The China-linked threat actor tracked as UNC5174 has been linked to a campaign that pairs a modified version of the known SNOWLIGHT malware with VShell, an open-source remote access tool, to target Linux systems. The campaign is a further sign that state-aligned groups, not only financially motivated ones, are folding open-source tooling into their arsenals.
Alessandra Rizzo, a researcher at Sysdig, wrote in a report shared with The Hacker News that the choice is part of a broader strategy: “Threat actors are increasingly using open source tools for cost-effectiveness and obfuscation. This allows them to blend in with non-state-sponsored adversaries, making attribution significantly more challenging.” The concern is sharpened by the fact that UNC5174, reportedly operating on behalf of the Chinese government, has kept a low profile for the past year.
UNC5174, also known as Uteus, was previously documented by Google-owned Mandiant exploiting vulnerabilities in ConnectWise ScreenConnect and F5 BIG-IP. Those intrusions delivered SNOWLIGHT, a C-based ELF downloader, which in turn retrieved GOHEAVY, a Golang tunneler associated with the publicly available SUPERSHELL command-and-control framework. The chain illustrates the group’s habit of layering a custom loader over widely available tooling, which blurs the line between its activity and that of other operators and complicates attribution as much as detection.
Other tools attributed to the group include GOREVERSE, a Golang reverse shell backdoor that operates over Secure Shell (SSH), underscoring its preference for versatile, modular components. In its 2024 Cyber Threat Overview, the French National Agency for the Security of Information Systems (ANSSI) described an intrusion set whose tactics overlap with those of UNC5174, notably the exploitation of Ivanti Cloud Service Appliance (CSA) flaws CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190 to execute commands and take control of affected appliances.
ANSSI characterized the intrusion set as “moderately sophisticated and discreet,” noting its use of open-source intrusion tools and publicly reported rootkit code. The pattern matters for defenders: freely available tooling and published rootkit code let an operator of modest means field capabilities that once required custom development, while leaving fewer unique artifacts to pivot on.
Both SNOWLIGHT and VShell are also reported to be capable of targeting Apple macOS. VShell has additionally been distributed as a fake Cloudflare authenticator application as part of an as-yet-undisclosed attack chain, a sign that the operators are diversifying both their targets and their delivery methods.
In the attack chain Sysdig observed in late January 2025, SNOWLIGHT acts as a dropper for VShell, a fileless payload that runs entirely in memory. VShell is a remote access trojan (RAT) widely used by Chinese-speaking cybercriminals, which is consistent with, but does not by itself establish, the regional origin of the operators. The initial access vector for these intrusions is not known.
What is known is the first observed step: a malicious bash script that deploys two binaries, one associated with SNOWLIGHT and one with Sliver, to establish a foothold and persistence on the host. SNOWLIGHT then handles communication with the command-and-control (C2) server, and VShell is delivered when SNOWLIGHT sends a specialized request to that server, giving the operators interactive control for further exploitation.
Rizzo noted that SNOWLIGHT and VShell together give the attacker arbitrary command execution and file management on compromised systems, and that the use of WebSockets for command and control makes the traffic harder to distinguish from ordinary web activity, complicating detection and response.
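A practitioner reading about a fileless, in-memory payload will want a way to hunt for one. The following is an added example, not code from Sysdig or from the page: it walks a /proc tree and flags processes whose executable or mappings are backed by an anonymous memfd rather than a file on disk. It assumes the payload was loaded with memfd_create(2), the usual Linux fileless-execution primitive, which makes /proc/<pid>/exe resolve to a path of the form "/memfd:<name> (deleted)"; the page does not state which mechanism SNOWLIGHT uses to load VShell, so the check is generic. The fixture it builds (the process names, paths and PIDs) is constructed for offline testing and is not from any real incident.

```python
"""Hunt for fileless (in-memory) ELF payloads on Linux by inspecting /proc.

Added example; assumes memfd_create(2)-style loading, where the process
executable lives only in an anonymous memfd and shows up in
/proc/<pid>/exe and /proc/<pid>/maps as "/memfd:<name> (deleted)".
"""
import os
import tempfile
from pathlib import Path

MEMFD_PREFIX = "/memfd:"


def read_exe_target(proc_dir: Path):
    """Symlink target of /proc/<pid>/exe, or None when unreadable
    (kernel threads have no exe; other users' processes need root)."""
    try:
        return os.readlink(proc_dir / "exe")
    except OSError:
        return None


def mapped_paths(maps_text: str):
    """Backing path of each /proc/<pid>/maps line that has one.

    Line format: address perms offset dev inode [pathname]. Anonymous
    mappings have only five fields and are skipped; a pathname may
    contain spaces (e.g. "... (deleted)"), so split at most five times.
    """
    paths = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6:
            paths.append(fields[5])
    return paths


def inspect_process(proc_dir: Path):
    """Describe one /proc/<pid> entry, or None if nothing memfd-backed."""
    exe = read_exe_target(proc_dir)
    try:
        maps_text = (proc_dir / "maps").read_text()
    except OSError:
        maps_text = ""
    memfd_maps = sorted({p for p in mapped_paths(maps_text) if p.startswith(MEMFD_PREFIX)})
    if not (exe or "").startswith(MEMFD_PREFIX) and not memfd_maps:
        return None
    try:
        raw = (proc_dir / "cmdline").read_bytes()
        cmdline = raw.replace(b"\0", b" ").strip().decode(errors="replace")
    except OSError:
        cmdline = ""
    return {"pid": int(proc_dir.name), "exe": exe, "cmdline": cmdline, "memfd_maps": memfd_maps}


def find_fileless_processes(proc_root="/proc"):
    """Scan every numeric entry under proc_root; return suspicious ones by PID."""
    hits = []
    for entry in Path(proc_root).iterdir():
        if entry.name.isdigit():
            finding = inspect_process(entry)
            if finding:
                hits.append(finding)
    return sorted(hits, key=lambda h: h["pid"])


def _write_fake_process(root: Path, pid: int, exe: str, maps: list, cmdline: str):
    """Constructed /proc/<pid> fixture (exe symlink, maps, cmdline) for offline use."""
    d = root / str(pid)
    d.mkdir()
    os.symlink(exe, d / "exe")  # dangling symlink is fine; readlink still returns it
    lines = []
    for i, path in enumerate(maps):
        base = 0x7F0000000000 + i * 0x10000
        lines.append(f"{base:x}-{base + 0x1000:x} r-xp 00000000 08:01 {1000 + i} {path}")
    lines.append("7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0")  # anonymous stack
    (d / "maps").write_text("\n".join(lines) + "\n")
    (d / "cmdline").write_bytes(cmdline.encode().replace(b" ", b"\0") + b"\0")


def build_sample_proc():
    """Constructed sample tree: one ordinary bash process and one process whose
    executable exists only in an anonymous memfd. Names are hypothetical."""
    root = Path(tempfile.mkdtemp(prefix="fakeproc_"))
    _write_fake_process(root, 1234, "/usr/bin/bash",
                        ["/usr/bin/bash", "/usr/lib/x86_64-linux-gnu/libc.so.6"],
                        "bash -c ./install.sh")
    _write_fake_process(root, 4321, "/memfd:payload (deleted)",
                        ["/memfd:payload (deleted)", "/usr/lib/x86_64-linux-gnu/libc.so.6"],
                        "cache_helper")
    (root / "self").mkdir()  # non-numeric entries such as /proc/self are ignored
    return root


if __name__ == "__main__":
    for hit in find_fileless_processes(build_sample_proc()):
        print(f"pid {hit['pid']}: exe={hit['exe']} cmdline={hit['cmdline']!r} memfd={hit['memfd_maps']}")
```

Run as root against the real /proc by calling find_fileless_processes() with no argument; without root, exe links of other users' processes are unreadable and only the maps check applies to your own processes. A hit is a strong lead rather than proof: some legitimate runtimes and sandboxes also use memfd, so triage the cmdline, parent process and network connections before acting.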
Separately, Taiwanese cybersecurity firm TeamT5 disclosed that a China-nexus hacking group exploited flaws in Ivanti appliances to gain access and deploy the SPAWNCHIMERA malware. Those attacks affected multiple sectors across nearly 20 countries, including Austria, Australia, France, Japan, and the United States.
The findings coincide with allegations from China that the U.S. National Security Agency (NSA) conducted extensive cyber espionage around the Asian Winter Games in February 2025. China’s National Computer Virus Emergency Response Center (CVERC) attributed more than 170,000 cyber attacks during a specific window of the Games to the U.S., adding to tensions over state cyber operations.
Taken together, the reports sketch a landscape of overlapping intrusion sets, shared open-source tooling, and contested attribution. For organizations hardening their defenses, understanding the methods of actors such as UNC5174, including their reuse of commodity tools, will remain central to detecting and responding to their intrusions.