UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell
Blog post from Sysdig
UNC5174, a Chinese state-sponsored threat actor, has been identified by the Sysdig Threat Research Team as using a new open-source tool called VShell in its cyber campaigns, which involve sophisticated techniques such as fileless malware and the use of WebSockets for command and control. Previously known for deploying the open-source reverse shell tool SUPERSHELL, UNC5174 now employs VShell, considered superior to the Cobalt Strike framework, to conduct espionage and broker access to compromised environments. The campaign uses SNOWLIGHT malware to drop a fileless VShell payload that operates entirely in memory, making it difficult to detect. UNC5174 targets entities in Western countries, including research institutions, government organizations, and critical infrastructure sectors, and its operations blend with those of non-state-sponsored hackers, complicating attribution. The threat actor's techniques, including phishing, social engineering, and domain squatting, demonstrate advanced capabilities and a focus on remaining under the radar while continuing to support Chinese government objectives.
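The summary's point that an in-memory payload is hard to detect invites a concrete check. The following is an added example, not code from the Sysdig post or from the tooling it describes: on Linux, a process whose executable image was never written to disk typically shows a `/proc/<pid>/exe` link pointing at an anonymous `memfd:` file or at a path marked `(deleted)`. The indicator strings, the constructed `SAMPLE` table, and the `vshell` name in it are assumptions for illustration; they are not indicators taken from the page.

```python
"""Flag running processes whose executable image is not backed by a file on disk.

Added example (not from the original post). Assumption: fileless loaders on
Linux commonly run a payload from an anonymous memfd_create() file or from a
binary unlinked right after exec, both of which surface in /proc/<pid>/exe.
"""
import os
from typing import Iterable, Iterator, List, Tuple


def is_memory_backed(exe_target: str) -> bool:
    """Return True when a /proc/<pid>/exe link target suggests the binary was
    executed from memory rather than from an on-disk file.

    Assumed indicators:
      - "/memfd:<name> (deleted)"      anonymous memfd_create() file
      - any target ending " (deleted)" backing file removed after exec
    """
    if exe_target.startswith("/memfd:"):
        return True
    return exe_target.endswith(" (deleted)")


def classify(entries: Iterable[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Filter (pid, exe_target) pairs down to the suspicious ones."""
    return [(pid, target) for pid, target in entries if is_memory_backed(target)]


def scan_proc(proc_root: str = "/proc") -> Iterator[Tuple[int, str]]:
    """Walk a live procfs and yield (pid, exe_target) for memory-backed processes.

    Entries that cannot be read (kernel threads, processes that exited while
    scanning, or permission denied without root) are skipped silently.
    """
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue
        if is_memory_backed(target):
            yield int(name), target


# Constructed sample of (pid, readlink("/proc/<pid>/exe")) results for offline use.
SAMPLE: List[Tuple[int, str]] = [
    (1, "/usr/lib/systemd/systemd"),
    (1337, "/memfd:vshell (deleted)"),   # hypothetical in-memory payload
    (2048, "/tmp/.x (deleted)"),          # binary unlinked after execution
    (3001, "/usr/bin/python3"),
]


if __name__ == "__main__":
    print("constructed sample:")
    for pid, target in classify(SAMPLE):
        print(f"  pid {pid}: {target}")
    print("live /proc:")
    for pid, target in scan_proc():
        print(f"  pid {pid}: {target}")
```

Run it as root for full coverage, since `/proc/<pid>/exe` is unreadable for other users' processes otherwise. Treat hits as leads rather than verdicts: some legitimate runtimes and sandboxing tools also execute from `memfd:`, so correlate a hit with its parent process, network connections (the summary notes WebSocket-based command and control), and the absence of a package-owned path before escalating.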