TL;DR: A zero-day in Dell RecoverPoint for Virtual Machines was reportedly exploited since mid-2024 by Chinese-linked attackers, with Mandiant saying fewer than a dozen organisations are known to be affected and dwell time often exceeding a year, according to Swarmnetics. The case shows how low-visibility infrastructure and delayed detection extend the time attackers have to extract secrets and entrench access.
At a glance
What this is: Swarmnetics reports that a Dell RecoverPoint zero-day was exploited for months before discovery, with attackers using it to stay hidden, move quietly, and extract secrets.
Why it matters: For IAM and NHI teams, the key issue is that long dwell time turns exposed credentials, service access, and backup infrastructure into persistent compromise paths, not one-off events.
By the numbers:
- The 2024 State of Secrets Management Survey found that 88% of security professionals are concerned about secrets sprawl, with 49% of those in larger organisations described as "very concerned".
👉 Read Swarmnetics' analysis of the Dell RecoverPoint zero-day and Grimbolt activity
Context
Zero-day exploitation in infrastructure software matters because defenders often discover the problem only after attackers have already used it for persistence and quiet access. In this case, the security issue is not just the vulnerability itself but the long exposure window that allowed secret extraction and deeper network movement.
For identity and access programmes, this is a reminder that credentials, tokens, and backup-adjacent systems can become part of the attack path even when they are not the initial target. Low-visibility systems frequently fall between endpoint, IAM, and platform ownership, which makes them attractive to long-dwell operators.
Key questions
Q: What breaks when a zero-day gives attackers long-term access to recovery infrastructure?
A: The main failure is that recovery and replication systems often sit outside normal detection and identity review workflows, so attackers can harvest secrets and maintain access for months. Once that happens, patching the original vulnerability no longer removes the damage. Teams need to assume the foothold may already have been converted into credential exposure and persistence.
Q: Why are low-visibility systems such a problem for secrets governance?
A: Low-visibility systems can sit close to highly privileged service credentials while receiving less monitoring than endpoints or cloud workloads. That creates a gap where attackers can exploit the platform, extract secrets, and move laterally before defenders notice. Secrets governance fails when the systems capable of revealing credentials are not treated as governed assets.
Q: What do teams get wrong about patching after a stealthy intrusion?
A: They often treat patching as the end of the incident, when the harder problem is removing any persistence, stolen secrets, and hidden access paths already established. If a backdoor has been swapped in or the attacker has harvested credentials, patching the CVE only closes one door. Validation must include hunting for follow-on tooling and credential abuse.
Q: Who is accountable when secrets are exposed through compromised infrastructure software?
A: Accountability usually spans infrastructure owners, identity teams, and incident responders because the risk crosses software patching, credential governance, and detection coverage. Frameworks such as NIST CSF and NIST SP 800-53 expect clear ownership for protection, monitoring, and remediation. If no team owns the exposed secrets, the incident will be repeated in another form.
Technical breakdown
Why low-visibility systems become footholds for credential theft
Systems that sit outside routine endpoint telemetry often lack the monitoring depth needed to spot exploit activity early. Attackers use that gap to establish a foothold, then wait for opportunities to inspect configuration, harvest secrets, or identify adjacent trust relationships. When the target is infrastructure that supports recovery or replication, compromise can provide broad operational reach without triggering the same alerts as user-endpoint intrusion. The important technical point is that visibility, not just patch status, determines how long exploitation can continue unseen.
Practical implication: treat backup, replication, and recovery platforms as monitored assets with explicit detection coverage, not as maintenance systems outside normal security controls.
How backdoors sustain long dwell time after initial exploitation
A backdoor extends a successful exploit by giving the operator repeatable access without reusing the original vulnerability every time. More advanced backdoors can change code paths, alter signatures, or blend into expected administrative traffic, which makes conventional detection weaker. That persistence matters because the attacker can keep returning to collect secrets, map internal systems, and shift access laterally. The mechanism is less about speed and more about staying quiet long enough to convert one access point into durable operational presence.
