HF1 or later, or apply the mitigation measures outlined in the company’s security bulletin to close the vulnerability and reduce the long-term risk of cyber espionage.

Source: https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-dell-zero-day-flaw-since-mid-2024/