A Chinese state-sponsored threat group known as “UNC5174” has been observed using advanced techniques and open source software to target victims in a stealthy manner.
Cloud security firm Sysdig released new research highlighting UNC5174’s latest campaign, which began in late January. The group utilized a modified version of its “Snowlight” malware and a new open source tool called “VShell,” comparable to the widely known Cobalt Strike penetration testing framework.
Alessandra Rizzo, a threat detection engineer at Sysdig, emphasized the strategic benefits of using tools like VShell in her analysis.
“In the ‘2024 Global Threat Year-in-Review,’ we noted a rise in the use of open source tools by threat actors due to their cost-effectiveness and the ability to mask attribution. These tools help adversaries blend in with non-state actors and less sophisticated hackers, making them harder to track,” Rizzo explained. “This approach appears to be a defining characteristic of UNC5174, which has operated quietly over the past year despite ties to the Chinese government.”
Rizzo said that while such tactics are frequently associated with Chinese actors, they’re part of a broader global trend of using open source software and “living off the land” (LOTL) methods.
The Chinese UNC5174 Attack Strategy
Identified previously by Mandiant, UNC5174 is thought to be a Chinese government contractor focusing on Western targets, including the U.S., U.K., and Canada. According to Rizzo, their targets include “research institutions, government bodies, think tanks, and tech companies.”
“UNC5174 also strikes NGOs in the Asia-Pacific and businesses within energy, defense, and healthcare critical infrastructure sectors,” she noted.
The group’s tools include Snowlight—first profiled by Mandiant—a Sliver-based implant used for remote access, and VShell, an open source backdoor that enables remote control of infected systems.
VShell stands out due to its fileless nature. Rizzo pointed out that “the malicious code runs entirely in memory, avoiding the disk and complicating traditional antivirus detection.”
The group typically initiates attacks by gaining access, dropping Snowlight and Sliver, and then deploying VShell as a secondary command-and-control (C2) channel.
Snowlight serves multiple roles in these attacks. “It demonstrates detailed knowledge of Linux internals, persistence, and evasion techniques,” Rizzo wrote.
Another noteworthy element is the use of WebSockets for C2 communications. Though more complex to implement, researchers believe WebSockets were chosen for stealth and because they enable encrypted, real-time data transfers to compromised devices.
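The two defender-relevant observations above, that VShell runs entirely in memory without a file on disk, and that it opens its own C2 channel, translate directly into a host hunting check. The following script is an added example written for this article, not Sysdig's tooling or any of its published YARA or Falco rules. On Linux, a process started from a memfd_create() buffer shows an /proc/&lt;pid&gt;/exe target of the form "/memfd:name (deleted)", and a binary unlinked after execution shows a path ending in " (deleted)"; either means there is no file for an antivirus scanner to read. The sample process records and remote endpoints are constructed for the demonstration; the live collector only reads exe links and command lines and leaves socket attribution (which needs /proc/&lt;pid&gt;/fd to /proc/net/tcp inode matching) to the reader.

```python
"""Hunt for fileless processes on Linux and rank those holding outbound connections.

Added example for the UNC5174/VShell article. It is not code from Sysdig
or from the malware authors; it illustrates the in-memory execution pattern
the article describes and how a defender can enumerate it.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# memfd_create()-backed executables resolve to "/memfd:<name> (deleted)"
MEMFD_RE = re.compile(r"^/memfd:")
# an ELF unlinked after exec keeps running; its exe link ends in " (deleted)"
DELETED_RE = re.compile(r" \(deleted\)$")


@dataclass
class ProcessRecord:
    pid: int
    exe: str                      # resolved target of /proc/<pid>/exe
    cmdline: str
    # (remote_ip, remote_port) pairs for ESTABLISHED sockets owned by the pid
    remote_endpoints: List[Tuple[str, int]] = field(default_factory=list)


def is_fileless(exe: str) -> bool:
    """True when the executable has no on-disk file left to scan."""
    return bool(MEMFD_RE.search(exe) or DELETED_RE.search(exe))


def classify(rec: ProcessRecord) -> List[str]:
    """Return the reasons a record is suspicious; empty list means benign."""
    reasons: List[str] = []
    if is_fileless(rec.exe):
        reasons.append("fileless-exe")
        # a memory-only binary that also talks out is the C2-channel shape
        if rec.remote_endpoints:
            reasons.append("outbound-c2-candidate")
    return reasons


def find_suspicious(records: List[ProcessRecord]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every record that trips at least one check."""
    result: Dict[int, List[str]] = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            result[rec.pid] = reasons
    return result


def snapshot_live() -> List[ProcessRecord]:
    """Collect exe/cmdline for every readable pid under /proc (Linux only).

    Socket attribution is intentionally left empty here; a full collector
    would match /proc/<pid>/fd socket inodes against /proc/net/tcp{,6}.
    """
    records: List[ProcessRecord] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\x00", b" ").decode(errors="replace").strip()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # kernel threads, exited pids, or processes we may not inspect
        records.append(ProcessRecord(pid, exe, cmdline))
    return records


def sample_records() -> List[ProcessRecord]:
    """Constructed records (not from any real host) exercising each branch."""
    return [
        ProcessRecord(1234, "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D"),
        ProcessRecord(4321, "/memfd:loader (deleted)", "/tmp/x",
                      remote_endpoints=[("198.51.100.23", 443)]),   # TEST-NET-2 address
        ProcessRecord(777, "/tmp/.cache (deleted)", "/tmp/.cache"),
    ]


if __name__ == "__main__":
    hits = find_suspicious(sample_records())
    for pid, reasons in sorted(hits.items()):
        print(f"pid {pid}: {', '.join(reasons)}")
    # On a Linux host, replace sample_records() with snapshot_live() to hunt for real.
```

Run it as-is to see the constructed hits; swap in snapshot_live() on a Linux host to enumerate real processes. A legitimate reason for a " (deleted)" exe is a package upgrade that replaced a binary while the old one kept running, so treat "fileless-exe" alone as a lead and the combined outbound-connection case as the one to triage first.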
What Defenders Should Know
Sysdig’s research warns that UNC5174’s use of Snowlight and VShell reflects a “higher level of technical capability.”
In her findings, Rizzo noted, “The absence of prior public reporting on VShell usage by this actor is significant, especially since the campaign dates back to at least November 2024. We believe UNC5174 will continue expanding its toolkit, maintaining stealth, and targeting entities in key nations on behalf of the Chinese government.”
To support defenders, Sysdig has provided YARA rules, Falco configurations, and indicators of compromise.
Sysdig cybersecurity strategist Crystal Morin told Dark Reading that publicizing this campaign is critical because the threat actor remains active.
“They’ve done a great job staying hidden, which makes this extremely troubling,” she said. “Our goal is to alert defenders and help them start identifying signs of VShell.”