Wednesday, May 7, 2025
Homecyber securityChinese UNC5174 Group Expands Arsenal with New Open Source Tool and C2...

Chinese UNC5174 Group Expands Arsenal with New Open Source Tool and C2 Infrastructure

Published on

SIEM as a Service

Follow Us on Google News

The Sysdig Threat Research Team (TRT) has revealed a significant evolution in the offensive capabilities of the Chinese state-sponsored threat actor, UNC5174.

In late January 2025, after a year of diminished activity, the group launched a new campaign that introduced an open-source tool called VShell, alongside a new command and control (C2) infrastructure.

This shift in strategy was first observed when a malicious bash script, which is capable of downloading multiple executable files for persistence, was identified.

- Advertisement - Google News
Open Source Tool
Flow of the working

New Arsenal and Stealth Techniques

UNC5174 previously relied on tools like SUPERSHELL for their operations but now incorporates VShell, a remote access trojan (RAT) that operates exclusively in memory, making it a fileless malware.

This characteristic complicates traditional detection methods due to its lack of a persistent file on disk.

The deployment of VShell by UNC5174 involves SNOWLIGHT, a known dropper for the group, which disguises VShell as a legitimate system process named [kworker/0:2].

This method of execution through system calls like memfd_create and fexecve, combined with an HTTP GET request to retrieve VShell over WebSockets, underscores UNC5174’s focus on evasion and maintaining low detection rates.

Sophisticated Infrastructure

The C2 infrastructure utilized by UNC5174 in this campaign includes domains like gooogleasia[.]com and sex666vr[.]com, which employs techniques such as domain squatting to impersonate reputable companies.

These domains support multiple subdomains, enhancing their capabilities for phishing or C2 operations.

Here, the C2 traffic leverages encrypted channels through mTLS, WireGuard, and HTTPS, often running on port 8443 to blend with legitimate HTTPS traffic.

This development is a clear indication of UNC5174’s strategic enhancement, focusing on stealth, technical sophistication, and resilience against detection.

Their motivations appear to blend cyber espionage with the potential of brokering access to compromised environments.

Open Source Tool
Sliver functions

VShell’s fileless nature, combined with its real-time communication capabilities over secure WebSockets, suggests a move towards operations that are harder to detect and disrupt, thereby increasing the risk to affected organizations.

The integration of VShell into UNC5174’s operations marks an escalation in the group’s capabilities, showcasing an intent to remain under the radar while potentially supporting espionage efforts or providing access for sale.

Sysdig’s analysis provides a technical deep dive into these new tactics, urging organizations, particularly those in sectors critical to Chinese interests, to adapt their security measures.

Monitoring for fileless attacks, understanding the nuanced C2 communications, and preparing for evolving techniques are crucial steps in defense against this formidable threat actor.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...