Practical implication: build detections around unusual administrative behaviour, code drift, and post-exploit persistence patterns, not only around the initial CVE.
Why secrets extraction becomes the real prize in prolonged compromise
Once attackers have stable access, they can prioritise secrets because tokens, service credentials, and backup-adjacent keys often unlock more than a single system. Those credentials may reveal internal APIs, replication paths, or privileged service relationships that are not protected by user-centric controls. In identity terms, the compromise turns machine trust into a lateral movement mechanism. That is why long dwell time is so damaging: it allows attackers to convert an infrastructure vulnerability into broad access across NHI and operational systems.
Practical implication: map high-value secrets to the systems that can expose them and shorten their validity, scope, and reach wherever possible.
Threat narrative
Attacker objective: The attackers appear to be using the zero-day to maintain stealthy access, extract secrets, and preserve long-term espionage positioning inside targeted environments.
- Entry occurs through exploitation of a long-unpatched zero-day in Dell RecoverPoint for Virtual Machines, giving the attackers a low-visibility foothold in infrastructure software.
- Escalation follows as the operators maintain access over a long period, replace earlier tooling with a more difficult-to-detect backdoor, and move quietly through the environment to identify secrets.
- Impact is achieved when harvested secrets and persistent access support deeper intrusion, broader operational compromise, and extended espionage value across victim infrastructure.
Breaches seen in the wild
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack — reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Long dwell time is the control failure, not just late patching. This incident shows that patch management alone does not solve exposure when a vulnerability can sit undetected for months in low-visibility infrastructure. The governance gap is the absence of continuous monitoring around systems that can expose secrets or support recovery. Practitioners should treat sustained invisibility as a primary risk indicator, not a secondary symptom.
Secret extraction is the operational payoff of infrastructure compromise. Once attackers gain access to a recovery or replication platform, they may be closer to service credentials, API keys, and internal trust paths than defenders realise. That makes this more than a vulnerability story and more than a malware story. The real governance issue is whether identity-owned secrets are still protected when the platform that stores or exposes them is outside normal control coverage.
Low-visibility platforms need identity-grade oversight. Backup and recovery systems often sit between infrastructure teams and identity teams, which creates blind spots in ownership and detection. When those systems can reveal machine credentials, they should be governed like NHI-adjacent assets with explicit lifecycle, logging, and revocation requirements. Practitioners should close the ownership gap before attackers use it as an access bridge.
Grimbolt reflects the shift from simple persistence to adaptive persistence. A backdoor that changes after deployment is harder to match with static signatures and easier to keep alive under noisy conditions. That means defenders need behavioural detection, drift monitoring, and post-compromise validation rather than reliance on one-time remediation. The lesson is to design for persistence hunting, not just vulnerability closure.
Named concept: secret-exposure dwell window. This breach pattern combines delayed discovery, long-lived attacker access, and silent secret harvesting in the same environment. The wider the dwell window, the more likely attackers are to convert one foothold into multiple identity compromises. Practitioners should measure how long privileged secrets remain reachable from compromised infrastructure.
From our research:
- 88% of security professionals are concerned about secrets sprawl, with 49% of those in larger organisations described as "very concerned".
- The average time to mitigate a leaked secret is 36 hours, highlighting the operational burden of manual remediation processes.
- Long-lived secrets are the problem, not just detection, which is why automation and lifecycle control matter more than one-off cleanup.
What this signals
Secret-exposure dwell window: when attackers can remain inside low-visibility infrastructure long enough to turn one foothold into repeated credential access, incident response becomes a lifecycle problem rather than a patching problem. That means IAM and PAM owners should measure how quickly privileged secrets can be discovered, revoked, and reissued after compromise, not just how fast software is patched.
For practitioners, the signal is clear: recovery platforms, replication systems, and backup tooling need the same governance attention as cloud control planes because they can expose machine identity material. The relevant standards lens is MITRE ATT&CK Enterprise Matrix for the intrusion pattern and NIST SP 800-53 Rev 5 Security and Privacy Controls for monitoring and access control.
