The Sysdig Threat Research Team (TRT) has revealed a significant evolution in the offensive capabilities of the Chinese state-sponsored threat actor, UNC5174.
In late January 2025, after a year of diminished activity, the group launched a new campaign that introduced an open-source tool called VShell, alongside a new command and control (C2) infrastructure.
This shift in strategy was first observed when a malicious bash script, which is capable of downloading multiple executable files for persistence, was identified.
.png
)
New Arsenal and Stealth Techniques
UNC5174 previously relied on tools like SUPERSHELL for their operations but now incorporates VShell, a remote access trojan (RAT) that operates exclusively in memory, making it a fileless malware.
This characteristic complicates traditional detection methods due to its lack of a persistent file on disk.
The deployment of VShell by UNC5174 involves SNOWLIGHT, a known dropper for the group, which disguises VShell as a legitimate system process named [kworker/0:2].
This method of execution through system calls like memfd_create and fexecve, combined with an HTTP GET request to retrieve VShell over WebSockets, underscores UNC5174’s focus on evasion and maintaining low detection rates.
Sophisticated Infrastructure
The C2 infrastructure utilized by UNC5174 in this campaign includes domains like gooogleasia[.]com and sex666vr[.]com, which employs techniques such as domain squatting to impersonate reputable companies.
These domains support multiple subdomains, enhancing their capabilities for phishing or C2 operations.
Here, the C2 traffic leverages encrypted channels through mTLS, WireGuard, and HTTPS, often running on port 8443 to blend with legitimate HTTPS traffic.
This development is a clear indication of UNC5174’s strategic enhancement, focusing on stealth, technical sophistication, and resilience against detection.
Their motivations appear to blend cyber espionage with the potential of brokering access to compromised environments.
VShell’s fileless nature, combined with its real-time communication capabilities over secure WebSockets, suggests a move towards operations that are harder to detect and disrupt, thereby increasing the risk to affected organizations.
The integration of VShell into UNC5174’s operations marks an escalation in the group’s capabilities, showcasing an intent to remain under the radar while potentially supporting espionage efforts or providing access for sale.
Sysdig’s analysis provides a technical deep dive into these new tactics, urging organizations, particularly those in sectors critical to Chinese interests, to adapt their security measures.
Monitoring for fileless attacks, understanding the nuanced C2 communications, and preparing for evolving techniques are crucial steps in defense against this formidable threat actor.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
 has revealed a significant evolution in the offensive capabilities of the Chinese state-sponsored.){kind=link}