Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool

The Hacker News by The Hacker News
April 15, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Apr 15, 2025Ravie LakshmananLinux / Malware

The China-linked threat actor known as UNC5174 has been attributed to a new campaign that leverages a variant of a known malware dubbed SNOWLIGHT and a new open-source tool called VShell to infect Linux systems.

“Threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of non-state-sponsored and often less technical adversaries (e.g., script kiddies), thereby making attribution even more difficult,” Sysdig researcher Alessandra Rizzo said in a report shared with The Hacker News.

“This seems to hold especially true for this particular threat actor, who has been under the radar for the last year since being affiliated with the Chinese government.”

UNC5174, also referred to as Uteus (or Uetus), was previously documented by Google-owned Mandiant as exploiting security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver a C-based ELF downloader named SNOWLIGHT, which is designed to fetch a Golang tunneler dubbed GOHEAVY from infrastructure tied to a publicly available command-and-control (C2) framework known as SUPERSHELL.

Cybersecurity

Also deployed in the attacks was GOREVERSE, a publicly available reverse shell backdoor written in Golang that operates over Secure Shell (SSH).

The French National Agency for the Security of Information Systems (ANSSI), in its Cyber Threat Overview report for 2024 published last month, said it observed an attacker employing similar tradecraft as that of UNC5174 to weaponize security flaws in Ivanti Cloud Service Appliance (CSA) such as CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190 to gain control and execute arbitrary code.

“Moderately sophisticated and discreet, this intrusion set is characterized by the use of intrusion tools largely available as open source and by the – already publicly reported – use of a rootkit code,” the ANSSI said.

It’s worth noting that both SNOWLIGHT and VShell are capable of targeting Apple macOS systems, with the latter distributed as a fake Cloudflare authenticator application as part of an as-yet-undetermined attack chain, according to an analysis of artifacts uploaded to VirusTotal from China in October 2024.

In the attack chain observed by Sysdig in late January 2025, the SNOWLIGHT malware acts as a dropper for a fileless, in-memory payload called VShell, a remote access trojan (RAT) widely used by Chinese-speaking cybercriminals. The initial access vector used for the attack is presently unknown.

Specifically, the initial access is used to execute a malicious bash script (“download_backd.sh”) that deploys two binaries associated with SNOWLIGHT (dnsloger) and Sliver (system_worker), both of which are used to set up persistence and establish communications with a C2 server.

The final stage of the attack delivers VShell via SNOWLIGHT by means of a specially crafted request to the C2 server, thereby enabling remote control and further post-compromise exploitation.

“[VShell] acts as a RAT (Remote Access Trojan), allowing its abusers to execute arbitrary commands and download or upload files,” Rizzo said. “SNOWLIGHT and VShell pose a significant risk to organizations due to their stealthy and sophisticated techniques,” Sysdig said. “This is evidenced by the employment of WebSockets for command-and-control, as well as the fileless VShell payload.”

Cybersecurity

The disclosure comes as TeamT5 revealed that a China-nexus hacking group likely exploited security flaws in Ivanti appliances (CVE-2025-0282 and CVE-2025-22457) to gain initial access and deploy the SPAWNCHIMERA malware.

The attacks, the Taiwanese cybersecurity company said, targeted a multitude of sectors spanning nearly 20 different countries such as Austria, Australia, France, Spain, Japan, South Korea, Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States.

The findings also dovetail with accusations from China that the U.S. National Security Agency (NSA) launched “advanced” cyber attacks during the Asian Winter Games in February, pointing fingers at three NSA agents for repeated attacks on China’s critical information infrastructure as well as against Huawei.

“At the ninth Asian Winter Games, the U.S. government conducted cyberattacks on the information systems of the Games and the critical information infrastructure in Heilongjiang,” Foreign Ministry Spokesperson Lin Jian said. “This move is egregious for it severely endangers the security of China’s critical information infrastructure, national defense, finance, society, and production as well as its citizens’ personal information.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Mesh Systems Appoints Andrew Cohoat as President and CEO as Company Celebrates 20th Anniversary

Mesh Systems Appoints Andrew Cohoat as President and CEO as Company Celebrates 20th Anniversary

Recommended.

Stocks making the biggest moves premarket: CVS, Super Micro Computer, Meta Platforms and more

Stocks making the biggest moves premarket: CVS, Super Micro Computer, Meta Platforms and more

February 12, 2025
Top AWS And Google Partner DoiT Buys Software Startup LiveDiagrams To Boost FinOps, Cloud Optimization

Top AWS And Google Partner DoiT Buys Software Startup LiveDiagrams To Boost FinOps, Cloud Optimization

January 15, 2025

Trending.

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

October 6, 2025
Cloud Computing on the Rise: Market Projected to Reach .6 Trillion by 2030

Cloud Computing on the Rise: Market Projected to Reach $1.6 Trillion by 2030

August 1, 2025
Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

July 14, 2025
The Ultimate MSP Guide to Structuring and Selling vCISO Services

The Ultimate MSP Guide to Structuring and Selling vCISO Services

February 19, 2025
Translators’ Voices: China shares technological achievements with the world for mutual benefit

Translators’ Voices: China shares technological achievements with the world for mutual benefit

June 3, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio