A China-linked cyber espionage group, UNC5174 (aka Uteus or Uetus), has been linked to a new malware campaign targeting Linux systems using a modified variant of the known SNOWLIGHT malware and a new, open-source remote access tool dubbed VShell.
Cybersecurity firm Sysdig, which uncovered the campaign, noted that the attackers leveraged open-source tools to enhance stealth and reduce operational costs, a tactic increasingly seen among both state-sponsored and low-skill threat actors.
First spotted by Google-owned cybersecurity firm Mandiant, UNC5174 is known for exploiting vulnerabilities in ConnectWise ScreenConnect and F5 BIG-IP to deploy SNOWLIGHT, an ELF-based downloader written in C that is used to fetch additional payloads such as GOHEAVY and GOREVERSE, both written in Go and tied to the SUPERSHELL command-and-control framework.
The latest campaign, first observed in January 2025, involves the execution of a malicious script (download_backd.sh) that installs SNOWLIGHT binaries and a Sliver implant for persistence and C2 communication. The malware then deploys a fileless in-memory payload: VShell, a RAT capable of executing arbitrary commands and facilitating data exfiltration.
France's National Cybersecurity Agency (ANSSI) recently reported similar tactics in its 2024 threat overview, linking the use of rootkits and open-source intrusion tools to attacks exploiting Ivanti CSA vulnerabilities (CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190).