UNC5174, a suspected Chinese state-sponsored threat actor, has resurfaced in a stealthy espionage campaign targeting Linux systems across research institutions, government agencies, NGOs, and critical infrastructure sectors in Western and APAC countries. The campaign, active since at least November 2024, leverages a custom dropper dubbed SNOWLIGHT to deploy VShell, a fileless Remote Access Trojan (RAT) executed entirely in memory. The actors use phishing, domain impersonation (e.g., spoofed Cloudflare and Telegram domains), and new C2 infrastructure to evade detection and establish persistent access for espionage or access brokerage.
The attack chain begins with a malicious bash script that downloads two payloads: SNOWLIGHT and a Sliver implant. SNOWLIGHT loads VShell into memory using memfd_create and executes it via fexecve, masquerading as a kernel process. VShell then communicates with its C2 via WebSocket over HTTPS, allowing real-time, encrypted remote access. Sliver implants provide fallback persistence and additional C2 capabilities using protocols like mTLS and WireGuard.
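The memfd_create/fexecve pattern leaves a host artefact that defenders can check for: the process has no file on disk, so its /proc/&lt;pid&gt;/exe link resolves to an anonymous "/memfd:&lt;name&gt; (deleted)" path, while genuine kernel threads have no readable exe link at all. The following detection sketch is an added example, not code from the report or from any vendor tooling; the process-name patterns, severity tiers and sample process table are constructed assumptions, and the memfd name portion is attacker-chosen, so the match key is the "/memfd:" prefix, not the name.

```python
"""Flag Linux processes executed from a memfd (memfd_create + fexecve) and
processes whose name mimics a kernel thread. Added example; assumptions noted inline."""
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# readlink(/proc/<pid>/exe) for a process started via fexecve() on a memfd_create() fd
# resolves to "/memfd:<name> (deleted)". The <name> is chosen by whoever created the fd,
# so only the prefix and the "(deleted)" suffix are trusted here.
MEMFD_EXE_RE = re.compile(r"^/memfd:.*\(deleted\)$")

# Heuristic (assumption): names commonly used by real kernel threads. Real kernel threads
# have no executable, so readlink on their exe link fails; a process that HAS an exe and
# carries one of these names is a user-space process wearing a kernel-thread name.
KERNEL_LIKE_COMM_RE = re.compile(
    r"^\[?(k(worker|softirqd|threadd|swapd|blockd|compactd)|migration|rcu_[a-z_]+|watchdog)(/\S+)?\]?$"
)


@dataclass
class ProcEntry:
    pid: int
    exe: str   # readlink target of /proc/<pid>/exe, "" when unreadable (kernel thread or no permission)
    comm: str  # stripped contents of /proc/<pid>/comm


def is_memfd_exe(exe: str) -> bool:
    """True when the executable is an anonymous in-memory file rather than a path on disk."""
    return bool(MEMFD_EXE_RE.match(exe))


def mimics_kernel_thread(entry: ProcEntry) -> bool:
    """True when a process with a real executable uses a kernel-thread-style name."""
    return bool(entry.exe) and bool(KERNEL_LIKE_COMM_RE.match(entry.comm))


def classify(entry: ProcEntry) -> str:
    """Severity tiers are an assumption of this example: both signals together is the
    strongest indicator, a memfd executable alone is notable, a mimicking name alone is weak."""
    memfd = is_memfd_exe(entry.exe)
    mimic = mimics_kernel_thread(entry)
    if memfd and mimic:
        return "high"
    if memfd:
        return "medium"
    if mimic:
        return "low"
    return "none"


def flag_entries(entries: List[ProcEntry]) -> List[Tuple[int, str, str]]:
    """Return (pid, severity, comm) for every entry that triggers at least one signal."""
    return [(e.pid, classify(e), e.comm) for e in entries if classify(e) != "none"]


def collect_live_proc() -> List[ProcEntry]:
    """Snapshot the real /proc. Reading another user's exe link needs root; unreadable
    links are recorded as "" so they are treated like kernel threads, not as memfd."""
    entries = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited between listdir and read
        entries.append(ProcEntry(pid, exe, comm))
    return entries


# Constructed sample process table (not real telemetry) covering the cases that matter.
SAMPLE = [
    ProcEntry(1, "/usr/lib/systemd/systemd", "systemd"),                 # benign
    ProcEntry(12, "", "kworker/0:1"),                                   # genuine kernel thread
    ProcEntry(4242, "/memfd:kworker (deleted)", "kworker/u8:3"),        # memfd exe + kernel-like name
    ProcEntry(4300, "/memfd: (deleted)", "python3"),                    # memfd exe, ordinary name
    ProcEntry(4400, "/usr/bin/sleep", "[kthreadd]"),                    # on-disk exe, kernel-like name
]

if __name__ == "__main__":
    for pid, severity, comm in flag_entries(SAMPLE):
        print(f"pid={pid} severity={severity} comm={comm}")
```

Run it as-is to see the constructed table triaged, or replace SAMPLE with collect_live_proc() (as root) for a one-shot host check. Some legitimate runtimes also execute from memfd, so treat a "medium" hit as a triage lead to be confirmed against the process's parent, network connections (the report's VShell traffic is WebSocket over HTTPS) and command line, not as a verdict on its own.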