Chinese hackers exploited a Dell zero-day for 18 months before anyone noticed

17 February 2026 at 19:32

Researchers uncovered more worrying details about a long-running cyber espionage campaign suspected to be backed by the Chinese government, exemplifying how such attacks often go undetected until they’ve already caused significant damage.

Google Threat Intelligence Group and Mandiant said the Chinese threat group UNC6201 has been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least mid-2024. The group overlaps with UNC5221, also known as Silk Typhoon, which has been burrowing into critical infrastructure and government agency networks undetected since at least 2022.

The zero-day exploitation marks an escalation from this particular cluster of actors. State-sponsored attackers spent years implanting Brickstorm malware into networks before the campaign was finally detected last summer. By September, however, the attackers had replaced Brickstorm with Grimbolt, a more advanced malware that’s harder to detect, Google security researchers said Tuesday.

The zero-day vulnerability — CVE-2026-22769 — hinges on a hardcoded administrator password in Dell RecoverPoint for Virtual Machines that was pulled from Apache Tomcat. It carries a 10/10 CVSS rating. The Chinese threat group has been using the hardcoded password for at least 18 months, Google said; it triggers the vulnerability and allows unauthenticated remote attackers to gain full system access with root-level persistence.

Dell Technologies disclosed and released a patch for the vulnerability Tuesday. A company spokesperson urged customers to follow guidance in its security advisory.

“We are aware of less than a dozen impacted organizations, but because the full scale of this campaign is unknown we recommend that organizations previously targeted by Brickstorm look out for Grimbolt in their environments,” Austin Larsen, principal analyst at GTIG, told CyberScoop.

When the Cybersecurity and Infrastructure Security Agency unveiled new details about the campaign in December, Google said dozens of U.S. organizations, not including downstream victims, had already been impacted by Brickstorm. 

“The actor is likely still active in unpatched and remediated environments, and because exploitation has been occurring since mid-2024, they have had significant time to establish persistence and carry out long-term espionage,” Larsen added.

The campaign — one of many concurrent efforts by China state-sponsored groups to embed themselves into networks for long-term access, disruptions and potential sabotage — remains a top area of concern for national security.

CISA, the National Security Agency and the Canadian Centre for Cyber Security released new analysis on Brickstorm last week to share indicators of compromise that could help potential victims detect malicious activity on their networks.

Yet, the China-linked groups involved in this campaign have already moved on to Grimbolt, in some cases replacing older Brickstorm binaries with the new backdoor that’s more difficult to reverse engineer, according to Google.

Marci McCarthy, director of public affairs at CISA, told CyberScoop the agency will share further information on Wednesday.

Google’s fresh research on the China state-sponsored campaign demonstrates how the threat group’s tenacity, and ability to dwell undetected in networks longer than 400 days, keeps defenders and cyber authorities at a disadvantage.

The threat groups typically target edge applications and devices running on systems without endpoint detection and response, but researchers don’t know how attackers broke into the networks of the most recently discovered victims. 

Researchers only have a narrow view of the threat groups’ activities at large. 

“We suspect a significant portion of UNC5221 and UNC6201’s activity likely remains unknown, and there is a strong probability that they are developing or using undiscovered zero-days and malware,” Larsen said. “The most concerning aspect of this campaign is that additional organizations were likely compromised as part of this campaign and do not know it yet.”

The post Chinese hackers exploited a Dell zero-day for 18 months before anyone noticed appeared first on CyberScoop.

Officials warn about expansive, ongoing China espionage threat riding on Brickstorm malware

4 December 2025 at 17:19

Cybersecurity authorities and threat analysts unveiled alarming details Thursday about a suspected China state-sponsored espionage and data theft campaign that Google previously warned about in September. Given their limited visibility into China’s sustained ability to burrow undetected into critical infrastructure and government agency networks, dating back to at least 2022, the outlook is grim.

“State-sponsored actors are not just infiltrating networks, they are embedding themselves to enable long-term access, disruptions and potential sabotage,” Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said during a media briefing.

