A new cyber campaign attributed to the China-linked threat actor UNC5174 (also known as Uteus or Uetus) has been uncovered, targeting Linux and macOS systems with a modified version of the SNOWLIGHT malware and a newly observed remote access trojan (RAT) called VShell. The campaign highlights a growing trend among threat actors of adopting open-source tools to lower operational costs and complicate attribution, allowing them to blend in with less sophisticated adversaries.

The attackers exploit known vulnerabilities in software such as ConnectWise ScreenConnect, F5 BIG-IP, and Ivanti CSA to gain initial access, although the exact entry point in this campaign remains unidentified. Once access is obtained, a malicious bash script is executed to deploy SNOWLIGHT and the Sliver C2 framework. SNOWLIGHT acts as a dropper, delivering the fileless, in-memory VShell, which uses WebSockets for stealthy command-and-control. VShell enables remote control, arbitrary command execution, and file transfers. GOHEAVY and GOREVERSE were also used in the attack chain.

Reports indicate that this actor has remained under the radar for over a year and operates with moderate sophistication. The campaign aligns with broader geopolitical tensions, including China's accusations that the U.S. National Security Agency (NSA) conducted cyberattacks on critical Chinese infrastructure during the 2025 Asian Winter Games, underscoring the escalating cyber conflict between major global powers.