Unpatchable? How Chinese Hackers Hid in Dell VMs for 2 Years Using "Magic Packets" Imagine locking your front door with the most expensive, heavy-duty biometric lock money can buy. You feel safe. But …

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

CVE-2026-22769 (CVSS 10.0) exposes a critical flaw in Dell RecoverPoint for Virtual Machines appliances, exploited by Chinese state-sponsored group UNC6201 for nearly two years. The attack chain begins with hardcoded Apache Tomcat credentials, enabling deployment of the SLAYSTYLE web shell for root access. Attackers then pivot to advanced persistence techniques: 'Ghost NICs' (hot-plugged virtual network adapters bridged to separate VLANs to bypass firewalls) and 'Magic Packets' (Single Packet Authorization via iptables manipulation to hide backdoor ports from scanners). A new backdoor, GRIMBOLT, written in C# with Native AOT compilation, evades EDR tools by eliminating the JIT translation layer that security tools typically inspect. IOCs, remediation steps, and behavioral hunting queries are provided for defenders.