Researchers uncovered more worrying details about a long-running cyber espionage campaign suspected to be backed by the Chinese government, exemplifying how such attacks often go undetected until they’ve already caused significant damage.
Google Threat Intelligence Group and Mandiant said the Chinese threat group UNC6201 has been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least mid-2024. The group overlaps with UNC5221, also known as Silk Typhoon, which has been burrowing into critical infrastructure and government agency networks undetected since at least 2022.
The zero-day exploitation marks an escalation from this particular cluster of actors. State-sponsored attackers spent years implanting Brickstorm malware into networks before the campaign was finally detected last summer. By September, however, the attackers had replaced Brickstorm with Grimbolt, a more advanced malware that’s harder to detect, Google security researchers said Tuesday.
The zero-day vulnerability — CVE-2026-22769 — hinges on a hardcoded administrator password in Dell RecoverPoint for Virtual Machines that was pulled from Apache Tomcat. It carries a 10/10 CVSS rating. The Chinese threat group has been using the hardcoded password, which triggers the vulnerability and allows unauthenticated remote attackers to gain full system access with root-level persistence for at least 18 months, Google said.
Dell Technologies disclosed and released a patch for the vulnerability Tuesday. A company spokesperson urged customers to follow guidance in its security advisory.
“We are aware of less than a dozen impacted organizations, but because the full scale of this campaign is unknown we recommend that organizations previously targeted by Brickstorm look out for Grimbolt in their environments,” Austin Larsen, principal analyst at GTIG, told CyberScoop.
When the Cybersecurity and Infrastructure Security Agency unveiled new details about the campaign in December, Google said dozens of U.S. organizations, not including downstream victims, had already been impacted by Brickstorm.
“The actor is likely still active in unpatched and remediated environments, and because exploitation has been occurring since mid-2024, they have had significant time to establish persistence and carry out long-term espionage,” Larsen added.
The campaign — one of many concurrent efforts by China state-sponsored groups to embed themselves into networks for long-term access, disruptions and potential sabotage — remains a top area of concern for national security.
CISA, the National Security Agency and Canadian Centre for Cyber Security released new analysis on Brickstorm last week to share indicators and compromise that could help potential victims detect malicious activity on their networks.
Yet, the China-linked groups involved in this campaign have already moved on to Grimbolt, in some cases replacing older Brickstorm binaries with the new backdoor that’s more difficult to reverse engineer, according to Google.
Marci McCarthy, director of public affairs at CISA, told CyberScoop the agency will share further information on Wednesday.
Google’s fresh research on the China state-sponsored campaign demonstrates how the threat group’s tenacity, and ability to dwell undetected in networks longer than 400 days, keeps defenders and cyber authorities at a disadvantage.
The threat groups typically target edge applications and devices running on systems without endpoint detection and response, but researchers don’t know how attackers broke into the networks of the most recently discovered victims.
Researchers only have a narrow view of the threat groups’ activities at large.
“We suspect a significant portion of UNC5221 and UNC6201’s activity likely remains unknown, and there is a strong probability that they are developing or using undiscovered zero-days and malware,” Larsen said. “The most concerning aspect of this campaign is that additional organizations were likely compromised as part of this campaign and do not know it yet.”
