Chinese espionage group leans on open-source tools to mask intrusions
A Chinese state-sponsored hacking group has been observed using recently released open-source offensive security tools and other tactics in an effort to blend in with more common cybercriminal activity.
The group, UNC5174, is an espionage-minded hacking group that is believed to have ties to the Chinese government and targets Western governments, technology companies, research institutions and think tanks.
In a new campaign observed by researchers at Sysdig, the group was seen using VShell — an open-source Remote Access Trojan made by a Chinese developer and popular among Chinese cybercriminals — to carry out post-exploitation activity.
They were also spotted using WebSockets, a standard protocol that upgrades an ordinary HTTP connection into a persistent two-way channel, to communicate with command-and-control infrastructure, masking much of the malicious traffic inside what looks like routine encrypted web transmissions.
This was apparently effective, as Sysdig threat research engineer Alessandra Rizzo noted that “our runtime capture confirms that, except for a few random words, we found nothing of note in the network traffic once the connection was upgraded to a WebSocket.”
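The two properties that make a WebSocket channel hard to inspect are visible in the protocol itself: after a one-time HTTP handshake (an Upgrade request answered with a Sec-WebSocket-Accept value derived from the client's key), every client-to-server frame is XOR-masked with a per-frame 4-byte key, so a naive string search over the captured bytes sees only noise until the frames are parsed and unmasked. The following is an added example, not Sysdig's or UNC5174's code, that builds and parses RFC 6455 frames and checks an upgrade handshake; the beacon command string and the header block are constructed for illustration.

```python
import base64
import hashlib
import struct

# Fixed GUID from RFC 6455 section 4.2.2, appended to the client key before SHA-1.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(sec_websocket_key: str) -> str:
    """Return the Sec-WebSocket-Accept a server must send for a given client key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def is_upgrade_request(headers: dict) -> bool:
    """True if an HTTP request carries a complete WebSocket upgrade handshake."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return (
        h.get("upgrade", "").lower() == "websocket"
        and "upgrade" in h.get("connection", "").lower()
        and "sec-websocket-key" in h
        and h.get("sec-websocket-version") == "13"
    )


def build_frame(payload: bytes, mask_key: bytes, opcode: int = 0x1) -> bytes:
    """Build one masked client-to-server frame (FIN set, text opcode by default)."""
    if len(mask_key) != 4:
        raise ValueError("mask key must be 4 bytes")
    header = bytes([0x80 | opcode])            # FIN bit + opcode
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])            # MASK bit + 7-bit length
    elif n < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return header + mask_key + masked


def parse_frame(frame: bytes):
    """Parse one frame and return (opcode, was_masked, unmasked_payload)."""
    if len(frame) < 2:
        raise ValueError("frame too short")
    opcode = frame[0] & 0x0F
    masked = bool(frame[1] & 0x80)
    length = frame[1] & 0x7F
    pos = 2
    if length == 126:
        (length,) = struct.unpack("!H", frame[pos:pos + 2])
        pos += 2
    elif length == 127:
        (length,) = struct.unpack("!Q", frame[pos:pos + 8])
        pos += 8
    mask_key = b""
    if masked:
        mask_key = frame[pos:pos + 4]
        pos += 4
    if len(frame) < pos + length:
        raise ValueError("truncated frame")
    body = frame[pos:pos + length]
    if masked:
        body = bytes(b ^ mask_key[i % 4] for i, b in enumerate(body))
    return opcode, masked, body


def naive_grep(wire_bytes: bytes, needle: bytes) -> bool:
    """What a plain content match over captured traffic would see."""
    return needle in wire_bytes


# Constructed handshake headers (hypothetical host and key; the key is the RFC 6455 example).
SAMPLE_HEADERS = {
    "Host": "example.invalid",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
}

# Constructed, hypothetical beacon command; the mask key is the RFC 6455 example value.
BEACON_CMD = b"exec:uname -a"
MASK = bytes.fromhex("37fa213d")


def demo() -> dict:
    """Show that the command is invisible to naive_grep on the wire but recovered after parsing."""
    frame = build_frame(BEACON_CMD, MASK)
    opcode, masked, body = parse_frame(frame)
    return {
        "handshake_ok": is_upgrade_request(SAMPLE_HEADERS),
        "accept": accept_key(SAMPLE_HEADERS["Sec-WebSocket-Key"]),
        "grep_on_wire": naive_grep(frame, b"uname"),
        "grep_after_unmask": naive_grep(body, b"uname"),
        "recovered": body == BEACON_CMD and opcode == 0x1 and masked,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Only client-to-server frames carry the mask; server-to-client frames are sent in the clear, and over wss:// the whole exchange sits inside TLS anyway, so detection in practice has to lean on the handshake (the Upgrade request is still plain HTTP at the proxy) and on connection metadata such as duration, destination and timing rather than on payload content.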
The observed behavior fits a broader trend researchers are tracking: more advanced and state-sponsored threat actors forgoing bespoke tooling in favor of open-source or cheaper tools associated with “script kiddies,” or less technically skilled cybercriminals.
This approach “seems to hold especially true for this particular threat actor, who has been under the radar for the last year since being affiliated with the Chinese government,” Rizzo wrote. It’s also notable because “nearly all” of UNC5174’s tooling observed until the past year had been custom-built and “not easily-copied.”
UNC5174 was seen using both VShell and WebSockets as recently as January, even as the group continued to rely on custom malware for post-exploitation while targeting Linux-based systems.
Indeed, one of the calling cards of UNC5174 is the use of SNOWLIGHT, a malware family first identified by researchers at Mandiant that acts in tandem with VShell to deploy fileless malware on victim systems.
In this latest campaign, the actors use a payload called “dnsloger” that is part of the SNOWLIGHT family. They took actions that reflected in-depth knowledge of Linux-based operating systems, including methods for maintaining persistence, defensive evasion, and injection techniques.
It’s not clear how UNC5174 is obtaining initial access to victim systems, but included among the artifacts discovered by Sysdig researchers are a number of command-and-control domains that suggest that typosquatted website domains and phishing tactics were used.
The findings align with other recently reported activity around UNC5174.
In 2024, the French cybersecurity agency ANSSI observed an attacker using the same tactics, techniques and procedures as UNC5174 while exploiting vulnerabilities in Ivanti’s Cloud Service Appliance product, gaining remote code execution on affected appliances. That attack included the use of a zero-day flaw (CVE-2024-8190) days before Ivanti published a security advisory.
But further investigation of infected victims by the agency found that the group had used a “common intrusion set” to gain initial access, and suggested that UNC5174 may have been selling its access to the highest bidder.
“Moderately sophisticated and discreet, this intrusion set is characterised by the use of intrusion tools largely available as open source and by the — already publicly reported — use of a rootkit code,” the agency wrote. “Post-exploitation activities do nevertheless differ from one incident to the next, which supports the hypothesis of an intrusion set being used as a means to secure initial access points, to then be sold off or entrusted to other operators.”
Rizzo wrote that UNC5174’s use of open-source tools like VShell and WebSockets has likely helped the group mask its presence in other, yet-to-be discovered campaigns.
“The lack of public documentation on VShell being employed by this threat actor is telling, as the evidence we have gathered shows that this campaign has been active since at least November 2024,” Rizzo noted.