The Hack That Lasted 400 Days: Inside China's Dell Zero-Day Campaign
State-sponsored Chinese hackers sat inside critical infrastructure networks for 18 months — using a hardcoded Dell password nobody caught.

Dateline: February 18, 2026
A China-linked espionage group spent a year and a half inside networks belonging to critical infrastructure operators and government agencies — completely undetected. The entry point? A hardcoded admin password baked into Dell's own software.
On February 17, 2026, Google Threat Intelligence Group (GTIG) and Mandiant published research exposing a long-running campaign by a Chinese state-sponsored threat group tracked as UNC6201. The group, which overlaps with the widely known Silk Typhoon (UNC5221), had been quietly exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least mid-2024.
The vulnerability (CVE-2026-22769) carries a perfect 10/10 CVSS score, about as bad as it gets. The flaw stems from a hardcoded administrator password that Dell's software pulled from Apache Tomcat. Any unauthenticated attacker who knew the password could walk right in and gain root-level access — no credentials, no detection, no problem.
Dell disclosed the vulnerability and released a patch the same day Google published its findings. The company confirmed it was aware of affected organizations and urged customers to apply the fix immediately.
The campaign didn't start with this flaw. For years prior, the same threat group had been planting a backdoor called Brickstorm across target networks. By the time CISA publicly flagged the campaign last December (noting dozens of U.S. organizations already compromised), the attackers had already moved on. By September 2025, they had swapped Brickstorm out for a newer, harder-to-detect backdoor called Grimbolt, replacing older malware binaries before defenders could catch up.
The group sat inside networks for more than 400 days without triggering alarms — long enough to map infrastructure, exfiltrate data, and dig in deep. Austin Larsen, principal analyst at GTIG, told CyberScoop the actor is "likely still active in unpatched and remediated environments."
Fewer than a dozen organizations have been confirmed as victims of the Dell-specific exploit, but Larsen was direct about the bigger picture: "We suspect a significant portion of UNC5221 and UNC6201's activity likely remains unknown, and there is a strong probability that they are developing or using undiscovered zero-days and malware."
The most unsettling part? Larsen added: "Additional organizations were likely compromised as part of this campaign and do not know it yet."
This group specifically goes after edge devices and appliances that run without endpoint detection — the blind spots most organizations don't think about until it's too late.
If your organization runs Dell RecoverPoint for Virtual Machines, patch now. Dell's advisory (DSA-2026-079) has the details. That's the non-negotiable first step.
Beyond that, here's what this incident makes clear:
Audit your edge devices. Firewalls, VPN appliances, backup systems, virtual machine managers — these are exactly where this group looks for footholds. If a device doesn't support EDR, it needs extra monitoring.
Hunt for Brickstorm and Grimbolt. CISA, NSA, and the Canadian Centre for Cyber Security released indicators of compromise last week. If your organization was previously targeted by Brickstorm, check for Grimbolt. Don't assume a prior clean bill of health still holds.
Assume longer dwell times. Standard incident response timelines don't account for 400-day intrusions. Threat hunting needs to look further back than most teams typically do.
Watch for hardcoded credentials in third-party software. This vulnerability existed because a vendor embedded a static password into a production product. Periodic audits of the software running in your environment — especially backup and recovery tools — can surface these risks before attackers do.
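As an added illustration of that last recommendation (example code written for this article, not Dell's or Google's), here is a small Python audit that parses a Tomcat tomcat-users.xml and flags accounts that hold a privileged role but store their password in the clear rather than as a Tomcat digest. The sample XML, the role list and the digest heuristic are assumptions; Dell's real configuration and the exploited password are not reproduced.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml: one admin-role account with a plaintext
# password, one service account stored as a Tomcat salt$iterations$digest.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="admin" password="changeme123" roles="manager-gui,admin-gui"/>
  <user username="svc" roles="manager-script"
        password="0c4f2e1a9b3d7e55$100000$6f1ed002ab5595859014ebf0951522d96f1ed002ab5595859014ebf0951522d9"/>
  <user username="reader" password="plain" roles="probe"/>
</tomcat-users>
"""

# Roles that grant control of the Tomcat instance (assumed set for the audit).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Tomcat's MessageDigestCredentialHandler stores either a bare hex digest or
# "<hexsalt>$<iterations>$<hexdigest>". Anything else is treated as plaintext.
HASHED_RE = re.compile(r"^([0-9a-f]+\$\d+\$)?[0-9a-f]{32,}$", re.I)


def audit_tomcat_users(xml_text):
    """Return (username, reason) for privileged accounts with weak storage."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "user":  # ignore the XML namespace
            continue
        name = elem.get("username") or elem.get("name", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue  # unprivileged accounts are out of scope for this check
        if not password:
            findings.append((name, "privileged account with empty password"))
        elif not HASHED_RE.match(password):
            findings.append((name, "privileged account with plaintext password"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"FINDING: {user}: {reason}")
```

Point it at every tomcat-users.xml shipped inside third-party appliances during a periodic audit; a hit is a question for the vendor, not something to fix by editing the file.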
CISA confirmed it will share additional guidance. Keep an eye on their advisories at cisa.gov.