By AGONY | 19 Feb 2026 | Asia

Inside the Bolt: How Chinese Hackers Turned a Dell Flaw into a Silent Digital Siege

Subtitle: A hardcoded password in Dell’s backup software opened the door for advanced state-linked hackers and their stealthy GrimBolt malware.

On an ordinary morning in mid-2024, IT teams at global enterprises unknowingly found themselves vulnerable to a silent break-in. The culprit: a forgotten password, hardwired deep inside their trusted Dell RecoverPoint backup systems. What followed was not just a routine cyberattack, but a calculated infiltration by a China-linked group wielding a new digital weapon - GrimBolt - designed to seize the very systems meant to rescue companies in crisis.

Fast Facts

  • Critical Flaw Exposed: Dell RecoverPoint for Virtual Machines harbored a hardcoded admin password, labeled CVE-2026-22769.
  • China-Linked UNC6201: Hackers exploited the flaw, gaining total control over backup systems since at least mid-2024.
  • GrimBolt Malware: A new, stealthy backdoor deployed to maintain persistent, undetected access.
  • Disaster Recovery at Risk: Attackers targeted the very tools organizations rely on to recover from cyber disasters.
  • Patch Urgently Required: Dell urges immediate updates to version 6.0.3.1 HF1 or newer; the flaw scores a maximum risk rating of 10.0.

The Anatomy of a Silent Takeover

The breach began with a single, unchangeable credential - an oversight by developers that handed attackers the keys to the kingdom. According to Google’s Threat Intelligence Group and Mandiant, the China-linked UNC6201 group used these credentials to slip into organizations’ disaster recovery systems, often the last line of defense in a crisis. Inside, they moved laterally, sometimes using techniques like “Ghost NICs” to mask their tracks and avoid detection.

Their goal was not quick theft, but long-term access. In September 2025, investigators noticed a shift: the attackers deployed GrimBolt, a custom backdoor engineered for speed and stealth. By modifying the backup appliance’s startup scripts, GrimBolt ensured it would survive reboots and remain ready for future operations - an almost invisible digital parasite.

Experts warn that this isn’t just an attack on data, but on organizational resilience itself. “Compromising resilience infrastructure is not opportunistic - it’s strategic,” said Shane Barney, CISO at Keeper Security. By controlling backup and recovery systems, attackers can dictate which data is restored after an incident - or sabotage recovery entirely. As Mayuresh Dani of Qualys noted, the attackers “understand modern VMware DR architectures and know how to live in them quietly.”

The root cause? A simple, all-too-human mistake: hardcoded credentials left in production software, a shortcut intended for testing that was never removed. Jeremiah Clark of Fenix24 points out that such oversights are often overlooked amid development pressures, but their consequences can be catastrophic.

What Now?

Dell’s emergency advisory urges all organizations to update their RecoverPoint software immediately. For those unable to patch right away, a security script offers temporary protection. Above all, experts stress the importance of keeping such critical systems isolated from the public internet and closely monitored.

The Bigger Picture

This incident is a stark reminder: in cybersecurity, the smallest oversight can open the largest doors. As attackers grow more patient and strategic, resilience infrastructure itself is now a prime target. For defenders, vigilance must extend beyond the perimeter - all the way to the code beneath their most trusted systems.

WIKICROOK

  • Hardcoded credentials: Hardcoded credentials are usernames or passwords embedded in software code, posing a major security risk if discovered by attackers or unauthorized users.
  • Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
  • Lateral movement: Lateral movement is when attackers, after breaching a network, move sideways to access more systems or sensitive data, expanding their control and reach.
  • Disaster recovery (DR): Disaster recovery (DR) involves strategies and tools to restore IT systems and data after disruptions, such as cyberattacks, ensuring business continuity and minimal downtime.
  • Risk score: A risk score quantifies the severity of a security vulnerability, helping organizations prioritize and address the most critical threats to their systems.
