Mandiant, Palo Alto Unit 42, and Rapid7 have documented a tactical convergence of Chinese malware designed for long-term persistence across telecommunications backbones, military networks, and VMware/Dell edge appliances.
Chinese APTs: Ghost NICs, GRIMBOLT, and Evolved BPFdoor Target Critical Infrastructure

On February 18, 2026, Mandiant (Google Cloud), Palo Alto Networks Unit 42, and Rapid7 released convergent analyses detailing Chinese malware and backdoors engineered for long-term persistence. While the findings do not confirm a single coordinated operation, they document a tactical shift toward deep persistence within critical infrastructure. Targets include telecommunications backbones, Southeast Asian military networks, and VMware/Dell edge appliances. Documented techniques range from runtime machine code compilation to hidden virtual network interfaces and kernel-level packet filtering.

Key Takeaways
  • UNC6201 has exploited a zero-day vulnerability in Dell RecoverPoint since 2024; the initial access vector has not been determined with certainty. GRIMBOLT compiles into machine code immediately before execution to evade static analysis.
  • Mandiant documented "Ghost NICs"—hidden virtual network interface cards in VMware environments—and the use of iptables for Single Packet Authorization (SPA) as stealthy network pivoting channels.
  • CL-STA-1087 deployed AppleChris and MemFun within military networks. AppleChris utilizes dynamic C2 resolution, while MemFun is a modular in-memory backdoor using reflective DLL loading via a loader disguised as "GoogleUpdate.exe."
  • Rapid7 detected evolved BPFdoor variants featuring a hidden trigger at the 26th-byte offset of legitimate HTTPS traffic, combining kernel-level filtering with ICMP control signals.
  • Definitive attribution to a specific APT group is not confirmed for the Rapid7 telecommunications cluster; "notable overlaps" exist between UNC6201 and UNC5221, but the two have not been confirmed to be the same group.

GRIMBOLT and Runtime Compilation Architecture

Mandiant’s disclosure focuses on the UNC6201 cluster, which operates with a suspected nexus to the PRC and has exploited a zero-day vulnerability in Dell RecoverPoint appliances since 2024. The initial access vector remains unconfirmed. This exploitation enabled the deployment of GRIMBOLT, a backdoor whose architecture bypasses the core assumptions of automated static analysis.

GRIMBOLT is not distributed as a precompiled executable; instead, the code is transformed directly into machine code immediately before execution. This mechanism, documented by Mandiant, reduces the detection surface for static analysis engines that scan standard compiled files and optimizes performance on resource-constrained devices—a critical feature for targeting edge appliances.

Persistence is stabilized through high-precision technical maneuvers. Operators created "Ghost NICs"—virtual network interface cards hidden within VMware infrastructure—to facilitate network pivoting that avoids triggering standard topology controls. They also implemented Single Packet Authorization (SPA) via iptables. These cryptographically authenticated single packets open communication ports only upon valid transmission, rendering the C2 channel indistinguishable from background network noise for monitoring systems based on volume or patterns.

"Beyond the Dell appliance exploitation, Mandiant observed the actor employing novel tactics to pivot into VMware virtual infrastructure, including the creation of 'Ghost NICs' [i.e., Network Interface Cards] for stealthy network pivoting and the use of iptables for Single Packet Authorization (SPA)" — Mandiant/Google GTIG researchers

AppleChris and MemFun: In-Memory Persistence in Military Networks

Palo Alto Networks Unit 42 documented the activities of CL-STA-1087, a Chinese APT active in Southeast Asian military networks, involving the deployment of two backdoors designed for prolonged resilience. AppleChris establishes and maintains covert access on compromised Windows systems, communicating with C2 infrastructure via dynamic resolution techniques that render domain blocking ineffective; the command server changes its address in response to operator-controlled DNS queries.

Documented capabilities of AppleChris include remote command execution, file enumeration, and persistent monitoring of the compromised host. MemFun, a complementary modular backdoor, operates entirely in memory. It utilizes reflective DLL loading to execute functional modules without writing artifacts to disk, employing a loader disguised as "GoogleUpdate.exe" to exploit semantic legitimacy and avoid heuristic flagging.

Unit 42 also identified Getpass, a credential harvesting tool. The source does not say whether Getpass is a modified Mimikatz variant tuned for automated extraction from lsass.exe, and it gives no further detail on the tool's internal architecture.

Evolved BPFdoor: Hidden Triggers in HTTPS Traffic

Rapid7 detected evolved variants of BPFdoor—a backdoor known since 2021—within telecommunications backbone infrastructure. These new variants implement a sophisticated activation mechanism: attackers pad HTTPS requests so that a specific marker lands exactly at the 26th-byte offset of the data structure inspected by the kernel filter. This precision allows the trigger to remain hidden within seemingly legitimate encrypted flows that pass through firewalls and proxies without recognizable application-layer anomalies.

The documented capabilities of these variants include HTTPS triggers, proxy-aware command delivery, ICMP control signals, and kernel-level packet filtering via the Berkeley Packet Filter (BPF). Rapid7 explicitly described the resulting architecture as a "persistent access layer designed not simply to breach networks, but to inhabit them."

Definitive attribution to a specific APT group has not been confirmed for Rapid7’s telecommunications cluster. The source does not specify operational links between this cluster and UNC6201 or CL-STA-1087.

Remediation and Response

These convergent findings necessitate specific actions across three documented fronts. For Dell RecoverPoint appliances, the source does not specify available patches for the CVE-2026-22769 zero-day; organizations utilizing these assets must verify remediation status directly with the vendor.

In VMware environments, detecting "Ghost NICs" requires network configuration audits that compare active virtual interfaces against authorized inventories, rather than relying on automated topology checks. Monitoring iptables on edge appliances must include a search for undocumented rules managing SPA.
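An audit helper for the two checks just described, added here as an example and not taken from Mandiant's report or any vendor tool: it diffs observed VMware virtual NICs against an authorized inventory (keyed on VM name and MAC) and diffs `iptables-save` output against a documented baseline, flagging undocumented rules that use match modules typical of knock/SPA gating. VM names, MACs and rules are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VNic:
    vm: str
    mac: str
    network: str   # port group the virtual NIC is attached to

def find_unauthorized_nics(observed, inventory):
    """Observed vNICs whose (vm, mac) pair is missing from the authorized
    inventory. Keying on MAC rather than the NIC label catches interfaces
    added out of band that never reached the CMDB."""
    known = {(n.vm, n.mac.lower()) for n in inventory}
    return [n for n in observed if (n.vm, n.mac.lower()) not in known]

# Match modules that let a single packet or knock sequence open a port;
# an undocumented rule using one of them is triaged first.
KNOCK_MODULES = ("-m recent", "-m string", "--hex-string", "-m u32")

def undocumented_rules(iptables_save_text, baseline_rules):
    """Rules in `iptables-save` output that are absent from the approved
    baseline, each paired with a flag for knock/SPA-style match modules."""
    base = {r.strip() for r in baseline_rules}
    findings = []
    for line in iptables_save_text.splitlines():
        line = line.strip()
        if line.startswith("-A") and line not in base:
            findings.append((line, any(m in line for m in KNOCK_MODULES)))
    return findings

# Constructed sample data: hypothetical VM name, MACs and rules.
SAMPLE_OBSERVED = [
    VNic("vm-db01", "00:50:56:aa:bb:cc", "prod-pg"),
    VNic("vm-db01", "00:50:56:de:ad:01", "mgmt-pg"),  # absent from inventory
]
SAMPLE_INVENTORY = [VNic("vm-db01", "00:50:56:AA:BB:CC", "prod-pg")]
SAMPLE_IPTABLES = """\
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 62201 -m string --hex-string "|aa55|" --algo bm -j ACCEPT
-A INPUT -p tcp --dport 8443 -m recent --rcheck --name knock --seconds 30 -j ACCEPT
COMMIT
"""
SAMPLE_BASELINE = SAMPLE_IPTABLES.splitlines()[1:3]   # the two documented rules

def run_audit():
    """Run both checks over the sample data and return the findings."""
    return {"ghost_nics": find_unauthorized_nics(SAMPLE_OBSERVED, SAMPLE_INVENTORY),
            "rules": undocumented_rules(SAMPLE_IPTABLES, SAMPLE_BASELINE)}
```

On a real appliance, feed `undocumented_rules` the output of `iptables-save` and the baseline kept in change control; the vNIC list comes from the vCenter API or PowerCLI export, the inventory from the CMDB.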

For Windows networks, the presence of loaders with semantically legitimate names like "GoogleUpdate.exe" requires the verification of digital signatures and execution paths, rather than just filenames. Detecting MemFun necessitates behavioral in-memory monitoring, given the total absence of on-disk artifacts.

For HTTPS traffic in telecommunications backbones, detecting the BPFdoor trigger at the 26th-byte offset requires the inspection of kernel-level data structures rather than application content analysis, as the flows appear legitimate at the TLS level.
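A host-side hunt to complement the traffic-level inspection described above, added here as an example and not taken from Rapid7's report: it assumes the implant attaches its classic BPF filter to an AF_PACKET socket (the behaviour of previously analysed BPFdoor samples; the page itself does not name the socket type) and lists which processes hold such sockets on a Linux host, the same view `ss -0pb` gives together with the filter bytecode. The `/proc/net/packet` sample and its inodes are constructed.

```python
import os
# Constructed sample of /proc/net/packet (hypothetical inodes), used by the test.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      18421
0000000000000000 3      3    0800   0     1 0      0      18902
"""

def parse_packet_inodes(text):
    """Inodes of open AF_PACKET sockets from /proc/net/packet content;
    the inode is the last column of every data row after the header."""
    inodes = set()
    for line in text.splitlines()[1:]:
        cols = line.split()
        if cols and cols[-1].isdigit():
            inodes.add(int(cols[-1]))
    return inodes

def socket_owners(inodes, proc="/proc"):
    """Map inode -> (pid, comm, exe) by walking /proc/<pid>/fd symlinks, which
    read 'socket:[<inode>]'. Other users' fd tables need root; unreadable or
    vanished processes are skipped rather than aborting the sweep."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc) if os.path.isdir(proc) else []):
        base = os.path.join(proc, pid)
        try:
            links = {os.readlink(os.path.join(base, "fd", fd))
                     for fd in os.listdir(os.path.join(base, "fd"))}
            hits = wanted.keys() & links
            if not hits:
                continue
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))  # ends ' (deleted)' if unlinked
        except OSError:
            continue
        for h in hits:
            owners[wanted[h]] = (int(pid), comm, exe)
    return owners

def hunt_packet_sockets(proc="/proc"):
    """Every process holding a packet socket. Names are easy to forge, so the
    executable path is reported too; ' (deleted)' or a tmpfs path is a red flag."""
    try:
        with open(os.path.join(proc, "net", "packet")) as fh:
            inodes = parse_packet_inodes(fh.read())
    except OSError:
        return []
    return sorted(socket_owners(inodes, proc).values())
```

Run as root and compare the result with the host's known legitimate packet-socket users (DHCP clients, capture and monitoring agents); anything else holding a packet socket warrants dumping its filter with `ss -0pb` and checking the binary on disk.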

Detection Limits and Tactical Convergence

The three reports share a common pattern: the migration of persistence mechanisms below conventional detection thresholds. GRIMBOLT evades static analysis by eliminating the traditional compilation phase. Ghost NICs and SPA operate beneath standard network monitoring levels. MemFun eliminates disk artifacts entirely, and BPFdoor hides its trigger in kernel data structures inspected before TLS decryption.

While this convergence does not prove a single coordinated operation, it documents that distinct Chinese-linked APT groups have reached similar technical solutions for the same operational challenge: maintaining persistent access in networks where conventional EDR cannot be deployed or is easily evaded. The source does not specify whether GRIMBOLT replaces BRICKSTORM as part of a planned lifecycle or as a reaction to incident response efforts.

The exact geographic scale of the CL-STA-1087 military compromises is not quantified in the sources. Regarding the relationship between UNC6201 and UNC5221/Silk Typhoon, there are "notable overlaps," but it has not been confirmed that they are the same group.

Information has been verified against the cited sources and is current as of the time of publication.

Sources and references
  1. helpnetsecurity.com
  2. cybermagazine.com
  3. securityweek.com
  4. thehackernews.com