Sunday, May 25, 2025
Homecyber securityChinese UNC5174 Group Expands Arsenal with New Open Source Tool and C2...

Chinese UNC5174 Group Expands Arsenal with New Open Source Tool and C2 Infrastructure

Published on

SIEM as a Service

Follow Us on Google News

The Sysdig Threat Research Team (TRT) has revealed a significant evolution in the offensive capabilities of the Chinese state-sponsored threat actor, UNC5174.

In late January 2025, after a year of diminished activity, the group launched a new campaign that introduced an open-source tool called VShell, alongside a new command and control (C2) infrastructure.

This shift in strategy was first observed when a malicious bash script, which is capable of downloading multiple executable files for persistence, was identified.

- Advertisement - Google News
Open Source Tool
Flow of the working

New Arsenal and Stealth Techniques

UNC5174 previously relied on tools like SUPERSHELL for their operations but now incorporates VShell, a remote access trojan (RAT) that operates exclusively in memory, making it a fileless malware.

This characteristic complicates traditional detection methods due to its lack of a persistent file on disk.

The deployment of VShell by UNC5174 involves SNOWLIGHT, a known dropper for the group, which disguises VShell as a legitimate system process named [kworker/0:2].

This method of execution through system calls like memfd_create and fexecve, combined with an HTTP GET request to retrieve VShell over WebSockets, underscores UNC5174’s focus on evasion and maintaining low detection rates.

Sophisticated Infrastructure

The C2 infrastructure utilized by UNC5174 in this campaign includes domains like gooogleasia[.]com and sex666vr[.]com, which employs techniques such as domain squatting to impersonate reputable companies.

These domains support multiple subdomains, enhancing their capabilities for phishing or C2 operations.

Here, the C2 traffic leverages encrypted channels through mTLS, WireGuard, and HTTPS, often running on port 8443 to blend with legitimate HTTPS traffic.

This development is a clear indication of UNC5174’s strategic enhancement, focusing on stealth, technical sophistication, and resilience against detection.

Their motivations appear to blend cyber espionage with the potential of brokering access to compromised environments.

Open Source Tool
Sliver functions

VShell’s fileless nature, combined with its real-time communication capabilities over secure WebSockets, suggests a move towards operations that are harder to detect and disrupt, thereby increasing the risk to affected organizations.

The integration of VShell into UNC5174’s operations marks an escalation in the group’s capabilities, showcasing an intent to remain under the radar while potentially supporting espionage efforts or providing access for sale.

Sysdig’s analysis provides a technical deep dive into these new tactics, urging organizations, particularly those in sectors critical to Chinese interests, to adapt their security measures.

Monitoring for fileless attacks, understanding the nuanced C2 communications, and preparing for evolving techniques are crucial steps in defense against this formidable threat actor.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...