The China-associated threat group UNC5174 has launched a new attack campaign, leveraging a modified version of the SNOWLIGHT malware and an open-source tool named VShell to infiltrate Linux systems.
According to Sysdig researcher Alessandra Rizzo, attackers increasingly rely on open-source tools for cost savings and concealment. This tactic allows them to mimic non-state actors and evade attribution. UNC5174, also known as Uteus or Uetus, has been linked to previous exploits involving ConnectWise ScreenConnect and F5 BIG-IP software. These campaigns delivered SNOWLIGHT, which then retrieved a Golang tunneling tool named GOHEAVY via the SUPERSHELL C2 framework.
The campaign also involved GOREVERSE, a Golang-based reverse shell using SSH. France’s ANSSI noted similar intrusion methods, including the use of rootkits and public tools, in recent exploits of Ivanti CSA vulnerabilities like CVE-2024-8963 and CVE-2024-8190.
Both SNOWLIGHT and VShell are capable of targeting macOS. VShell has been disguised as a fake Cloudflare authenticator, with some samples uploaded to VirusTotal from China in October 2024.
In Sysdig’s January 2025 observation, SNOWLIGHT functioned as a dropper for VShell, a fileless RAT widely used among Chinese-speaking cybercriminals. While the initial access method is unclear, the attack started with a bash script (“download_backd.sh”) that deployed two binaries—dnsloger (SNOWLIGHT) and system_worker (Sliver)—for persistence and C2 communication.
The final payload, VShell, was delivered through a C2 request and enabled full remote access, including file transfer and command execution.
Sysdig warns that SNOWLIGHT and VShell’s stealth and use of WebSockets for C2 make them serious threats.
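As an added defensive illustration (not code from Sysdig or from the article), the script below runs two triage heuristics over a constructed process snapshot: it flags the artifact names the report mentions (download_backd.sh, dnsloger, system_worker) and, because the article describes VShell as fileless without naming the mechanism, it also flags processes whose executable is memory-backed or unlinked from disk. The memfd/deleted-executable check and the sample records are assumptions made for the example, not observations from the campaign.

```python
"""Host triage heuristics for the SNOWLIGHT/VShell chain described above.
Added example, not Sysdig's tooling. Process records are constructed inline."""
import re

# Artifact names taken from the Sysdig report quoted in the article.
REPORTED_NAMES = {"download_backd.sh", "dnsloger", "system_worker"}

# Generic fileless indicators on Linux (assumption: a process whose executable
# is memory-backed or unlinked from disk deserves a look; the article only says
# VShell is "fileless" and does not name the mechanism).
FILELESS_EXE = re.compile(r"^(/memfd:|/dev/shm/)|\(deleted\)$")

# Constructed sample of a /proc-style snapshot: (pid, comm, exe, cmdline).
SAMPLE_PROCESSES = [
    (412, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    (1337, "dnsloger", "/tmp/dnsloger", "/tmp/dnsloger"),
    (1338, "system_worker", "/usr/local/bin/system_worker", "/usr/local/bin/system_worker"),
    (1402, "bash", "/usr/bin/bash", "bash /tmp/download_backd.sh"),
    (1500, "worker", "/memfd:vshell (deleted)", "worker"),
    (1600, "nginx", "/usr/sbin/nginx", "nginx: worker process"),
]


def triage(processes):
    """Return a list of (pid, reason) findings for the given process records."""
    findings = []
    for pid, comm, exe, cmdline in processes:
        # Compare the process name, the executable's basename and every
        # command-line token (reduced to its basename) against reported names.
        tokens = {comm, exe, *cmdline.split()}
        tokens = {t.rsplit("/", 1)[-1] for t in tokens}
        hits = tokens & REPORTED_NAMES
        if hits:
            findings.append((pid, f"reported artifact name: {sorted(hits)[0]}"))
        if FILELESS_EXE.search(exe):
            findings.append((pid, f"fileless executable: {exe}"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_PROCESSES):
        print(f"pid {pid}: {reason}")
```

On a live host the tuples would come from /proc/<pid>/comm, the readlink of /proc/<pid>/exe and /proc/<pid>/cmdline; the name match is brittle by design (an operator can rename binaries), so the fileless check is the more durable of the two signals.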
Meanwhile, TeamT5 reported that a Chinese hacking group exploited Ivanti flaws to deploy SPAWNCHIMERA malware across 20 nations, including the U.S., Japan, UAE, and Taiwan.
China also accused the U.S. NSA of launching cyberattacks during the Asian Winter Games, alleging repeated breaches of national infrastructure and personal data.