In an alarming development, a China-backed threat actor known as UNC5174 has been observed using stealthy tactics and open-source tools to conduct cyberattacks, evading detection from traditional security systems. This recent campaign, analyzed by Sysdig researchers, highlights a growing trend where state-sponsored attackers adopt open-source tools to blend in with non-state adversaries, making their activities harder to trace. The ongoing campaign, active since late January 2025, is primarily targeting organizations in Western countries, focusing on research institutions, government entities, think tanks, and critical infrastructure sectors.
The Attack and Tools Used
The Chinese state-sponsored group UNC5174 has been making waves in the cyber threat landscape by leveraging open-source tools and stealth techniques. Most notably, the threat actor employed a variant of the “Snowlight” malware, as well as “VShell,” a backdoor tool similar to Cobalt Strike, for remote access and control over compromised systems.
The key component of the attack is the use of fileless malware: the malicious code operates entirely in memory and leaves no trace on the system’s disk, which makes it particularly difficult for traditional file-based scanning systems to detect. The group’s command-and-control (C2) infrastructure relies on WebSockets, an uncommon method that allows real-time, encrypted communication with compromised machines. The use of VShell and Snowlight reflects a sophisticated approach that draws on advanced knowledge of system internals, Linux persistence techniques, and defense evasion strategies.
UNC5174’s targets include a broad range of organizations across the US, UK, Canada, and the Asia-Pacific region. Its malware arsenal is particularly concerning, as it demonstrates a high level of technical expertise. The group is primarily interested in espionage, with a clear focus on political, governmental, and technology organizations, as well as critical infrastructure in sectors like energy, defense, and healthcare.
Sysdig’s research underlines the importance of defending against these types of stealthy, fileless payloads and highlights the use of open-source tools as a cost-effective and obfuscation-friendly strategy for threat actors. The group is likely to continue employing these techniques to evade detection and achieve long-term persistence on compromised systems.
What Undercode Says:
UNC5174’s tactics reflect a growing trend among state-sponsored cyber actors to shift away from traditional malware-based attacks toward more subtle, open-source-based methods. By using tools like VShell, which is freely available and not widely associated with advanced nation-state actors, the group lowers the barriers for detection and attribution. This makes it harder for security teams to differentiate between low-level script kiddies and highly organized state-backed adversaries.
The reliance on VShell, in particular, is indicative of the group’s efforts to adopt a more flexible and less detectable approach to C2 communications. The use of WebSockets as a C2 channel, while less efficient than more traditional methods, serves a strategic purpose by blending the traffic with legitimate communication protocols, further complicating detection.
Moreover, the choice of targeting critical infrastructure and research institutions in multiple regions is a stark reminder of the geopolitical motives behind these cyberattacks. UNC5174’s activities appear to be a direct extension of China’s geopolitical and espionage interests, with the threat actor focused on long-term intelligence gathering rather than immediate disruption.
The research published by Sysdig also offers insights into how defenders can improve detection and response. By focusing on indicators like YARA rules and leveraging platforms like Falco, defenders can enhance their ability to detect subtle, in-memory attacks. But the challenge remains: as threat actors like UNC5174 continue to refine their methods, security measures must adapt in real-time to stay ahead of these sophisticated campaigns.
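The fileless, in-memory execution described above and the detection guidance in this paragraph both come down to the same question for a defender: does a running process have an executable that actually exists on disk? The following Python script is an added example written for this article; it is not Sysdig’s code, not a Falco rule, and not derived from the Snowlight or VShell samples. It reads the two pieces of evidence Linux exposes for free, the `/proc/<pid>/exe` link target and `/proc/<pid>/maps`, and flags processes whose main executable or executable mappings are backed by `memfd_create()` or by an unlinked file. The `/proc` contents embedded in the script are constructed samples with hypothetical paths and inode numbers; `assess_process` and `scan_live_procfs` are names chosen here.

```python
"""Heuristic detector for fileless Linux processes.

Added example for this article, not Sysdig's or Falco's code. It flags
executables and executable mappings that have no on-disk backing, which is
the footprint left by payloads loaded through memfd_create() or run from a
file that was deleted right after launch.
"""
import os
import re
from typing import Dict, List

# One /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]"
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)

# Constructed sample (hypothetical paths/inodes): how a memfd-backed payload
# appears through /proc. The kernel renders such executables as
# "/memfd:<name> (deleted)".
SUSPICIOUS_EXE = "/memfd:payload (deleted)"
SUSPICIOUS_MAPS = """\
00400000-00452000 r-xp 00000000 00:05 12345    /memfd:payload (deleted)
00651000-00652000 r--p 00051000 00:05 12345    /memfd:payload (deleted)
7f3a2c000000-7f3a2c021000 rw-p 00000000 00:00 0
7f3a2c1a0000-7f3a2c35f000 r-xp 00000000 08:01 131135    /usr/lib/x86_64-linux-gnu/libc.so.6
"""

# Constructed sample of an ordinary process for comparison.
BENIGN_EXE = "/usr/bin/sleep"
BENIGN_MAPS = """\
55d0c3a00000-55d0c3a08000 r-xp 00000000 08:01 262175    /usr/bin/sleep
7f3a2c1a0000-7f3a2c35f000 r-xp 00000000 08:01 131135    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0          [stack]
"""


def _has_no_disk_backing(path: str) -> bool:
    """True for paths that point at memory-only or unlinked files."""
    return path.startswith("/memfd:") or path.endswith("(deleted)")


def assess_process(exe_target: str, maps_text: str) -> List[str]:
    """Return the reasons a process looks fileless; an empty list means clean.

    exe_target is the readlink() result of /proc/<pid>/exe and maps_text is
    the content of /proc/<pid>/maps. Purely anonymous executable regions are
    deliberately not flagged: JIT runtimes create them routinely, and they
    would bury the real signal in false positives.
    """
    reasons: List[str] = []
    if exe_target.startswith("/memfd:"):
        reasons.append("main executable is backed by memfd_create(), not a file on disk")
    elif exe_target.endswith("(deleted)"):
        reasons.append("main executable was unlinked from disk after it started")
    for line in maps_text.splitlines():
        match = MAPS_LINE.match(line)
        if not match:
            continue
        perms, path = match.group("perms"), match.group("path").strip()
        if "x" in perms and path and _has_no_disk_backing(path):
            reasons.append(f"executable mapping without on-disk backing: {path}")
    return reasons


def scan_live_procfs() -> Dict[int, List[str]]:
    """Walk /proc on the host and return {pid: reasons} for every flagged process."""
    findings: Dict[int, List[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/maps") as fh:
                maps = fh.read()
        except OSError:
            continue  # kernel threads, processes that just exited, or no privilege
        reasons = assess_process(exe, maps)
        if reasons:
            findings[int(entry)] = reasons
    return findings


if __name__ == "__main__":
    for label, exe, maps in (
        ("constructed memfd sample", SUSPICIOUS_EXE, SUSPICIOUS_MAPS),
        ("constructed benign sample", BENIGN_EXE, BENIGN_MAPS),
    ):
        print(label, "->", assess_process(exe, maps) or "clean")
```

Run it as root on a host to sweep every live process with `scan_live_procfs()`; the constructed samples exercise the logic without touching `/proc`. The check is a heuristic, not a verdict: legitimate software occasionally runs from a deleted file after an in-place package upgrade, so treat a hit as a lead to correlate with the process’s parent, network connections, and start time rather than as a conviction on its own.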
Fact Checker Results
- Accuracy:
- Impact: The analysis accurately captures the growing complexity and stealthiness of UNC5174’s attacks, which reflect broader trends in state-sponsored cyber espionage.
- Scope: The research provides a clear understanding of the threat actor’s tactics, though further investigation into the specific victims and methods would strengthen the assessment.
References:
Reported By: www.darkreading.com