Brickstorm, a backdoor which Andersen described as a “terribly sophisticated piece of malware,” has allowed the attackers to achieve persistent access with an average duration of 393 days to support immediate data theft and follow-on pivots to other malicious activity, Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop.

“We believe dozens of organizations in the United States have been impacted by Brickstorm, not including downstream victims,” Larsen said.

CISA, the National Security Agency and the Canadian Centre for Cyber Security released an analysis report on Brickstorm, which targets VMware vSphere and Windows environments to conceal activity, achieve lateral movement and tunnel into victim networks while also automatically reinstalling or restarting the malware if disrupted. CISA provided indicators of compromise based on eight Brickstorm samples it obtained from victim organizations.

China state-sponsored attackers are primarily implanting Brickstorm into the networks of organizations in government, IT and legal services, and targeting edge devices, software as a service providers and business process outsourcers to gain access to downstream targets, according to officials and researchers.

Andersen declined to say how many government agencies have been impacted or the type of data stolen, but the scope of assumed impact is far greater than what’s been uncovered to date. “I think it’s a logical conclusion to assume that there are additional victims out there that we have not yet had the opportunity to communicate with,” he said.

CrowdStrike, which attributes the attacks to Warp Panda, and GTIG, which attributes the activity to UNC5221, both said the Brickstorm campaign goes back to at least 2022. Yet, the intrusions involving Brickstorm weren’t detected until last summer.

“Their infrastructure expansion, evolution of their tooling, and continued ability to exploit cloud misconfigurations all point to a campaign that remains highly active,” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike.

CrowdStrike said it also observed Warp Panda deploy two previously unobserved implants called Junction and GuestConduit. All of the malware is written in Golang. 

The threat group has stolen configuration data, identity metadata, documents and emails on topics that align with China’s government interest, Meyers said.

“While we haven’t observed destructive follow-on actions, the intelligence value alone is significant. Access to this kind of cloud-resident data gives a state actor the ability to map infrastructure, study dependencies, and position themselves for future operations,” he added. “That’s what makes this campaign so dangerous, it’s espionage with strategic depth.”

CISA provided details about a 2024 attack on an unnamed organization’s internal network as an example of the threat group’s operations, but much remains unknown. Authorities still don’t know key details about how attackers obtained initial access in that incident, when the webshell was implanted or how they obtained credentials for a second account to move laterally to a domain controller using remote desktop protocol.

Attackers involved in that incident copied the organization’s Active Directory database, obtained credentials for a managed service provider account and used those credentials to move from the internal domain controller to the VMware vCenter server. Officials said the attackers also jumped multiple servers to steal cryptographic keys and elevated privileges, which allowed them to deploy Brickstorm malware in the server’s directory. 

The attacks revive and amplify enduring concerns about China’s cyberespionage activity, mirroring other campaigns with similar objectives based on living-off-the-land techniques attributed to other prominent China state-sponsored threat groups.

“Compared to past China-nexus efforts, this campaign represents an evolution of tradecraft,” Meyers said. “It shows a deep understanding of multi-cloud environments and the identity fabrics that tie them together.”

A sustained lack of insight into China’s already achieved goals and what these persistent backdoors might ultimately allow attackers to accomplish down the line is startling.

The Brickstorm campaign effectively blends objectives spanning espionage, intellectual property theft and persistent access that attackers could use for follow-on malicious activity, Larsen said.

The nation-state attackers are also remarkably stealthy, exploiting gaps in networks where detection tools can’t be deployed and prioritizing the compromise of perimeter and remote access infrastructure, where log retention is often insufficient to determine the initial access vector, he added.

“Identifying this activity is exceptionally difficult because it targets appliances and edge devices that are often poorly inventoried and unmonitored,” Larsen said. “This level of operational security and the focus on ‘unmanageable’ devices places it among some of the most evasive nation-state activities we track.”

The post Officials warn about expansive, ongoing China espionage threat riding on Brickstorm malware appeared first on CyberScoop.
