A sophisticated Chinese state-sponsored hacking group, known as UNC5174, has launched a new campaign utilizing both custom and open-source tools to infiltrate Linux systems, according to cybersecurity researchers at Sysdig.
The group combines SNOWLIGHT, a specialized malware variant, with VShell, an open-source Remote Access Trojan (RAT) popular among Chinese cybercriminals. This hybrid approach allows the hackers to deploy fileless malware and maintain persistent access to compromised systems.
The attack sequence begins with a malicious bash script that installs two key components: "dnsloger" (associated with SNOWLIGHT) and "system_worker" (linked to the Sliver framework). These components establish persistence and create communication channels with command-and-control servers.
UNC5174's strategic shift toward using publicly available tools represents a calculated effort to blend in with ordinary cybercriminal activity, making attribution more challenging. The group employs WebSocket protocols for encrypted communications, effectively masking their malicious traffic.
While the initial access vector remains unknown, researchers discovered command-and-control domains suggesting the use of typosquatted websites and phishing tactics. The French Cybersecurity Agency ANSSI has also observed UNC5174 exploiting vulnerabilities in Ivanti's Cloud Service Appliance products.
The group's activities have impacted multiple sectors across nearly 20 countries, including Australia, France, Japan, the United Kingdom, and the United States. Their targets typically include Western governments, technology companies, research institutions, and think tanks.
This campaign highlights an emerging trend where state-sponsored actors increasingly adopt open-source tools instead of custom-built solutions, potentially indicating a shift in advanced persistent threat (APT) tactics.