{"id":60190,"date":"2026-02-18T00:19:44","date_gmt":"2026-02-18T00:19:44","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/"},"modified":"2026-02-18T00:19:44","modified_gmt":"2026-02-18T00:19:44","slug":"china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/","title":{"rendered":"China-linked snoops have been exploiting Dell 0-day since mid-2024, using &#8216;ghost NICs&#8217; to avoid detection"},"content":{"rendered":"<p>China-linked attackers exploited a maximum-severity hardcoded-credential bug in Dell RecoverPoint for Virtual Machines as a zero-day since at least mid-2024. It&#8217;s all part of a long-running effort to backdoor infected machines for long-term access, according to Google&#8217;s Mandiant incident response team.<\/p>\n<p>The US government and Google first warned about this campaign last year after <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/09\/24\/google_china_spy_report\/\">detecting Brickstorm backdoors<\/a> in dozens of critical US networks.<\/p>\n<p>Dell <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.dell.com\/support\/kbdoc\/en-us\/000426773\/dsa-2026-079\">disclosed and patched<\/a> the critical flaw (CVE-2026-22769) on Tuesday \u2013 but noted that miscreants had found and exploited the bug before it issued a fix.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,dmpu,\" data-sm=\",fluid,mpu,dmpu,\" data-md=\",fluid,mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" target=\"_blank\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>&#8220;We have received a report of limited active exploitation of this vulnerability,&#8221; a Dell spokesperson told <em>The Register<\/em>. &#8220;Customers are urged to immediately implement one of the remediations detailed&#8221; in the advisory.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<\/p><\/div>\n<p>According to Mandiant and the Google Threat Intelligence Group, which also published a security alert on Tuesday about the Dell zero-day, the suspected PRC-linked intruders exploited CVE-2026-22769 to deploy malware including Brickstorm and a separate backdoor tracked as Grimbolt, and in some cases replaced older Brickstorm binaries with Grimbolt, while also creating \u201cGhost NICs\u201d on virtual machines to enable stealthy network pivoting.<\/p>\n<p>&#8220;Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including Slaystyle, Brickstorm, and a novel backdoor tracked as Grimbolt,&#8221; <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc6201-exploiting-dell-recoverpoint-zero-day\">said<\/a> Google threat hunters Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson, Jr, and Rich Reece.<\/p>\n<blockquote class=\"pullquote\" readability=\"7\">\n<p>Because the full scale of this campaign is unknown, we recommend that organizations previously targeted by Brickstorm look out for Grimbolt in their environments<\/p>\n<\/blockquote>\n<p>When asked about the scope of exploitation, Mandiant Consulting manager Reece, who co-authored the report, said Mandiant knows of &#8220;less than a dozen&#8221; organizations affected by CVE-2026-22769. &#8220;But because the full scale of this campaign is unknown, we recommend that organizations previously targeted by Brickstorm look out for Grimbolt in their environments,&#8221; he told <em>The Register<\/em>.<\/p>\n<h3 class=\"crosshead\">New and improved backdoor<\/h3>\n<p>While the earlier versions of the Brickstorm backdoor were written in Go, and later Rust, it appears the attacker replaced these binaries with Grimbolt in September 2025, according to Mandiant.&nbsp;<\/p>\n<p>Grimbolt, written in C#, uses native ahead-of-time (AOT) compilation to translate programming language code into native machine code before the application runs. It&#8217;s also packed with UPX, an executable packer that compresses the native binary files produced by AOT.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,dmpu,\" data-sm=\",fluid,mpu,dmpu,\" data-md=\",fluid,mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>These features make the malware less likely to raise any flags via static analysis, and enhance performance on resource-constrained appliances.<\/p>\n<p>Grimbolt also provides the same remote shell capability and uses the same command and control infrastructure as the earlier Brickstorm malware.<\/p>\n<p>&#8220;UNC6201 established Brickstorm and Grimbolt persistence on the Dell RecoverPoint for Virtual Machines by modifying a legitimate shell script named convert_hosts.sh to include the path to the backdoor,&#8221; the Googlers reported. &#8220;This shell script is executed by the appliance at boot time via rc.local.