A new cyber campaign linked to Chinese threat actor UNC5174 is targeting Linux systems using a combination of SNOWLIGHT malware and a remote access trojan called VShell, reports The Hacker News. Researchers note that this operation relies heavily on open-source tools, which help threat actors lower costs and complicate attribution. UNC5174, previously tied to attacks involving ConnectWise and F5 vulnerabilities, now appears to be broadening its tactics to deploy fileless payloads and establish long-term access via custom bash scripts and reverse shell tools.

The attack chain, uncovered by Sysdig in early 2025, starts with an unknown entry point and progresses through a malicious script designed to plant SNOWLIGHT binaries. These components help initiate communication with a command-and-control server and trigger the download of VShell. Once active, the RAT enables remote execution and file transfer, all while leveraging stealthy methods such as WebSockets and in-memory payload delivery to bypass detection.

Additional reports from the French ANSSI and TeamT5 reinforce the scope of UNC5174’s operations, pointing to a pattern of exploiting known vulnerabilities in appliances from Ivanti and other vendors. The group’s tactics include deploying other open-source malware such as GOHEAVY and GOREVERSE, maintaining a low profile while executing targeted campaigns across multiple geographies and sectors. The targeting includes industries across Europe, Asia, and the U.S., with a focus on exploiting unpatched systems for initial access.