After operating quietly for a year, a Chinese state-sponsored hacking group known as UNC5174 has launched a new cyber campaign, according to the Sysdig Threat Research Team (TRT).
Sysdig researchers uncovered the campaign in late January 2025 when they spotted a malicious bash script downloading several files to maintain access on targeted systems. One of these files was a variant of the group’s known malware, SNOWLIGHT, which has been previously used in attacks on F5 devices and was recently mentioned in France’s 2025 Cyber Threat Overview report.
In a new twist, UNC5174 is now using an open-source tool called VShell—a Remote Access Trojan (RAT) developed by a Chinese-speaking author. VShell is gaining popularity in underground forums, even being called “better” than the widely used Cobalt Strike hacking tool. By using open-source software like VShell, UNC5174 can blend in with less sophisticated hackers, making it harder for authorities to link attacks back to them.
According to Sysdig, the SNOWLIGHT malware acts as a dropper, deploying VShell as a fileless payload that lives only in a computer’s memory—making it much harder to detect.
UNC5174 is believed to customize most of its malicious tools, which tells us it has a high level of technical skill. The group’s goals include espionage and selling access to target entity once it has been successfully compromised.
Sysdig warns that both SNOWLIGHT and VShell pose serious risks to organizations because of their stealthy techniques, such as using WebSockets for command-and-control communications and relying on memory-only payloads.
Who Is UNC5174?
UNC5174 is thought to be a contractor working on behalf of the Chinese government. Past reports from HivePro and Mandiant reveal that the group targets countries like the U.S., Canada, and the U.K., mainly attacking research institutions, government agencies, think tanks, and tech companies. They have also gone after NGOs and critical infrastructure organizations in the Asia-Pacific region, particularly in energy, defense, and healthcare.
UNC5174 has a history of exploiting vulnerabilities and using phishing attacks to deliver their malware. For example, during the 2024 Summer Olympics, the group was linked to attacks on Ivanti’s Cloud Service Appliance (CSA) products. Their malware has even been seen targeting MacOS systems.
While it’s unclear how they are gaining initial access in this latest campaign, Sysdig notes that Linux systems are the primary target. Researchers also found that the group is using domain squatting—registering fake websites that mimic real companies—to trick victims. Recently impersonated companies include Cloudflare, Telegram, and Huione Pay.
Ongoing Campaign and Malicious Domains
Following initial access, the hackers deploy a malicious script that drops two tools:
dnsloger (related to SNOWLIGHT malware)
system_worker (linked to Sliver and Cobalt Strike tools)
Their goal is to maintain long-term access and allow for further exploitation of the systems.
Sysdig’s domain analysis found two new suspicious domains used for command-and-control operations:
gooogleasia[.]com (not affiliated with Google)
sex666vr[.]com
Some subdomains even mimic trusted services, such as login.microsoftonline.gooogleasia.com. These fake sites are believed to be used for phishing attacks.
The domain gooogleasia[.]com was created in September 2023 and has changed servers several times, with its latest activity seen in February 2025. Subdomains like evil.gooogleasia.com and account.gooogleasia.com have also been linked to Cobalt Strike activity.
Meanwhile, sex666vr[.]com was last active in October 2024 and appears to have been abandoned by UNC5174.
Sysdig researchers believe the campaign is still active as of late March 2025, with new malicious domains continuing to pop up.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.