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" id=\"story_eagle_xsm_sm_md_xmd_lg_xlg\" data-pos=\"mid\" data-raptor=\"eagle\" data-xsm=\",mpu,dmpu,\" data-sm=\",mpu,dmpu,\" data-md=\",mpu,dmpu,\" data-xmd=\",mpu,dmpu,\" data-lg=\",mpu,dmpu,\" data-xlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>Plus, they note, the IR team discovered the Dell zero-day while investigating a victim&#8217;s environment that had been backdoored by Brickstorm and Grimbolt.&nbsp;<\/p>\n<p>Security analysts spotted &#8220;multiple web requests&#8221; to vulnerable appliances using the username &#8220;admin&#8221; and directed to the installed Apache Tomcat Manager.&nbsp;<\/p>\n<p>Dell RecoverPoint for Virtual Machines uses Apache Tomcat as its web server, and the security sleuths soon discovered that the attackers had been exploiting a hardcoded password in Apache Tomcat to then deploy a malicious WAR file containing a Slaystyle web shell.<\/p>\n<p>&#8220;This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence.&#8221;<\/p>\n<p>Additionally, after abusing the bug to exploit the Dell appliances, UNC6201 then created &#8220;ghost NICs&#8221; \u2013 hidden, temporary network ports on existing virtual machines running on an ESXi server \u2013 to burrow deeper into victims&#8217; VMware virtual infrastructure.<\/p>\n<p>VMware did not immediately respond to <em>The Register<\/em>&#8216;s inquiries.<\/p>\n<p>The US Cybersecurity and Infrastructure Security Agency and CrowdStrike <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/12\/04\/prc_spies_brickstorm_cisa\/\">both previously warned<\/a> that Chinese attackers were targeting organizations&#8217; VMware environments and using Brickstorm for persistent access.<\/p>\n<p>&#8220;State-sponsored actors are not just infiltrating networks,&#8221; CISA&#8217;s Nick Andersen, executive assistant director for cybersecurity, said in December. &#8220;They&#8217;re embedding themselves to enable long term access, disruption, and potential sabotage.&#8221; \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2026\/02\/18\/dell_0day_brickstorm_campaign\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Full scale of infections remains &#8216;unknown&#8217; China-linked attackers exploited a maximum-severity hardcoded-credential bug in Dell RecoverPoint for Virtual Machines as a zero-day since at least mid-2024. It&#8217;s all part of a long-running effort to backdoor infected machines for long-term access, according to Google&#8217;s Mandiant incident response team.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-60190","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>China-linked snoops have been exploiting Dell 0-day since mid-2024, using &#039;ghost NICs&#039; to avoid detection 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"China-linked snoops have been exploiting Dell 0-day since mid-2024, using &#039;ghost NICs&#039; to avoid detection 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-18T00:19:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"China-linked snoops have been exploiting Dell 0-day since mid-2024, using &#8216;ghost NICs&#8217; to avoid detection\",\"datePublished\":\"2026-02-18T00:19:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/\"},\"wordCount\":730,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/\",\"name\":\"China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2026-02-18T00:19:44+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"China-linked snoops have been exploiting Dell 0-day since mid-2024, using &#8216;ghost NICs&#8217; to avoid detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/","og_locale":"en_US","og_type":"article","og_title":"China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-02-18T00:19:44+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"China-linked snoops have been exploiting Dell 0-day since mid-2024, using &#8216;ghost NICs&#8217; to avoid detection","datePublished":"2026-02-18T00:19:44+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/"},"wordCount":730,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/","url":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/","name":"China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2026-02-18T00:19:44+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aZVFseu8u7GE0W3jRm_aawAAAYU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/china-linked-snoops-have-been-exploiting-dell-0-day-since-mid-2024-using-ghost-nics-to-avoid-detection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"China-linked snoops have been exploiting Dell 0-day since mid-2024, using &#8216;ghost NICs&#8217; to avoid detection"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60190"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60190\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}