UNC5174 Deploys SNOWLIGHT Malware in Linux and macOS Attacks

A threat group believed to be linked to China's state-sponsored cyber operations, tracked as UNC5174, has launched a stealthy and technically capable campaign against Linux and macOS environments.

According to new research published by Sysdig, the group is utilizing a revised form of the SNOWLIGHT malware in combination with an open-source remote access tool named VShell.

Open Source Weapons in Modern Espionage

Security analysts at Sysdig noted that UNC5174 is deliberately relying on open-source utilities to conceal its operations and reduce development overhead. By blending in with independent hackers and lower-tier cybercriminals who use the same tooling, the group makes direct attribution considerably harder.

This approach allows them to operate within a broader, noisier ecosystem, making them harder to identify and track. The report also points out that UNC5174 had not been active publicly for over a year before this campaign resurfaced.

Attack Flow and Malware Deployment

The campaign begins with the execution of a script referred to as download_backd.sh. This script drops two key components: a modified SNOWLIGHT variant (dnsloger) and a binary associated with the Sliver post-exploitation framework (system_worker). Together they establish persistent access and a channel to the attackers' command-and-control (C2) server.

SNOWLIGHT then fetches VShell, a memory-resident trojan, from the attackers' infrastructure and executes it directly in memory. Because the payload is never written to disk, file-based scanning and many traditional detection mechanisms never see it. Once active, VShell lets the operators run system commands, transfer files, and maintain long-term access over covert communication channels such as WebSockets.
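The two traits the attack flow above gives a defender to work with are the dropped component names (dnsloger, system_worker, download_backd.sh) and the fact that VShell runs without a backing file on disk. The following script, an added example that is not code from Sysdig or from the article, turns those into a quick host-side triage: on Linux a process whose executable was loaded straight from memory shows up in /proc/<pid>/exe as "/memfd:<name> (deleted)", and a binary deleted after launch shows up as "<path> (deleted)". The sample process table is constructed for illustration and is not real telemetry; the file-name list is an assumption drawn only from the names the article reports.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Component names the article attributes to this campaign. Assumption: these are
# weak indicators, since an operator can rename a dropped binary at will.
CAMPAIGN_FILENAMES = {"dnsloger", "system_worker", "download_backd.sh"}


@dataclass
class Proc:
    pid: int
    exe: str      # what os.readlink("/proc/<pid>/exe") returns
    cmdline: str  # /proc/<pid>/cmdline with NUL separators replaced by spaces


def is_fileless(exe: str) -> bool:
    """True when the process image is not backed by a file on disk.

    An ELF executed from an anonymous memory file appears as
    '/memfd:<name> (deleted)'; a binary unlinked after launch appears as
    '<path> (deleted)'. Both are worth a look on a server.
    """
    return exe.startswith("/memfd:") or exe.endswith(" (deleted)")


def campaign_name(exe: str, cmdline: str) -> Optional[str]:
    """Return the first campaign file name seen in the image path or argv."""
    candidates = [exe.split(" (deleted)")[0]] + cmdline.split()
    for token in candidates:
        base = os.path.basename(token)
        if base in CAMPAIGN_FILENAMES:
            return base
    return None


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Flag processes that are fileless or carry a known component name."""
    findings = []
    for p in procs:
        if is_fileless(p.exe):
            findings.append((p.pid, f"fileless image: {p.exe}"))
        name = campaign_name(p.exe, p.cmdline)
        if name:
            findings.append((p.pid, f"campaign filename: {name}"))
    return findings


def snapshot() -> List[Proc]:
    """Collect the same fields from a live Linux host (read access to /proc)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # process exited, or not ours to inspect without root
        procs.append(Proc(pid, exe, cmdline))
    return procs


# Constructed sample process table: a few benign entries plus one of each
# pattern the article describes. Not captured from a real host.
SAMPLE = [
    Proc(1, "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(812, "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D"),
    Proc(2311, "/usr/bin/dnsloger", "/usr/bin/dnsloger"),
    Proc(2312, "/memfd:vshell (deleted)", "/memfd:vshell"),
    Proc(2320, "/usr/bin/bash", "bash /tmp/download_backd.sh"),
]

if __name__ == "__main__":
    # Run against the sample; swap in snapshot() to inspect the local host.
    for pid, reason in triage(SAMPLE):
        print(f"pid {pid}: {reason}")
```

Treat a hit as a lead rather than a verdict: the file names are trivially changed, and a few legitimate tools also execute from memfd, so confirm by checking the process's network connections and parent chain before acting.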

Cross-Platform Threat: macOS Also Targeted

Although the operation primarily targets Linux environments, the evidence indicates the same malware suite can also compromise macOS systems, making this a cross-platform operation.

One example includes a version of VShell that was disguised as a Cloudflare-branded authentication application. This malicious build was uploaded to VirusTotal from China in late 2024, indicating the campaign’s broader targeting strategy and social engineering components.

UNC5174, also referred to in some reports as Uteus or Uetus, has a history of exploiting vulnerabilities in widely used software. Past campaigns documented by Mandiant, a Google-owned cybersecurity firm, targeted flaws in ConnectWise ScreenConnect and F5 BIG-IP. Those operations also used SNOWLIGHT to retrieve additional malware such as GOHEAVY, a Golang-based tunneling tool, and GOREVERSE, an SSH-based reverse shell utility.

France’s national cybersecurity agency ANSSI has highlighted a similar pattern in a separate set of intrusions exploiting vulnerabilities in Ivanti’s Cloud Service Appliance. CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190 were reportedly chained with intrusion tactics comparable to those seen in UNC5174 operations. ANSSI also noted the frequent use of publicly available hacking tools, including rootkits, as a defining trait of these campaigns.

More Activities of Chinese Hackers Detected in the Wild

TeamT5, a Taiwan-based cybersecurity research company, independently disclosed activity resembling UNC5174’s methods. According to their findings, attackers exploited Ivanti vulnerabilities to distribute a new strain of malware called SPAWNCHIMERA. These incidents affected targets across nearly 20 countries, including the U.S., U.K., Japan, Singapore, and the Netherlands, highlighting the broad international footprint of these cyber operations.

This campaign surfaces while tension between China and the United States over cyber operations continues to build. In April 2025, Chinese authorities accused the U.S. National Security Agency (NSA) of conducting mass cyber intrusions during the February 2025 Asian Winter Games in Harbin. According to China’s National Computer Virus Emergency Response Center (CVERC), over 170,000 attacks were attributed to the U.S. during a 20-day window, with additional incursions traced to other nations including Germany, South Korea, and Singapore.

Chinese officials expressed strong condemnation, claiming the attacks endangered key infrastructure sectors such as finance, defense, and public communications. The Foreign Ministry warned that the intrusions also risked compromising the personal data of Chinese citizens and the integrity of national systems.

Conclusive Thoughts

Sysdig’s researchers stress that this case underscores how advanced threat actors increasingly lean on open-source tools to mask their affiliations. Frameworks like VShell and Sliver are freely available and widely used, so even a custom implant such as SNOWLIGHT can be wrapped in tooling that looks like ordinary cybercriminal activity. The result is a highly evasive threat that blends stealth, flexibility, and plausible deniability.

Milena Dimitrova