A Chinese state-linked threat actor, UNC5174, also tracked as Uteus or Uetus, has resurfaced with a new Linux-focused cyber attack campaign. This latest operation utilizes an updated version of the known SNOWLIGHT malware and an open-source Remote Access Trojan (RAT) named VShell to compromise Linux systems with stealth and precision.
Open-Source Tools as a Double-Edged Sword
According to Sysdig security researcher Alessandra Rizzo, the campaign leverages open-source tools not only for cost efficiency but also as a means to blend in with common cybercriminals, obscuring attribution efforts:
This aligns with previous profiles of UNC5174, which has been connected to Chinese government cyber operations. The group remained dormant over the past year until its reappearance in 2025.
Attack Chain: SNOWLIGHT, GOHEAVY, and VShell
UNC5174's toolset is evolving. Previously, the group exploited vulnerabilities in ConnectWise ScreenConnect and F5 BIG-IP devices to deploy SNOWLIGHT, a C-based ELF downloader. SNOWLIGHT acts as a dropper to fetch the GOHEAVY tunneler, a tool built in Golang, from C2 infrastructure tied to the SUPERSHELL framework.
Additionally, the attackers utilize GOREVERSE, a public reverse shell written in Go, which operates over SSH for stealthy backdoor access.
In January 2025, Sysdig researchers observed a new attack sequence where SNOWLIGHT delivers a fileless, in-memory VShell payload, deployed through a malicious bash script (download_backd.sh). This script installs two binaries:
dnsloger – linked to SNOWLIGHT
system_worker – associated with Sliver, another offensive security tool
These binaries ensure persistence and establish command-and-control (C2) communications.
The final payload, VShell, is a fully functional RAT, enabling remote command execution, file upload/download, and stealth control over the infected system. Sysdig emphasized:
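As an added defender-side example (not code from the article or from Sysdig), the following Python triage helper checks a Linux process snapshot for the artifact names the article quotes (download_backd.sh, dnsloger, system_worker) and for the fileless sign the article describes, a running process whose executable is no longer on disk. The /proc/<pid>/exe heuristic for in-memory execution and the sample snapshot are assumptions constructed for this example, not details from the article.

```python
import os
import re
# Artifact names quoted in the article; matching is on the name only.
SUSPECT_NAMES = {"download_backd.sh", "dnsloger", "system_worker"}

# What /proc/<pid>/exe resolves to for memfd-backed or unlinked binaries (assumption).
FILELESS_EXE = re.compile(r"\(deleted\)$|^/memfd:")

def classify(pid, comm, exe_target, cmdline=""):
    """Return finding strings for one process (empty list if clean)."""
    findings = []
    base = os.path.basename(comm)
    # comm is truncated to 15 chars by the kernel, so also look at cmdline.
    hit = base if base in SUSPECT_NAMES else next(
        (n for n in SUSPECT_NAMES if n in cmdline), None)
    if hit:
        findings.append(f"pid {pid}: matches article IoC name {hit}")
    if exe_target and FILELESS_EXE.search(exe_target):
        findings.append(f"pid {pid}: executable not on disk ({exe_target})")
    return findings

def scan_snapshot(snapshot):
    # snapshot: iterable of (pid, comm, exe_target, cmdline) tuples
    out = []
    for pid, comm, exe, cmd in snapshot:
        out.extend(classify(pid, comm, exe, cmd))
    return out

def live_snapshot(proc="/proc"):
    """Build a snapshot from a Linux /proc tree (root sees every process)."""
    rows = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        p = os.path.join(proc, entry)
        try:
            comm = open(os.path.join(p, "comm")).read().strip()
            raw = open(os.path.join(p, "cmdline"), "rb").read()
            exe = os.readlink(os.path.join(p, "exe"))
        except OSError:  # process exited, kernel thread, or no permission
            continue
        rows.append((int(entry), comm, exe, raw.replace(b"\0", b" ").decode(errors="replace")))
    return rows

# Constructed sample snapshot (not real telemetry) for offline use.
SAMPLE = [
    (101, "dnsloger", "/usr/bin/dnsloger", "/usr/bin/dnsloger"),
    (202, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    (303, "python3", "/memfd:stage (deleted)", "python3"),
    (404, "bash", "/usr/bin/bash", "bash /tmp/download_backd.sh"),
]
```

On a live Linux host, `scan_snapshot(live_snapshot())` applies the same checks to the running process table; a name match alone is weak evidence and should be confirmed against the file's hash and origin.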
macOS Also in the Crosshairs
Interestingly, both SNOWLIGHT and VShell have macOS-compatible variants. In October 2024, VShell was disguised as a fake Cloudflare authenticator app, indicating a broader cross-platform threat strategy.
Exploiting Ivanti Vulnerabilities
The French cybersecurity agency ANSSI reported that UNC5174 may have also weaponized flaws in Ivanti Cloud Service Appliance (CSA), including CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190. These attacks were marked by moderate sophistication and the use of public rootkit code, further highlighting the actor’s adaptability.
Meanwhile, researchers at TeamT5 exposed another Chinese-nexus group exploiting newer Ivanti vulnerabilities—CVE-2025-0282 and CVE-2025-22457—to deploy SPAWNCHIMERA, a novel malware strain. Their attacks spanned nearly 20 countries, affecting sectors in Austria, France, the UK, the U.S., Japan, South Korea, and more.
Global Cyber Tensions Escalate
The cyber offensive coincides with escalating tensions between China and the U.S., especially after China accused the NSA of launching cyberattacks on critical infrastructure during the 2025 Asian Winter Games.
The National Computer Virus Emergency Response Center (CVERC) claimed the U.S. initiated over 170,000 cyberattacks during the event, with Singapore, Germany, the Netherlands, and South Korea trailing as top sources of intrusion attempts.
Key Takeaways:
UNC5174 is using SNOWLIGHT and VShell to breach Linux systems.
The group adopts open-source and cross-platform tools for stealth and cost-efficiency.
Vulnerabilities in Ivanti CSA and other infrastructure are being actively exploited.
These attacks form part of a larger pattern of state-sponsored cyber espionage.