Chinese Hackers Credited With Another Major Zero-Day Vulnerability; Dell RecoverPoint Compromised Since 2024
February 24, 2026
The Chinese hackers were likely the only ones exploiting this zero-day vulnerability, but compromised at least a handful of organizations with it dating as far back as the middle of 2024. Dwell time also tends to be in excess of a year as the attackers slowly and quietly move as far as they can through the network and extract secrets.
Users of Dell RecoverPoint for Virtual Machines will want to update to the most recent version as soon as possible, as Mandiant and Google Threat Intelligence have announced another major zero-day vulnerability to kick off 2026. This is also another vulnerability that was present for years before being detected, and is thought to have been actively exploited by Chinese hackers.
The group of attackers behind this one is not the same as Silk Typhoon or Warp Panda, but belongs to a separate "cluster," tracked as UNC6201, whose members are thought to support one another.
Chinese hackers swapping out “Brickstorm” backdoor for more sophisticated “Grimbolt”
The discovery of the zero-day vulnerability has links to the Brickstorm campaign, also attributed to Chinese hackers and thought to date back to at least 2022. But the hackers are now actively swapping out Brickstorm for a new, more sophisticated backdoor called "Grimbolt." Grimbolt has likely been in the wild for well over a year, and its dynamic elements make it harder to detect than Brickstorm was.
Mandiant reports "less than a dozen" organizations known to be impacted by this zero-day vulnerability, but the key word there is "known," and the attackers have already been spotted replacing earlier Brickstorm installations with Grimbolt. Dell has provided thorough guidance for remediating the zero-day vulnerability, but for organizations already compromised patching alone will not be enough: it closes the entry point, but it does not remove a backdoor that is already installed or revoke secrets already taken. Nevertheless, all organizations should immediately update to version 6.0.3.1 HF1 of RecoverPoint for Virtual Machines. This should be straightforward from any other installation of version 6.0, but there are added steps for older versions outlined in the Dell documentation.
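As an added example (not code from the article, from Dell, or from Mandiant), the following script triages an inventory of RecoverPoint for Virtual Machines appliances against the fixed build named above. It assumes the version is reported in the same "6.0.3.1 HF1" form the article uses, with an optional "HFn" hotfix suffix; the host names and versions in the inventory are constructed for illustration, and the exact command or API that would return a real appliance's version is not shown because the page does not give one.

```python
import re
from typing import NamedTuple

# Fixed build as stated in the article (Dell guidance). A build of 6.0.3.1
# without the HF1 hotfix is treated as NOT fixed, which is the edge case that
# a naive "major.minor.patch" comparison gets wrong.
FIXED_VERSION = "6.0.3.1 HF1"

# Assumed format: dotted numeric version, optional whitespace, optional "HF<n>".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


class RpVersion(NamedTuple):
    parts: tuple   # numeric components, padded to at least four positions
    hotfix: int    # 0 when no HF suffix is present


def parse_version(text: str) -> RpVersion:
    """Parse '6.0.3.1 HF1' into a comparable tuple; '6.0' becomes (6,0,0,0) HF0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 4 - len(nums))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return RpVersion(nums, hotfix)


def is_fixed(text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version is at or above the fixed build, hotfix included."""
    # NamedTuple compares field by field: numeric parts first, then hotfix,
    # so 6.0.3.1 (HF0) sorts below 6.0.3.1 HF1 and 6.1 sorts above it.
    return parse_version(text) >= parse_version(fixed)


def upgrade_note(text: str) -> str:
    """Summarise the upgrade path the article describes for a given version."""
    v = parse_version(text)
    if v >= parse_version(FIXED_VERSION):
        return "already fixed"
    if v.parts[:2] == (6, 0):
        return "direct update to " + FIXED_VERSION
    return "pre-6.0: follow the additional steps in Dell's documentation"


def triage(inventory: dict) -> dict:
    """Map each host to its status and upgrade path; hosts sorted for stable output."""
    report = {"needs_update": {}, "fixed": []}
    for host, ver in sorted(inventory.items()):
        if is_fixed(ver):
            report["fixed"].append(host)
        else:
            report["needs_update"][host] = upgrade_note(ver)
    return report


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = {
    "rp4vm-dc1-a": "6.0.3.1 HF1",   # patched
    "rp4vm-dc1-b": "6.0.3.1",       # same base build but missing the hotfix
    "rp4vm-dc2-a": "6.0.2",         # 6.0 line, direct update
    "rp4vm-lab-1": "5.3.2 HF3",     # pre-6.0, extra steps required
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(status, hosts)
```

A host that shows up as fixed is not thereby known to be clean: as the paragraph above notes, an appliance that was compromised before the update still needs incident response for the backdoor and for any credentials taken from it.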
2026 opens with numerous serious zero-day vulnerability reports
Timely patching is important, as the zero-day vulnerability carries a CVSS score of 10.0 and will no doubt draw fresh attention with this report. The Chinese hackers appear to have limited deployment to select targets of espionage interest, but new players may enter before long.
However, the Dell zero-day vulnerability involved more sophisticated follow-up than is usually seen from profit-driven criminal threat actors. The Chinese hackers were able to burrow deep into victim infrastructure quickly by targeting low-visibility systems that lacked adequate endpoint protection. Between that and Grimbolt's ability to shield itself by changing its code after deployment, this incident (along with others to start 2026, such as the major zero-day vulnerabilities found recently in iOS and Chrome) may be an appropriate prompt for a security review, with a particular eye toward adopting agentic AI defenses.