China-backed Threat Actor “UNC5174” Using Open Source Tools in Stealthy Attacks
Sysdig researchers detailed an ongoing campaign from China-backed threat actor UNC5174, which is using open source hacking tools to stay under the radar.
A state-backed Chinese threat actor known as “UNC5174” is using stealthy techniques and open source software to attack its victims.
Cloud security vendor Sysdig published research today on UNC5174, which it observed using a new open source tool and new command-and-control (C2) infrastructure in its most recent campaign in late January. Specifically, the group deployed a variant of its “Snowlight” malware alongside the open source tool “VShell,” a C2 framework that fills the same role as the widely used Cobalt Strike penetration testing framework.
In the new research, Alessandra Rizzo, threat detection engineer at Sysdig, emphasized the value of open source tools such as VShell to a threat actor like UNC5174.
“In the ‘2024 Global Threat Year-in-Review,’ we reported that threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of non-state-sponsored and often less technical adversaries (e.g., script kiddies), thereby making attribution even more difficult,” she wrote. “This seems to hold especially true for this particular threat actor, who has been under the radar for the last year since being affiliated with the Chinese government.”
