Chinese hackers use the VShell tool and the SNOWLIGHT malware to target Linux systems.
A group associated with China, known as UNC5174, has launched a new cyber attack campaign. They’re using a modified version of malware named SNOWLIGHT and a tool called VShell to target Linux systems.

The group relies on open-source tooling, which keeps costs down and blurs attribution: because such tools are freely available and used by many actors, not only professional or state-backed ones, tying an intrusion to a specific group becomes harder. This assessment comes from Alessandra Rizzo, a researcher at Sysdig.
UNC5174 has been quiet for the past year but is believed to be linked to the Chinese government. Previously, they exploited security flaws in software like ConnectWise ScreenConnect and F5 BIG-IP, using a downloader called SNOWLIGHT to install another program, GOHEAVY, for secret communication channels.
They also used GOREVERSE, a reverse-shell backdoor written in Go that operates over Secure Shell (SSH).
The French National Agency for the Security of Information Systems (ANSSI) reported seeing similar tactics used to exploit security vulnerabilities in Ivanti Cloud Service Appliance (CSA), including CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190, allowing attackers to control systems and execute harmful code.
ANSSI characterized these attacks as clever and quiet, relying on widely available tools and known rootkit code. Both SNOWLIGHT and VShell also target Apple macOS systems; VShell has been distributed disguised as a fake Cloudflare app, as revealed by an analysis of files submitted to VirusTotal from China in October 2024.
In January 2025, Sysdig observed an attack where SNOWLIGHT was used to introduce VShell, a common remote access trojan (RAT) among Chinese-speaking hackers. The entry method used for these attacks remains unknown.
The attack execution starts with a bash script named "download_backd.sh," which installs two binaries, SNOWLIGHT and Sliver, to maintain system control and communicate with a command-and-control (C2) server. The final step involves using SNOWLIGHT to deliver VShell, allowing remote control and further attack progress.
VShell operates as a Remote Access Trojan, letting attackers execute arbitrary commands and transfer files, as Rizzo explained. Sysdig noted that SNOWLIGHT and VShell pose a serious threat because of their stealth and sophistication: both use WebSockets for command-and-control, and VShell runs fileless, entirely in memory, leaving no binary on the system's disk.
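As an added example (not code from the article, from Sysdig, or from the malware itself), the following defender-side hunting script looks for the kind of in-memory execution just described: Linux processes whose /proc/<pid>/exe no longer points at a regular file on disk. The function names classify_exe and scan_proc are hypothetical, and the matching rules are a starting point for triage, not a verdict.

```python
#!/usr/bin/env python3
"""Hunt for Linux processes whose executable image is not backed by a file on disk.

A process whose /proc/<pid>/exe resolves to a deleted file or to an anonymous
memfd is a common sign of an in-memory (fileless) payload. This is an added,
hypothetical helper: it is not part of the article or of Sysdig's tooling.
"""
import os
import re
from typing import List, Optional, Tuple

# Signals that an executable image was not loaded from a regular file on disk.
_MEMFD = re.compile(r"^/memfd:")          # memfd_create() + fexecve() style loading
_DELETED = re.compile(r" \(deleted\)$")   # binary unlinked after it started running
_DEV_SHM = re.compile(r"^/dev/shm/")      # executing out of tmpfs


def classify_exe(exe_target: str) -> Optional[str]:
    """Return a finding label for a suspicious /proc/<pid>/exe target, else None.

    memfd targets also carry the " (deleted)" suffix, so they are checked first.
    Caveat: a legitimately upgraded package can leave a long-running process with
    a "(deleted)" exe link, so treat that label as a lead for triage, not proof.
    """
    if _MEMFD.search(exe_target):
        return "memfd-backed executable (anonymous in-memory file)"
    if _DELETED.search(exe_target):
        return "executable unlinked after start (binary removed from disk)"
    if _DEV_SHM.search(exe_target):
        return "executable running from tmpfs /dev/shm"
    return None


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Walk proc_root and return (pid, exe_target, finding) for matching processes."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # kernel threads, processes that exited, or other users' processes
        label = classify_exe(target)
        if label:
            findings.append((int(entry), target, label))
    return findings


if __name__ == "__main__":
    for pid, target, label in scan_proc():
        print(f"pid {pid}: {target} -> {label}")
```

Run it as root to cover every process; unprivileged runs silently skip processes whose exe link cannot be read.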
Recently, TeamT5 revealed that a China-linked hacking group likely exploited vulnerabilities in Ivanti appliances to initiate attacks and deploy malware known as SPAWNCHIMERA.
These attacks affected many sectors in approximately 20 countries, including Austria, Australia, France, Spain, Japan, South Korea, and others.
Separately, China has accused the U.S. National Security Agency (NSA) of advanced cyberattacks during the Asian Winter Games in February, blaming three NSA agents for repeatedly attacking China's critical information infrastructure and targeting Huawei.
The National Computer Virus Emergency Response Center (CVERC) reported that the U.S. conducted over 170,000 cyberattacks between January 26 and February 14, 2025. The U.S. was followed by Singapore, the Netherlands, Germany, and South Korea as the next largest sources of attacks. Overall, the Games' systems recorded 270,167 attacks from foreign sources.
During the ninth Asian Winter Games, China's Foreign Ministry Spokesperson Lin Jian stated that the U.S. government was responsible for cyberattacks on the Games' information systems and critical infrastructure in Heilongjiang, severely threatening the security of China's major information infrastructure, defense, finance, society, production, and the privacy of its citizens.