Chinese Hackers Lurked in US Systems for 400 Days Using a Secret Dell Backdoor Nobody Knew About episode artwork

EPISODE · Feb 18, 2026 · 4 MIN

Chinese Hackers Lurked in US Systems for 400 Days Using a Secret Dell Backdoor Nobody Knew About

from Digital Dragon Watch: Weekly China Cyber Alert · host Inception Point AI

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey there, I'm Ting, and welcome back to Digital Dragon Watch. Let me cut right to it because this week's China cyber news is absolutely wild. So picture this: somewhere around mid-2024, a Chinese state-backed group called UNC6201 found a critical vulnerability in Dell RecoverPoint for Virtual Machines and just... kept it secret. For nearly two years. They exploited CVE-2026-22769, which is basically a hardcoded administrator password that Dell pulled from Apache Tomcat. It's a perfect ten on the severity scale, and these guys have been using it to burrow into dozens of US organizations without anyone noticing. Here's where it gets spicy. Google's Mandiant team discovered these attackers deployed something called Brickstorm, a nasty backdoor that sits on appliances without traditional security tools. The clever part? By September last year, UNC6201 swapped Brickstorm out for something even sneakier called Grimbolt. This new malware is written in C-Sharp and compiles directly to machine code, making it nearly impossible to analyze statically. It's like watching a magician improve their sleight of hand. But the real innovation here is how they're moving through networks. Mandiant observed UNC6201 creating what researchers are calling Ghost NICs—phantom network interface cards on VMware virtual machines. Imagine adding invisible doors to someone's house so you can slip in and out without anyone noticing. They're also deploying something called Slaystyle, which is a web shell, giving them multiple backdoors into victim networks. Now here's the government response. CISA, the NSA, and Canada's Centre for Cyber Security have all jumped in with indicators of compromise and detailed analysis. They're basically saying to anyone running these Dell systems: patch immediately. Dell finally disclosed this on Tuesday after the fact, which tells you how long this vulnerability has been flying under the radar. What's terrifying is that researchers suspect UNC6201 overlaps significantly with UNC5221, also known as Silk Typhoon. These aren't random hackers—these are suspected Chinese government-backed operations focused on long-term espionage and potentially sabotage of critical infrastructure. The kicker? Mandiant estimates there are probably way more victims who don't even know they've been compromised yet. The dwell time in some networks exceeded four hundred days. That's over a year of undetected access to critical US systems. Experts are saying the same thing: patch everything, implement network segmentation, and get endpoint detection and response tools on edge devices. This campaign is a masterclass in patient, persistent espionage. Thanks for tuning in to Digital Dragon Watch. Make sure you subscribe for next week's alert. This has been a Quiet Please production. For more, check out quietplease dot ai. For more http://www.quietplease.ai Get the best deals https://amzn.to/3ODvOt This content was created in partnership and with the help of Artificial Intelligence AI.

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey there, I'm Ting, and welcome back to Digital Dragon Watch. Let me cut right to it because this week's China cyber news is absolutely wild. So picture this: somewhere around mid-2024, a Chinese state-backed group called UNC6201 found a critical vulnerability in Dell RecoverPoint for Virtual Machines and just... kept it secret. For nearly two years. They exploited CVE-2026-22769, which is basically a hardcoded administrator password that Dell pulled from Apache Tomcat. It's a perfect ten on the severity scale, and these guys have been using it to burrow into dozens of US organizations without anyone noticing. Here's where it gets spicy. Google's Mandiant team discovered these attackers deployed something called Brickstorm, a nasty backdoor that sits on appliances without traditional security tools. The clever part? By September last year, UNC6201 swapped Brickstorm out for something even sneakier called Grimbolt. This new malware is written in C-Sharp and compiles directly to machine code, making it nearly impossible to analyze statically. It's like watching a magician improve their sleight of hand. But the real innovation here is how they're moving through networks. Mandiant observed UNC6201 creating what researchers are calling Ghost NICs—phantom network interface cards on VMware virtual machines. Imagine adding invisible doors to someone's house so you can slip in and out without anyone noticing. They're also deploying something called Slaystyle, which is a web shell, giving them multiple backdoors into victim networks. Now here's the government response. CISA, the NSA, and Canada's Centre for Cyber Security have all jumped in with indicators of compromise and detailed analysis. They're basically saying to anyone running these Dell systems: patch immediately. Dell finally disclosed this on Tuesday after the fact, which tells you how long this vulnerability has been flying under the radar. What's terrifying is that researchers suspect UNC6201 overlaps significantly with UNC5221, also known as Silk Typhoon. These aren't random hackers—these are suspected Chinese government-backed operations focused on long-term espionage and potentially sabotage of critical infrastructure. The kicker? Mandiant estimates there are probably way more victims who don't even know they've been compromised yet. The dwell time in some networks exceeded four hundred days. That's over a year of undetected access to critical US systems. Experts are saying the same thing: patch everything, implement network segmentation, and get endpoint detection and response tools on edge devices. This campaign is a masterclass in patient, persistent espionage. Thanks for tuning in to Digital Dragon Watch. Make sure you subscribe for next week's alert. This has been a Quiet Please production. For more, check out quietplease dot ai. For more http://www.quietplease.ai Get the best deals https://amzn.to/3ODvOt This content was created in partnership and with the help of Artificial Intelligence AI.

NOW PLAYING

Chinese Hackers Lurked in US Systems for 400 Days Using a Secret Dell Backdoor Nobody Knew About

0:00 4:04

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

No similar episodes found.

No similar podcasts found.

Frequently Asked Questions

How long is this episode of Digital Dragon Watch: Weekly China Cyber Alert?

This episode is 4 minutes long.

When was this Digital Dragon Watch: Weekly China Cyber Alert episode published?

This episode was published on February 18, 2026.

What is this episode about?

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey there, I'm Ting, and welcome back to Digital Dragon Watch. Let me cut right to it because this week's China cyber news is absolutely wild. So picture this: somewhere around...

Can I download this Digital Dragon Watch: Weekly China Cyber Alert episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!