A mature programme will also connect incident response with secrets lifecycle management through resources like Guide to the Secret Sprawl Challenge and 52 NHI Breaches Analysis, because the attacker value comes from what the infrastructure can reveal after compromise, not just from the initial exploit.
For practitioners
- Add detection coverage to recovery infrastructure Instrument backup and replication platforms with alerting for unusual administrative sessions, new binaries, and unexpected configuration changes, then route those events into the SOC alongside endpoint telemetry.
- Shorten the reach of exposed secrets Inventory credentials that can be accessed from infrastructure-adjacent systems, reduce their scope, and revoke or rotate them where long validity would let an intruder reuse them after initial exploitation.
- Separate operational recovery access from secret-bearing trust paths Review whether recovery tooling can surface service accounts, tokens, or API keys that should be isolated behind different administrative boundaries and stronger approval checks.
- Hunt for persistence, not just the CVE After remediation, search for post-exploit tooling, code drift, and replacement backdoors in the affected environment, because a patched vulnerability does not remove an established foothold.
- Map identity ownership for low-visibility platforms Assign clear owners for systems that can expose machine identities, and include them in access review, logging, and incident response playbooks rather than leaving them in infrastructure-only workflows.
Key takeaways
- This incident shows that infrastructure zero-days become identity incidents when attackers can extract secrets and preserve access for months.
- The scale signal is dwell time, not just the CVE score, because long-lived compromise gives attackers room to swap tools and deepen access.
- The limiting control is continuous visibility into low-visibility systems, combined with fast secret revocation and post-compromise persistence hunting.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0003 , Persistence; TA0008 , Lateral Movement | The article describes secret harvesting, long dwell time, and quiet movement through infrastructure. |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is central when a zero-day hides inside low-visibility systems. |
| NIST SP 800-53 Rev 5 | SI-4 | System monitoring is needed to detect stealthy backdoors and post-exploit changes. |
| CIS Controls v8 | CIS-8 , Audit Log Management | Audit logging is necessary to spot hidden activity on systems that attackers try to keep quiet. |
Ensure logs from recovery systems are centralised, retained, and reviewed for signs of secret access or tooling replacement.
Key terms
- Zero-day: A vulnerability that is unknown to the vendor or has no broadly available fix when exploitation begins. For managed Apple fleets, the operational challenge is not only remediation speed but also whether the organisation can verify fleet-wide return to trusted state fast enough to matter.
- Dwell Time: Dwell time is the period between an attacker gaining access and defenders detecting or removing them. Shortening dwell time matters because most damage happens while the attacker remains unnoticed. In identity-led environments, reducing dwell time depends on visibility into access paths, privileges, and session behaviour.
- Backdoor Attack: A backdoor attack plants a hidden trigger in the training data so the model behaves normally until the trigger appears. Once activated, the model produces the attacker’s intended output. This is difficult to spot because ordinary validation can pass while the latent behaviour remains embedded.
- Secrets Exposure: Secrets exposure is the accidental or uncontrolled disclosure of credentials such as API keys, tokens, certificates, and service passwords. In NHI programs, it matters because a leaked secret often behaves like a live identity, creating immediate access risk until it is revoked or rotated.
What's in the full analysis
Swarmnetics' full article covers the operational detail this post intentionally leaves for the source:
- Timeline detail on the zero-day exploitation window and the organisations known to be affected.
- Vendor remediation guidance for version 6.0.3.1 HF1 and the extra steps required on older installations.
- Background on the Brickstorm-to-Grimbolt tooling shift and how the backdoor changed after deployment.
- Specific observations from Mandiant and Google Threat Intelligence on the UNC6201 cluster and related activity.
👉 Swarmnetics' full post covers the exploitation timeline, tooling shift, and remediation guidance.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management for practitioners who need a stronger control model. It helps teams connect access, privilege, and lifecycle decisions to the broader security programme.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org