The China-linked threat actor known as UNC5174 has been attributed to a new campaign that leverages a variant of a known malware dubbed SNOWLIGHT and a new open-source tool called VShell to infect Linux systems.
“Threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of non-state-sponsored and often less technical adversaries (e.g., script kiddies), thereby making attribution even more difficult,” Sysdig researcher Alessandra Rizzo said in a report shared with The Hacker News.
“This seems to hold especially true for this particular threat actor, who has been under the radar for the last year since being affiliated with the Chinese government.”
UNC5174, also referred to as Uteus (or Uetus), was previously documented by Google-owned Mandiant as exploiting security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver a C-based ELF downloader named SNOWLIGHT, which is designed to fetch a Golang tunneler dubbed GOHEAVY from infrastructure tied to a publicly available command-and-control (C2) framework known as SUPERSHELL.
Also deployed in the attacks was GOREVERSE, a publicly available reverse shell backdoor written in Golang that operates over Secure Shell (SSH).
The French National Agency for the Security of Information Systems (ANSSI), in its Cyber Threat Overview report for 2024 published last month, said it observed an attacker employing similar tradecraft as that of UNC5174 to weaponize security flaws in Ivanti Cloud Service Appliance (CSA) such as CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190 to gain control and execute arbitrary code.
“Moderately sophisticated and discreet, this intrusion set is characterized by the use of intrusion tools largely available as open source and by the – already publicly reported – use of a rootkit code,” the ANSSI said.
It’s worth noting that both SNOWLIGHT and VShell are capable of targeting Apple macOS systems, with the latter distributed as a fake Cloudflare authenticator application as part of an as-yet-undetermined attack chain, according to an analysis of artifacts uploaded to VirusTotal from China in October 2024.
In the attack chain observed by Sysdig in late January 2025, the SNOWLIGHT malware acts as a dropper for a fileless, in-memory payload called VShell, a remote access trojan (RAT) widely used by Chinese-speaking cybercriminals. The initial access vector used for the attack is presently unknown.
Specifically, the initial access is used to execute a malicious bash script (“download_backd.sh”) that deploys two binaries associated with SNOWLIGHT (dnsloger) and Sliver (system_worker), both of which are used to set up persistence and establish communications with a C2 server.
The final stage of the attack delivers VShell via SNOWLIGHT by means of a specially crafted request to the C2 server, thereby enabling remote control and further post-compromise exploitation.
“[VShell] acts as a RAT (Remote Access Trojan), allowing its abusers to execute arbitrary commands and download or upload files,” Rizzo said. “SNOWLIGHT and VShell pose a significant risk to organizations due to their stealthy and sophisticated techniques,” Sysdig said. “This is evidenced by the employment of WebSockets for command-and-control, as well as the fileless VShell payload.”
The disclosure comes as TeamT5 revealed that a China-nexus hacking group likely exploited security flaws in Ivanti appliances (CVE-2025-0282 and CVE-2025-22457) to gain initial access and deploy the SPAWNCHIMERA malware.
The attacks, the Taiwanese cybersecurity company said, targeted a multitude of sectors spanning nearly 20 different countries such as Austria, Australia, France, Spain, Japan, South Korea, Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States.
The findings also dovetail with accusations from China that the U.S. National Security Agency (NSA) launched “advanced” cyber attacks during the Asian Winter Games in February, pointing fingers at three NSA agents for repeated attacks on China’s critical information infrastructure as well as against Huawei.
According to the National Computer Virus Emergency Response Center (CVERC), the U.S. is alleged to be behind more than 170,000 cyber attacks between January 26 and February 14, 2025, followed by Singapore, the Netherlands, Germany, and South Korea. In all, the Games’ information systems were targeted by 270,167 attacks from abroad.
“At the ninth Asian Winter Games, the U.S. government conducted cyberattacks on the information systems of the Games and the critical information infrastructure in Heilongjiang,” Foreign Ministry Spokesperson Lin Jian said. “This move is egregious for it severely endangers the security of China’s critical information infrastructure, national defense, finance, society, and production as well as its citizens’ personal information.”
