
Chinese hackers use stealthy fileless VShell RAT


Chinese state-backed hacking group UNC5174 has recently resurfaced with a new campaign using a memory-only remote access Trojan that bypasses traditional detection methods. The group had been silent for a year before launching this operation, which deploys VShell, a powerful remote access Trojan, through a modified version of its Snowlight malware.

The use of VShell is significant because it operates completely in memory, evading traditional endpoint security tools that rely on file-based scanning. This tactic makes it challenging to detect the malware, as it never touches the disk and is executed in a way that disguises it as a legitimate kernel process.

The campaign, first detected in January 2025, targets Linux-based systems and begins with a malicious bash script that delivers multiple payloads, including Snowlight and the Sliver post-exploitation toolkit. Snowlight acts as a dropper, loading VShell directly into memory using the Linux syscall memfd_create. The malware disguises itself as a kernel worker thread to avoid detection.

One of the innovative aspects of this campaign is the use of WebSockets for communication, which provides encrypted, real-time communication over HTTPS. This method makes it difficult for firewalls and intrusion detection systems to monitor the traffic, adding another layer of complexity to the operation.

The infrastructure of UNC5174 includes domain names that mimic well-known services like Cloudflare, Google, and Telegram, a tactic known as domain squatting. The group’s C2 servers are hosted on Google Compute Engine virtual machines, further adding to the obfuscation of their activities.

UNC5174 is suspected to be a Chinese government contractor with a history of targeting Western governments, think tanks, and critical infrastructure organizations. The group’s motives seem to revolve around intelligence gathering for the Chinese state and potentially selling access to compromised environments on the dark web.

One striking feature of this campaign is the high degree of customization involved in deploying VShell. The malware is integrated tightly with Snowlight and tailored to UNC5174’s specific tactics, techniques, and procedures. This customization not only reduces the chances of replication by other threat actors but also makes attribution more challenging.

Despite the sophistication of the campaign, security researchers are developing behavioral rules to detect VShell deployments. These rules monitor for memory-only execution, suspicious memory allocations, and specific syscalls typical of fileless malware. This proactive approach helps security teams identify and respond to potential threats before they escalate.
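The two behaviours described above, a payload loaded through memfd_create and a user-space process posing as a kernel worker thread, both leave traces in /proc that a defender can check without any vendor tooling. The following hunting script is an added example written for this article; it is not code from the original report, from UNC5174's tooling, or from any published detection rule set. It assumes standard Linux procfs semantics: a memfd-backed executable shows up as "/memfd:<name> (deleted)" when /proc/<pid>/exe is read, while a genuine kernel thread has an empty /proc/<pid>/cmdline, no readable exe link, and kthreadd (PID 2) as its parent. The process names, PIDs and paths in the sample snapshot are constructed for illustration.

```python
"""Hunt /proc for fileless (memfd-backed) executables and fake kernel threads.

Added example for this article, not the original code of any project.
Assumed Linux facts used as heuristics:
  * readlink(/proc/<pid>/exe) on a memfd_create()-loaded binary returns
    "/memfd:<name> (deleted)".
  * A real kernel thread has an empty cmdline, an unreadable exe link, and
    parent PID 2 (kthreadd) or 0.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Prefixes of common kernel thread names (kworker/0:1, ksoftirqd/3, ...).
KERNEL_THREAD_NAMES = re.compile(
    r"^(kworker/|ksoftirqd/|kthreadd$|rcu_|migration/|kswapd|cpuhp/|kdevtmpfs$)"
)


@dataclass
class ProcSnapshot:
    pid: int
    comm: str            # /proc/<pid>/comm
    exe: Optional[str]   # readlink(/proc/<pid>/exe), or None when it fails
    cmdline: bytes       # raw /proc/<pid>/cmdline (b"" for true kernel threads)
    ppid: int            # parent PID from /proc/<pid>/stat


def classify(p: ProcSnapshot) -> List[str]:
    """Return the list of reasons this process looks suspicious (empty = clean)."""
    reasons: List[str] = []
    if p.exe is not None and p.exe.startswith("/memfd:"):
        reasons.append("executable is memfd-backed (fileless payload)")
    if KERNEL_THREAD_NAMES.match(p.comm):
        # A genuine kernel thread has none of these user-space attributes.
        if p.cmdline or p.exe is not None or p.ppid not in (0, 2):
            reasons.append("kernel-thread name on a user-space process")
    return reasons


def hunt(snapshots: Iterable[ProcSnapshot]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every snapshot that triggers at least one heuristic."""
    return {p.pid: r for p in snapshots if (r := classify(p))}


def read_live(pid: int) -> Optional[ProcSnapshot]:
    """Build a ProcSnapshot from the live /proc tree (None if the process vanished)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/stat") as f:
            stat = f.read()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read()
    except OSError:
        return None
    # comm in /proc/<pid>/stat may contain spaces, so split after the last ')'.
    ppid = int(stat.rsplit(")", 1)[1].split()[1])
    try:
        exe: Optional[str] = os.readlink(f"{base}/exe")
    except OSError:
        exe = None  # kernel threads and zombies have no readable exe link
    return ProcSnapshot(pid, comm, exe, cmdline, ppid)


def scan_live_procfs() -> Dict[int, List[str]]:
    """Walk /proc and return hunt() results for every process."""
    pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    snaps = (s for s in map(read_live, pids) if s is not None)
    return hunt(snaps)


# Constructed sample snapshot: one real kworker, one imposter loaded via memfd,
# one ordinary daemon. These values are illustrative, not observed data.
SAMPLE = [
    ProcSnapshot(1234, "kworker/0:1", None, b"", 2),
    ProcSnapshot(4321, "kworker/u8:3", "/memfd:kworker (deleted)",
                 b"[kworker/u8:3]\x00", 1),
    ProcSnapshot(5555, "sshd", "/usr/sbin/sshd", b"/usr/sbin/sshd\x00-D\x00", 1),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE).items():
        print(f"SAMPLE pid {pid}: " + "; ".join(reasons))
    if os.path.isdir("/proc"):
        for pid, reasons in scan_live_procfs().items():
            print(f"LIVE pid {pid}: " + "; ".join(reasons))
```

On a live host the script only reads /proc, so it can run from an unprivileged account, though processes owned by other users will report exe as None unless run as root; treat such hits as candidates for review alongside network and file-system telemetry rather than as verdicts, since short-lived memfd executables are also used by legitimate loaders.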

The UNC5174 campaign is ongoing, with new indicators of compromise and spoofed domains emerging continuously. Security teams are advised to remain vigilant and monitor for any suspicious activity, anomalous memory usage patterns, and stealthy service installations across Linux environments to mitigate the risks associated with this sophisticated cyber threat.
