Full Report
UNC5174, a suspected Chinese state-sponsored threat actor, has resurfaced in a stealthy espionage campaign targeting Linux systems across research institutions, government agencies, NGOs, and critical infrastructure sectors in Western and APAC countries. The campaign, active s...
Analysis Summary
# Threat Actor: UNC5174
## Attribution & Identity
* **Attribution:** Suspected Chinese state-sponsored threat actor.
* **Aliases & Groups:** UNC5174.
## Activity Summary
* **Recent Campaign:** Resurfaced in a stealthy espionage campaign active since at least November 2024.
* **Objective:** Espionage or access brokerage.
## Tactics, Techniques & Procedures
* **Initial Access:** Phishing and domain impersonation (spoofed Cloudflare and Telegram domains).
* **Execution:** Malicious bash script used to download initial payloads.
* **Persistence:** Cron job persistence observed.
* **Defense Evasion/Execution:**
* Use of a custom dropper named **SNOWLIGHT**.
* **VShell** (a fileless RAT) is loaded entirely into memory using `memfd_create` and executed via `fexecve`, masquerading as a kernel process.
* **Command and Control (C2):**
* VShell communicates via WebSocket over HTTPS for real-time, encrypted remote access.
* Sliver implants provide fallback persistence/C2 using mTLS and WireGuard.
## Targeting
* **Sectors:** Research institutions, government agencies, NGOs, and critical infrastructure sectors.
* **Geography:** Western and APAC countries.
* **Victims:** Not specifically named, but broad organizational scope.
## Tools & Infrastructure
* **Malware Families Used:**
* **SNOWLIGHT** (Custom dropper)
* **VShell** (Fileless Remote Access Trojan/RAT)
* **Sliver** (Implant for fallback persistence)
* **Infrastructure:** New C2 infrastructure utilizing protocols like WebSocket over HTTPS, mTLS, and WireGuard.
## Implications
UNC5174 demonstrates a high level of operational security by deploying fileless, in-memory RATs (VShell) on Linux platforms and using legitimate-looking protocols (WebSockets over HTTPS) for C2 communication, making traditional endpoint detection challenging. The focus on critical infrastructure suggests high-value espionage objectives.
## Mitigations
Defense should focus on monitoring for unusual script execution, memory manipulation techniques like `memfd_create` and `fexecve` being used by non-standard processes, monitoring for C2 patterns that mimic legitimate WebSocket traffic, and scrutinizing cron jobs for suspicious entries.