Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool
Summary:
A China-linked threat actor tracked as UNC5174 (also known as Uteus) has been tied to a new campaign targeting Linux systems. The campaign pairs a variant of the actor's SNOWLIGHT malware with VShell, an open-source remote access tool. According to Sysdig researcher Alessandra Rizzo, threat actors increasingly favour open-source tooling because it is cheap, it obscures attribution, and it lets a state-backed group blend in with less sophisticated adversaries. UNC5174, which had kept a low profile for roughly a year, previously exploited vulnerabilities in ConnectWise ScreenConnect and F5 BIG-IP to deliver SNOWLIGHT, a C-based ELF downloader that fetches GOHEAVY, a Golang tunneler, from infrastructure associated with the publicly available SUPERSHELL command-and-control (C2) framework.
In this chain SNOWLIGHT acts as a dropper for VShell, a remote access trojan (RAT) widely used by Chinese-speaking cybercriminals. The initial access vector is unknown; what is observed is a malicious bash script that drops two binaries, SNOWLIGHT and a Sliver implant (Sliver being an open-source C2 framework), which establish persistence and communication with the C2 server. SNOWLIGHT then requests VShell from the C2 server and runs it in memory, so the RAT never exists as a file on disk, giving the operator remote control and a foothold for further post-compromise activity. Both SNOWLIGHT and VShell can also target macOS: VShell was distributed as a fake Cloudflare authenticator application, per artifacts uploaded to VirusTotal in October 2024. The combination of WebSocket-based C2 and a fileless payload makes these tools hard to catch with file-based detection alone.
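Two traits above, a payload that runs from memory rather than from a file on disk, and that process holding a long-lived outbound connection for WebSocket C2, are exactly what a Linux responder can hunt for with nothing more than /proc. The script below is an added worked example, not code from the original article or from Sysdig's report. It reads /proc/<pid>/exe, /proc/<pid>/fd and /proc/net/tcp, assumes a little-endian Linux host, and flags processes whose executable link points at a memfd, an unlinked file or /dev/shm, listing any ESTABLISHED TCP peers those processes hold. The process table and /proc/net/tcp lines embedded in it are constructed sample data, and the memfd/unlinked-exe heuristic is a general fileless-execution indicator, not a claim about how VShell specifically loads.

```python
import os
import re
import socket
import struct

# readlink(/proc/<pid>/exe) targets meaning the running image is not a regular on-disk file.
FILELESS_MARKERS = ("/memfd:", "(deleted)", "/dev/shm/")
TCP_ESTABLISHED = "01"  # value of the 'st' column in /proc/net/tcp


def exe_looks_fileless(exe_link):
    """True if the exe link points at an anonymous (memfd) or unlinked file."""
    return any(marker in exe_link for marker in FILELESS_MARKERS)


def _decode_addr(field):
    """'0A7100CB:01BB' from /proc/net/tcp -> ('203.0.113.10', 443).
    The kernel prints the IPv4 address as a 32-bit word in host byte order,
    so native-order unpacking ('=I') restores the octets on this machine."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(addr_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(lines):
    """Map socket inode -> (local_ip, local_port, remote_ip, remote_port), ESTABLISHED only."""
    conns = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 10 or parts[0] == "sl":  # header or malformed line
            continue
        if parts[3] != TCP_ESTABLISHED:
            continue
        conns[int(parts[9])] = _decode_addr(parts[1]) + _decode_addr(parts[2])
    return conns


def socket_inodes(fd_links):
    """Socket inode numbers from readlink(/proc/<pid>/fd/*) targets."""
    matches = (re.fullmatch(r"socket:\[(\d+)\]", link) for link in fd_links)
    return [int(m.group(1)) for m in matches if m]


def triage(processes, net_tcp_lines):
    """One finding per fileless process: pid, exe link and its ESTABLISHED remote peers.
    processes: pid -> (exe link target, [fd link targets])."""
    conns = parse_proc_net_tcp(net_tcp_lines)
    findings = []
    for pid in sorted(processes):
        exe, fds = processes[pid]
        if not exe_looks_fileless(exe):
            continue
        remotes = [f"{conns[i][2]}:{conns[i][3]}" for i in socket_inodes(fds) if i in conns]
        findings.append({"pid": pid, "exe": exe, "remotes": remotes})
    return findings


def snapshot_proc():
    """Live process table from /proc (run as root to see every user's processes)."""
    procs = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            fds = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:
            continue  # kernel thread, process exited mid-scan, or insufficient privilege
        procs[pid] = (exe, fds)
    return procs


# Constructed sample, not real telemetry: sshd is benign; pid 4321 runs from a memfd and
# talks to 203.0.113.10:443; pid 5555 runs from an unlinked file and holds no socket.
SAMPLE_PROCS = {
    1234: ("/usr/sbin/sshd", ["socket:[100]", "/dev/null"]),
    4321: ("/memfd:payload (deleted)", ["/dev/null", "socket:[200]"]),
    5555: ("/tmp/worker (deleted)", ["/dev/null"]),
}
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 100 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:BCDE 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 200 1 0000000000000000 20 4 30 10 -1
""".splitlines()


def sample_findings():
    """Run the triage over the constructed sample."""
    return triage(SAMPLE_PROCS, SAMPLE_NET_TCP)


if __name__ == "__main__":
    for finding in sample_findings():
        print("sample:", finding)
    with open("/proc/net/tcp") as fh:
        for finding in triage(snapshot_proc(), fh):
            print("live:", finding)
```

Run it as root so every process's exe and fd links are readable. Expect some benign hits: a binary that was upgraded while running also shows "(deleted)", and some runtimes use memfd legitimately, so treat the output as a triage list to verify against package state and expected network peers rather than as a verdict. The inode join is what makes the list useful: a fileless process with no socket is interesting, but one with an established session to an unfamiliar host on 443 is where to start.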
Security Officer Comments:
The activity has been linked to other campaigns that exploited vulnerabilities in Ivanti Cloud Service Appliance (CSA) and mirrors tradecraft seen in intrusions across multiple sectors, with victims in the U.S., U.K., South Korea, and Japan among others. The findings also arrive against a tense geopolitical backdrop, including China's accusations that the U.S. conducted cyberattacks during the Asian Winter Games.
Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: no single control stops an APT. Layer perimeter defenses, network segmentation, endpoint protection, intrusion detection, encryption of data at rest and in transit, strong access controls, and continuous monitoring for anomalies, starting with prompt patching of internet-facing appliances such as the ScreenConnect, BIG-IP, and Ivanti CSA products this actor has exploited for initial access. For this campaign in particular, monitoring should cover shell scripts that download and execute binaries, processes running from memory rather than from a file on disk, and long-lived WebSocket or other outbound connections to unfamiliar hosts.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: preventive controls will sometimes fail, so maintain and rehearse a well-defined incident response plan covering detection, containment, eradication, and recovery, and make sure it extends to the Linux and macOS hosts this campaign targets so that the impact of an APT intrusion is minimized and normal operations are restored quickly.
Source
https://thehackernews.com/2025/04/chinese-hackers-target-linux-systems.html