Unpatchable? How Chinese Hackers Hid in Dell VMs for 2 Years Using "Magic Packets"
CVE-2026-22769 (CVSS 10.0) exposes a critical flaw in Dell RecoverPoint for Virtual Machines appliances, exploited by Chinese state-sponsored group UNC6201 for nearly two years. The attack chain begins with hardcoded Apache Tomcat credentials, enabling deployment of the SLAYSTYLE web shell for root access. Attackers then pivot to advanced persistence techniques: 'Ghost NICs' (hot-plugged virtual network adapters bridged to separate VLANs to bypass firewalls) and 'Magic Packets' (Single Packet Authorization via iptables manipulation to hide backdoor ports from scanners). A new backdoor, GRIMBOLT, written in C# with Native AOT compilation, evades EDR tools by eliminating the JIT translation layer that security tools typically inspect. IOCs, remediation steps, and behavioral hunting queries are provided for defenders.
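The "Magic Packets" technique described above gates a backdoor port behind an iptables rule that only opens after a specific authorizing packet. As an added defender-side example (not code from the article or from any referenced vendor), the script below scans `iptables-save` output for INPUT rules whose ACCEPT depends on prior traffic or payload contents (`-m recent`, `-m string`, `-m u32`, `-m bpf`), the building blocks of port-knocking and single-packet-authorization gates. The rule set is a constructed sample; the port numbers and the `AUTH` list name are illustrative assumptions, and the heuristic flags candidates for review rather than proving compromise.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables-save` output (not taken from the article):
# a host that drops everything by default but conditionally opens TCP/4444
# after a single "authorizing" UDP packet has been seen (knock / SPA pattern).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 62201 -m string --string "s3cret" --algo bm -m recent --set --name AUTH -j DROP
-A INPUT -p tcp --dport 4444 -m recent --rcheck --seconds 30 --name AUTH -j ACCEPT
-A INPUT -p tcp --dport 4444 -j DROP
COMMIT
"""

# Match modules that make a rule depend on earlier traffic or on payload
# bytes. A plain server firewall rarely needs them on INPUT; a knock/SPA
# gate almost always does.
SUSPICIOUS_MODULES = {"recent", "string", "u32", "bpf"}

MODULE_RE = re.compile(r"-m\s+(\S+)")
DPORT_RE = re.compile(r"--dports?\s+(\S+)")
TARGET_RE = re.compile(r"-j\s+(\S+)")


def find_spa_rules(iptables_save: str) -> List[Dict[str, str]]:
    """Return INPUT rules that use a stateful/payload match module.

    A rule that ACCEPTs under such a condition is the gated opening; a rule
    that merely records state (e.g. `--set`) is the gate-setter. Reporting
    both lets an analyst reconstruct the full knock sequence."""
    findings = []
    for line in iptables_save.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        mods = set(MODULE_RE.findall(line)) & SUSPICIOUS_MODULES
        if not mods:
            continue
        target = TARGET_RE.search(line)
        dport = DPORT_RE.search(line)
        findings.append({
            "modules": ",".join(sorted(mods)),
            "dport": dport.group(1) if dport else "-",
            "target": target.group(1) if target else "-",
            "role": "gated-open" if target and target.group(1) == "ACCEPT" else "gate-setter",
            "rule": line,
        })
    return findings


if __name__ == "__main__":
    for f in find_spa_rules(SAMPLE_RULES):
        print(f"[{f['role']}] port {f['dport']} via -m {f['modules']} -> {f['target']}")
```

Run it against `iptables-save` (or `nft list ruleset` after translation) captured from a suspect appliance; any `gated-open` hit on a port that a normal scan reports as closed deserves a closer look.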