UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell
Essential information
Description
Chinese state-sponsored threat actor UNC5174 has launched a new campaign using SNOWLIGHT malware and VShell, a Remote Access Trojan. The campaign targets Linux systems, employing domain squatting for phishing and social engineering. SNOWLIGHT acts as a dropper for VShell, which resides in memory as a fileless payload. The attackers use WebSockets for command and control communication, enhancing stealth. UNC5174's motivations include espionage and access brokering. The campaign has been active since November 2024, demonstrating sophisticated techniques such as memory manipulation and defense evasion. This development highlights the threat actor's expanding arsenal and continued support for Chinese government operations.