The China-linked threat group, known as UNC5174, is engaging in a new campaign targeting Linux systems using a variant of the SNOWLIGHT malware and an open-source tool named VShell. According to Sysdig researcher Alessandra Rizzo, this shift towards utilizing open-source tools reflects a strategy by threat actors to minimize costs and obfuscate their identity, making it increasingly challenging for analysts to attribute attacks.
Previously documented by Mandiant, UNC5174 exploited vulnerabilities in software like Connectwise ScreenConnect and F5 BIG-IP to deploy SNOWLIGHT, which functions as a downloader fetching a Golang tunneler known as GOHEAVY from a publicly accessible command-and-control framework called SUPERSHELL. The attacks also include the usage of GOREVERSE, a reverse shell backdoor designed in Golang that operates over Secure Shell (SSH).
France’s National Agency for the Security of Information Systems (ANSSI) reported observing tactics from UNC5174 that mirror those used in exploiting Ivanti security flaws. The agency stated that these intrusions typically rely on readily available open-source intrusion tools, noting that the threats remain sophisticated even though they do not require complex or expensive tooling.
Both SNOWLIGHT and VShell can also impact macOS systems and have been distributed in attacks using methods such as a fake Cloudflare authentication app. In a specific attack observed by Sysdig in January 2025, SNOWLIGHT acted as a dropper for VShell, a remote access trojan (RAT) favored by Chinese-speaking cybercriminals. The operators delivered the malware through a bash script that deployed binaries associated with both SNOWLIGHT and a tool called Sliver, establishing persistence and communication with the command-and-control server.
The endgame for such attacks is the deployment of VShell, allowing attackers to maintain remote control over compromised systems, which highlights the stealth and advanced methodologies employed by this threat group.
Recent insights also reveal attacks that methodically exploit security flaws in Ivanti products to gain initial access, demonstrating a pattern observed across multiple sectors in numerous countries, including the United States and European nations.
The findings coincide with accusations from China against the U.S. National Security Agency (NSA), claiming sophisticated cyber assaults during international events like the Asian Winter Games, further escalating tensions surrounding state-sponsored cyber activities.