UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell
April 16, 2025, 6:22 p.m.
Description
Chinese state-sponsored threat actor UNC5174 has launched a new campaign using SNOWLIGHT malware and VShell, a Remote Access Trojan. The campaign targets Linux systems, employing domain squatting for phishing and social engineering. SNOWLIGHT acts as a dropper for VShell, which resides in memory as a fileless payload. The attackers use WebSockets for command and control communication, enhancing stealth. UNC5174's motivations include espionage and access brokering. The campaign has been active since November 2024, demonstrating sophisticated techniques such as memory manipulation and defense evasion. This development highlights the threat actor's expanding arsenal and continued support for Chinese government operations.
Date
- Created: April 16, 2025, 2:51 p.m.
- Published: April 16, 2025, 2:51 p.m.
- Modified: April 16, 2025, 6:22 p.m.
Indicators
Additional Information
- Technology
- Healthcare
- Energy
- Defense
- Government
- Canada
- United Kingdom of Great Britain and Northern Ireland
- United States of America