Chinese state-sponsored threat group UNC5174 has reemerged with a technically advanced cyber-espionage campaign, integrating a new open source tool (VShell) and deploying a revamped command and control (C2) infrastructure.
The Sysdig Threat Research Team first identified this activity in late January 2025, uncovering a malicious bash script used to download a series of payloads designed for persistence and in-memory execution, a hallmark of modern fileless malware campaigns.
Technical Overview and Toolset Evolution
UNC5174, previously known for weaponizing the open source reverse shell tool SUPERSHELL, now leverages VShell, a recently developed RAT (Remote Access Trojan) notable for its flexibility and reputation in Chinese cybercriminal forums.
VShell’s developer is a native Chinese speaker, and community chatter on underground channels considers it “even better” than Cobalt Strike.
Its integration indicates a shift by Chinese APTs toward using open source tools for both cost efficiency and plausible deniability, further complicating attribution efforts.
At the heart of this campaign is the SNOWLIGHT malware, previously linked to attacks on F5 devices and spotlighted in France’s 2025 Cyber Threat Overview.
In this operation, SNOWLIGHT acts as a dropper on Linux systems, delivering the VShell payload entirely in memory: the dropper creates an anonymous file with the memfd_create syscall, writes the ELF into it, and executes it from that file descriptor.
The payload never touches the filesystem, which defeats file-based scanning and hash lookups, but the anonymous file is not invisible: the kernel still exposes it through /proc, where the process's exe symlink and any open fd symlinks resolve to a path of the form /memfd:<name> (deleted). That is where detection should focus.
The bash loader checks user privileges, strategically plants binaries for persistence, and abuses system cron and service configuration for re-execution.
Complementing this, UNC5174 employs additional payloads, notably the “system_worker” binary, identified as a Sliver implant, and “dnsloger,” the SNOWLIGHT malware itself, both engineered for deep system integration and C2 communication.
These components exhibit advanced techniques such as process masquerading (e.g., [kworker/0:2]), code obfuscation using tools like Gobfuscate and UPX, and robust defense evasion mechanisms.
Advanced C2 Infrastructure and Tactics
The UNC5174 group has built an elaborate C2 architecture that leans heavily on typosquatted domains.
Recent C2 domains include gooogleasia[.]com and sex666vr[.]com, with subdomains spoofing trusted brands like Cloudflare, Telegram, and Microsoft Online, facilitating phishing and social engineering activities.
Notably, SNOWLIGHT and VShell use WebSocket-based C2 channels on port 8443 (a port conventionally associated with HTTPS, although the VShell downloader URL listed below is plain HTTP) to enable low-latency, real-time remote control and payload delivery, a less common and more evasive method than typical HTTP/S beaconing.
Sliver implants were also observed communicating with subdomains over mTLS, WireGuard, and HTTPS, all standard Sliver transports, which spreads the group's C2 traffic across several encrypted protocols and gives defenders no single channel to block.
Domain infrastructure frequently shifts between cloud and virtual hosting providers, with several domains resolving to Google Compute Engine instances in Hong Kong.
Sysdig and Falco provide updated detection rules to identify in-memory execution of fileless ELF binaries, large anomalous memory allocations, and suspicious activity involving the memfd_create and fexecve syscalls.
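The syscall-level rules above catch the moment of execution. A complementary host check, added here as an example that is not part of the Sysdig report or Falco rule set, walks /proc after the fact and flags any process whose exe or open file descriptors resolve to a memfd, which is exactly how a VShell payload launched through memfd_create and fexecve appears to the kernel. The fake /proc tree, process names and memfd names below are constructed for the demonstration; the `__main__` section additionally reproduces the technique on a live Linux host by executing /bin/sleep from a memfd and catching it with the same scanner.

```python
"""Find processes running from an anonymous memfd (fileless ELF execution).

A loader that calls memfd_create(2), writes an ELF into the descriptor and
executes it with fexecve(3) leaves the binary off disk, but the kernel still
reports the backing file through /proc: /proc/<pid>/exe and open
/proc/<pid>/fd/* entries point at "/memfd:<name> (deleted)".
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass

# Link targets for memfd-backed files look like "/memfd:payload (deleted)".
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


@dataclass
class MemfdHit:
    pid: int
    comm: str
    source: str   # "exe" or "fd/<n>"
    target: str


def memfd_name(link_target):
    """Return the memfd name (possibly empty) if the target is a memfd, else None."""
    m = MEMFD_RE.match(link_target)
    return m.group("name") if m else None


def scan_proc(proc_root="/proc"):
    """Walk a /proc-style tree and report every exe or fd that lives in a memfd."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid, pdir = int(entry), os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pdir, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            comm = "?"
        # exe is the file the process was exec'd from; genuine kernel threads
        # (the ones a "[kworker/0:2]" masquerade imitates) have no exe target.
        try:
            exe = os.readlink(os.path.join(pdir, "exe"))
            if memfd_name(exe) is not None:
                hits.append(MemfdHit(pid, comm, "exe", exe))
        except OSError:
            pass
        fd_dir = os.path.join(pdir, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue   # not our process and not root
        for fd in fds:
            try:
                tgt = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if memfd_name(tgt) is not None:
                hits.append(MemfdHit(pid, comm, f"fd/{fd}", tgt))
    return hits


def build_fake_proc():
    """Constructed /proc lookalike (sample data, not from a real host)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")

    def mk(pid, comm, exe, fds):
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        os.symlink(exe, os.path.join(d, "exe"))
        for n, tgt in fds.items():
            os.symlink(tgt, os.path.join(d, "fd", str(n)))

    # Benign daemon backed by an on-disk binary: no hit expected.
    mk(1234, "sshd", "/usr/sbin/sshd", {0: "/dev/null", 3: "socket:[4242]"})
    # Userland process masquerading as a kernel worker, exec'd from a memfd
    # that it also still holds open: two hits expected (exe and fd/4).
    mk(4321, "kworker/0:2", "/memfd: (deleted)", {0: "/dev/null", 4: "/memfd: (deleted)"})
    return root


if __name__ == "__main__":
    for h in scan_proc(build_fake_proc()):
        print(f"[fake] pid={h.pid} comm={h.comm} {h.source} -> {h.target}")
    # Live reproduction of the technique (Linux only): exec /bin/sleep from a
    # memfd, then catch the child with the same scanner on the real /proc.
    if hasattr(os, "memfd_create"):
        with open("/bin/sleep", "rb") as f:
            payload = f.read()
        pid = os.fork()
        if pid == 0:
            fd = os.memfd_create("demo")
            os.write(fd, payload)
            os.fexecve(fd, ["sleep", "3"], os.environ)
        time.sleep(0.5)   # give the child time to exec
        try:
            for h in scan_proc("/proc"):
                if h.pid == pid:
                    print(f"[live] pid={h.pid} comm={h.comm} {h.source} -> {h.target}")
        finally:
            os.waitpid(pid, 0)
```

Run it as root to see other users' processes; without root, /proc/<pid>/exe and /proc/<pid>/fd of foreign processes return EACCES and are skipped. A memfd used only as a staging buffer and closed after exec will no longer show up under fd/, but the exe link survives for the lifetime of the process, so that is the more reliable of the two signals.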
Meanwhile, the targeted organizations (primarily research, technology, critical infrastructure, and NGOs in the US, UK, Canada, and the Asia-Pacific region) face elevated risk from this campaign's stealthy and persistent methods.
Key indicators identified in this campaign include:
IoC Type | Value | Note |
---|---|---|
Domain | vs[.]gooogleasia[.]com | VShell Console C2 |
Domain | gooogleasia[.]com, sex666vr[.]com | Core C2 Domains |
IP Address | 34[.]96[.]239[.]183, 8[.]219[.]171[.]47 | C2 Hosting |
SHA256 | e6db3de3a21debce119b16697ea2de5376f685567b284ef2dee32feb8d2d44f8 | SNOWLIGHT |
SHA256 | 8d88944149ea1477bd7ba0a07be3a4371ba958d4a47b783f7c10cbe08c5e7d38 | VShell (fileless) |
SHA256 | 21ccb25887eae8b17349cefc04394dc3ad75c289768d7ba61f51d228b4c964db | Sliver Implant |
URL | http://vs[.]gooogleasia[.]com:8443/?a=l64&h=vs.gooogleasia.com&t=ws_&p=8443 | VShell Downloader |
This campaign's technical sophistication, evidenced by custom tooling, fileless payloads, and dynamic C2 infrastructure, signals an escalation in UNC5174's capabilities and intent.
The group is expected to continue supporting espionage and access-brokering for the Chinese government, underscoring the urgent need for vigilant detection and robust response measures.