
Chinese State Hackers Weaponize Dell RecoverPoint Zero-Day Since Mid-2024

4 min read · Verified by 4 sources

A sophisticated Chinese cyberespionage group, tracked as UNC6201, has been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines for roughly a year and a half. The flaw, identified as CVE-2026-22769, allowed attackers to maintain long-term persistence and conduct stealthy malware campaigns against high-value targets.

Mentioned

Dell (DELL, company) · UNC6201 (threat actor) · Mandiant (company) · GTIG (company) · RecoverPoint for Virtual Machines (product) · CVE-2026-22769 (vulnerability)

Key Intelligence

Key Facts

  1. CVE-2026-22769 is a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines.
  2. The Chinese state-sponsored group UNC6201 has been exploiting the flaw since mid-2024.
  3. The vulnerability allows unauthenticated remote code execution (RCE) in virtualized environments.
  4. Mandiant and GTIG identified the activity and reported it to Dell in early 2026.
  5. The exploitation window lasted approximately 18 months before public disclosure.

Who's Affected

Dell (company): negative
UNC6201 (threat actor): positive
Enterprise Customers: negative
Mandiant (company): positive

Analysis

The revelation that Chinese state-sponsored hackers have been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024 represents a major intelligence failure for Western cybersecurity defenses. The flaw, tracked as CVE-2026-22769, was weaponized by a sophisticated threat actor identified as UNC6201. For nearly 18 months, this group operated with near-total impunity, leveraging the vulnerability to gain deep persistence within the virtualized environments of high-value targets. This incident is not merely another software bug; it is a case study in the strategic targeting of critical infrastructure components that are often overlooked by standard security monitoring.

Dell RecoverPoint is a disaster recovery and data protection solution designed to provide continuous data protection for VMware environments. Because it sits at the intersection of storage and virtualization, it requires high-level administrative privileges and has broad visibility into an organization’s most sensitive data. By compromising this specific product, UNC6201 effectively bypassed the traditional 'front door' of the network, instead entering through a trusted management layer. This allowed the attackers to maintain a stealthy presence, as disaster recovery traffic is often high-volume and encrypted, making it difficult for network-based intrusion detection systems to distinguish between legitimate replication and malicious data exfiltration.
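The paragraph above makes the detection problem concrete: the appliance's replication traffic is bulk and encrypted, so payload inspection is of little use, but the appliance should only ever talk to a small, known set of peers. The following is an added example (not from the article, from Dell, or from Mandiant) of an egress review over flow records: every appliance-originated flow is checked against an allowlist of peer networks and ports, and per-peer byte totals are compared with an hourly baseline so that bulk transfers to an otherwise legitimate peer still stand out. The appliance address, peer subnet, ports, baseline figures and the sample flows are all constructed assumptions.

```python
"""
Egress review for a replication appliance, written as an added example.
All addresses, ports and byte counts below are constructed and are not
taken from the article or from Dell documentation.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

APPLIANCE = "10.10.5.20"  # assumed management/replication address of the appliance

# Assumed allowlist: where the appliance is expected to talk, and on which ports.
# A DR-site replication subnet and a vCenter host, both hypothetical.
ALLOWED_EGRESS = {
    ip_network("10.20.5.0/24"): {5040, 443},
    ip_network("10.10.1.10/32"): {443},
}

# Constructed per-destination baseline (bytes per hour). In practice this is
# derived from weeks of flow telemetry for each replication peer.
BASELINE_BYTES_PER_HOUR = {"10.20.5.20": 4_000_000_000}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def egress_allowed(dst: str, dport: int) -> bool:
    """True when dst:dport matches an allowlisted peer network and port."""
    addr = ip_address(dst)
    return any(addr in net and dport in ports for net, ports in ALLOWED_EGRESS.items())


def review(flows, appliance=APPLIANCE, baseline=BASELINE_BYTES_PER_HOUR, ratio=3.0):
    """Return findings for appliance-originated flows.

    Two checks: (1) any destination/port not on the allowlist, which encryption
    cannot hide because the peer itself is wrong; (2) an allowlisted peer
    receiving more than `ratio` times its hourly baseline, which surfaces bulk
    transfers hiding behind a legitimate-looking replication endpoint.
    """
    findings = []
    per_dst = defaultdict(int)
    for f in flows:
        if f.src != appliance:
            continue  # only outbound from the appliance is in scope here
        if not egress_allowed(f.dst, f.dport):
            findings.append(("unexpected_egress", f.dst, f.dport, f.nbytes))
        per_dst[f.dst] += f.nbytes
    for dst, total in per_dst.items():
        expected = baseline.get(dst)
        if expected is not None and total > ratio * expected:
            findings.append(("volume_anomaly", dst, None, total))
    return findings


# Constructed one-hour sample: normal replication, a vCenter call, an unexpected
# Internet destination, and a burst to the real peer far above baseline.
SAMPLE_FLOWS = [
    Flow(APPLIANCE, "10.20.5.20", 5040, 3_500_000_000),
    Flow(APPLIANCE, "10.10.1.10", 443, 2_000_000),
    Flow(APPLIANCE, "203.0.113.7", 443, 120_000_000),
    Flow(APPLIANCE, "10.20.5.20", 5040, 15_000_000_000),
    Flow("10.10.1.10", APPLIANCE, 443, 50_000),  # inbound, ignored by review()
]

if __name__ == "__main__":
    for kind, dst, port, n in review(SAMPLE_FLOWS):
        print(f"{kind:18} {dst:16} port={port} bytes={n}")
```

Run against the constructed sample, the review flags the 203.0.113.7 connection as unexpected egress and the 10.20.5.20 peer as a volume anomaly (18.5 GB against a 4 GB/hour baseline). The allowlist check is the cheap, high-confidence control; the volume check is noisier and needs a baseline per peer, but it is the only one of the two that can catch data leaving through a peer that is itself compromised.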


The threat actor behind the campaign, UNC6201, is widely believed to be linked to Chinese intelligence services. Its operations are characterized by a high degree of technical proficiency and a focus on long-term cyberespionage rather than immediate financial gain. In this campaign, the group used CVE-2026-22769 to execute arbitrary code on the appliance, which then served as a launchpad for a broader malware campaign. The discovery of this activity by Mandiant and GTIG suggests that the group was highly selective in its targeting, likely focusing on government agencies, defense contractors, and critical infrastructure providers where Dell data protection products such as RecoverPoint are common.

The timeline of this exploitation is particularly concerning. According to reports from Mandiant and GTIG, the zero-day was being actively used as early as mid-2024. The fact that it remained undetected until early 2026 points to a significant gap in visibility into niche enterprise appliances, where third-party endpoint agents are usually not supported and an intruder's activity blends in with legitimate administrative and replication traffic. During this period, UNC6201 was able to refine its malware delivery mechanisms and potentially pivot to other parts of the victim networks. This prolonged dwell time is a hallmark of state-sponsored operations, where the goal is to establish a durable 'backdoor' that can be activated whenever intelligence requirements dictate.

From a technical perspective, CVE-2026-22769 allowed for unauthenticated remote code execution, one of the most severe classes of vulnerabilities. While Dell has since released patches and security advisories, the damage may already be done for many organizations. The challenge now lies in the remediation process. Simply patching the software is insufficient if the attackers have already established secondary persistence mechanisms, such as compromised service accounts or modified system binaries. Organizations using RecoverPoint for Virtual Machines must now engage in comprehensive threat hunting to ensure that no remnants of UNC6201's activity remain.
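The remediation point above (patching does not remove what an intruder left behind) translates into three concrete hunts on the appliance host: compare the file system with a known-good manifest to find added or altered binaries, check the local account database for accounts that should not exist or that carry UID 0, and check SSH authorized_keys for keys nobody approved. The following is an added example of those three checks, not Dell tooling and not a published UNC6201 indicator; the manifest format, the /opt/app paths, the account names and the key blobs are constructed assumptions, and the demo builds its own tampered directory tree so it runs offline.

```python
"""
Post-patch hunt helpers for an appliance host, written as an added example.
The manifest format, file paths, account list and key list are constructed
assumptions; nothing here is Dell tooling or a published UNC6201 indicator.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare a known-good manifest with a live snapshot.

    A patch replaces the vulnerable component but neither removes a binary the
    intruder planted nor restores one they altered, so 'added' and 'modified'
    are the sets worth reading first.
    """
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def suspicious_accounts(passwd_text: str, known_accounts: set) -> list:
    """Flag login-capable accounts outside the expected set, and any extra UID-0 entry."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append(("extra_uid0", name))
        if name not in known_accounts and not shell.endswith(("nologin", "false")):
            findings.append(("unknown_login_account", name))
    return findings


def unapproved_keys(authorized_keys_text: str, approved_blobs: set) -> list:
    """Return the comment (or blob prefix) of every authorized_keys entry not approved."""
    out = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("#"):
            continue
        blob = parts[1]
        if blob not in approved_blobs:
            out.append(parts[2] if len(parts) > 2 else blob[:16])
    return out


def build_demo() -> dict:
    """Construct a tiny appliance tree, take a baseline, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "opt/app/bin").mkdir(parents=True)
        (root / "opt/app/bin/replicator").write_bytes(b"\x7fELF-pristine")
        (root / "opt/app/bin/agent").write_bytes(b"\x7fELF-agent")
        baseline = snapshot(root)  # what a trusted image would have produced

        # Simulated intrusion leftovers: a trojanised binary and a dropped helper.
        (root / "opt/app/bin/replicator").write_bytes(b"\x7fELF-pristine+implant")
        (root / "opt/app/bin/.cache").mkdir()
        (root / "opt/app/bin/.cache/helper").write_bytes(b"\x7fELF-dropper")
        return diff_manifest(baseline, snapshot(root))


# Constructed /etc/passwd excerpt and authorized_keys; all names hypothetical.
PASSWD = """root:x:0:0:root:/root:/bin/bash
rpuser:x:1001:1001:replication svc:/opt/app:/bin/bash
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
support:x:0:0:vendor support:/root:/bin/bash
"""
KNOWN_ACCOUNTS = {"root", "rpuser", "nobody"}
AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApproved0000000000000000000000000000 ops-jump
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknown00000000000000000000000000000000 backup@dr
"""
APPROVED_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIApproved0000000000000000000000000000"}

if __name__ == "__main__":
    print(build_demo())
    print(suspicious_accounts(PASSWD, KNOWN_ACCOUNTS))
    print(unapproved_keys(AUTHORIZED_KEYS, APPROVED_BLOBS))
```

The manifest comparison only works if the baseline comes from a trusted source (a vendor-published hash list or a snapshot of a freshly deployed, never-exposed appliance), not from the possibly compromised host itself; a baseline taken after the intrusion would simply bless the implant. The account and key checks are deliberately strict about unknowns rather than trying to match known-bad names, since the attacker chooses those.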

This incident fits into a broader pattern of Chinese APT activity that has increasingly targeted edge devices and infrastructure software. Groups like Volt Typhoon have previously demonstrated the ability to compromise routers, firewalls, and VPN concentrators to build covert networks. By moving further into the data center and targeting disaster recovery tools, Chinese hackers are demonstrating a sophisticated understanding of how modern enterprise IT is architected. They are no longer just looking for the easiest way in; they are looking for the most resilient way to stay in.

Looking ahead, the cybersecurity industry must reckon with the reality that disaster recovery and backup systems are now primary targets. These systems are the 'last line of defense' for organizations, and their compromise undermines the very concept of cyber resilience. CISOs should prioritize the hardening of these environments, implementing strict network segmentation and multi-factor authentication for all administrative access. Furthermore, the industry needs better visibility into the proprietary protocols used by these specialized tools. As the battle for network dominance moves deeper into the infrastructure stack, the ability to monitor and secure the 'un-monitorable' will become the next frontier in cybersecurity.

Timeline

  1. Initial Exploitation (mid-2024)

  2. Ongoing Espionage (mid-2024 to early 2026)

  3. Public Disclosure (early 2026)

  4. Patch Release

Sources

Based on 4 source articles