UNC6201

Also known as: UNC6201

UNC6201 is a sophisticated Chinese state-sponsored hacking group that exploited CVE-2026–22769, a critical vulnerability in Dell RecoverPoint for Virtual Machines appliances, to establish a persistent presence. They deployed a permanent backdoor using techniques like Single Packet Authorization and “Port Knocking.” Unlike typical hackers who conceal their activities within the Operating System, UNC6201 operated at the Virtualization Layer to avoid detection.

🌍 Country China

Introduction

UNC6201 is a sophisticated Chinese state-sponsored hacking group that exploited CVE-2026–22769, a critical vulnerability in Dell RecoverPoint for Virtual Machines appliances, to establish a persistent presence. They deployed a permanent backdoor using techniques like Single Packet Authorization and “Port Knocking.” Unlike typical hackers who conceal their activities within the Operating System, UNC6201 operated at the Virtualization Layer to avoid detection.

Activities and Tactics

Country of Origin: 🇨🇳 China

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Backdoor.Oldrea
  • Hacking Team UEFI Rootkit
  • Xploit

Attribution and Evidence

Country of Origin: China Additional attribution information pending cataloguing.

References

References pending cataloguing.