News from the AI & ML world

DeeperML - #apt

@cyberscoop.com //
A Chinese state-sponsored hacking group tracked as UNC5174 is actively targeting Linux and macOS systems with a mix of custom malware and publicly available tools. The espionage-focused group, assessed to have ties to the Chinese government, is known for targeting Western governments, technology companies, research institutions and think tanks. Researchers at Sysdig recently observed a new campaign in which UNC5174 pairs VShell, a publicly available Remote Access Trojan (RAT), with its SNOWLIGHT malware to compromise systems and mask its activity. The group's operations, which have reached more than 20 countries across the government, finance and defense sectors, illustrate a broader trend of APT groups adopting open-source and commodity tooling to blend in and evade attribution.

UNC5174 uses VShell, a RAT popular among Chinese-speaking cybercriminals, for post-exploitation. In some instances VShell was distributed as a fake Cloudflare authenticator application; together with SNOWLIGHT, which acts as the dropper, it is used to deploy the payload filelessly, in memory, on victim systems. Command-and-control traffic runs over WebSockets, a standard bidirectional protocol that begins as an ordinary HTTP request and is then upgraded to a persistent channel (it is encrypted only when carried over TLS, as wss://); the upgraded connection looks like routine web traffic and offers little for network inspection. Relying on readily available tools lets UNC5174 blend in with common cybercriminal activity and makes attribution significantly harder. Sysdig notes that its runtime capture found very little of note in the network traffic once the connection had been upgraded to a WebSocket.

The adoption of open-source tools is a shift for UNC5174: nearly all of its previously observed tooling was custom-built and hard to replicate. The new campaign, observed as recently as January 2025, uses a payload named "dnsloger", part of the SNOWLIGHT family, alongside VShell. UNC5174 also shows in-depth knowledge of Linux, applying persistence, defense-evasion and injection techniques, with motives that likely include both espionage and selling access to compromised environments. The initial access vector is still unknown; what is known is that the group is actively targeting Linux systems, and its stealthy tradecraft poses a significant risk to organizations running them.
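The fileless loading described above leaves a recognisable footprint on Linux: a payload executed from an anonymous memfd shows up as a process whose /proc/<pid>/exe target, or an executable mapping in /proc/<pid>/maps, points at "/memfd:". The hunt below is an added example written for this page, not code from Sysdig's report or from the campaign; the /proc samples it classifies are constructed, and scan_proc() reads the live /proc on a Linux host (reading other users' processes needs root).

```python
"""Hunt for in-memory ELF payloads on Linux by inspecting /proc (added example)."""
import os


def classify_process(exe_target, maps_lines):
    """Return indicator names for one process.

    exe_target : readlink result of /proc/<pid>/exe
    maps_lines : the lines of /proc/<pid>/maps
    """
    indicators = []
    if exe_target.startswith("/memfd:"):
        indicators.append("exe_is_memfd")        # binary exists only in an anonymous memfd
    elif exe_target.endswith(" (deleted)"):
        indicators.append("exe_deleted")         # binary unlinked after exec, a common cleanup trick
    for line in maps_lines:
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue                             # anonymous mapping, no path column
        perms, path = fields[1], fields[5]
        if "x" in perms and path.startswith("/memfd:"):
            indicators.append("exec_memfd_mapping")
            break
    return indicators


def scan_proc(proc_root="/proc"):
    """Walk the live /proc and return {pid: indicators} for flagged processes."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"{proc_root}/{entry}/exe")
            with open(f"{proc_root}/{entry}/maps") as fh:
                maps = fh.read().splitlines()
        except OSError:
            continue                             # process exited, kernel thread, or no permission
        found = classify_process(exe, maps)
        if found:
            hits[int(entry)] = found
    return hits


# Constructed sample data, not captured from a real host.
BENIGN_EXE = "/usr/sbin/sshd"
BENIGN_MAPS = [
    "55d1c2a00000-55d1c2b00000 r-xp 00000000 fd:01 131 /usr/sbin/sshd",
    "7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0",
]
SUSPECT_EXE = "/memfd:payload (deleted)"
SUSPECT_MAPS = [
    "7f9b40000000-7f9b40042000 r-xp 00000000 00:01 42 /memfd:payload (deleted)",
    "7f9b40042000-7f9b40050000 rw-p 00042000 00:01 42 /memfd:payload (deleted)",
]

if __name__ == "__main__":
    print("benign :", classify_process(BENIGN_EXE, BENIGN_MAPS))
    print("suspect:", classify_process(SUSPECT_EXE, SUSPECT_MAPS))
    if os.path.isdir("/proc"):
        for pid, why in scan_proc().items():
            print(pid, why)
```

Legitimate software (some JIT runtimes, container runtimes, sandboxed browsers) also uses memfd, so treat a hit as a lead to triage against the process's parent, command line and network connections rather than as a verdict.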



References :
  • cyberscoop.com: Sysdig researchers detailed an ongoing campaign from China-backed threat actor UNC5174, which is using open source hacking tools to stay under the radar.
  • The Hacker News: The China-linked threat actor known as UNC5174 has been attributed to a new campaign that leverages a variant of a known malware dubbed SNOWLIGHT and a new open-source tool called VShell to infect Linux systems.
  • cyberscoop.com: Chinese espionage group leans on open-source tools to mask intrusions
  • Anonymous: UNC5174 (aka Uteus), tied to China, is quietly breaching Linux & macOS systems using SNOWLIGHT malware + a fake Cloudflare app (VShell).
  • Sysdig: UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell
  • The Register - Security: Chinese snoops use stealth RAT to backdoor US orgs – still active last week
  • securityonline.info: UNC5174: Chinese Threat Actor Deploys New VShell RAT in Campaign
Classification:
  • HashTags: #UNC5174 #APT #CyberEspionage
  • Target: various organizations, multiple countries
  • Attacker: UNC5174
  • Malware: SNOWLIGHT, VShell
  • Type: Espionage
  • Severity: Medium
Sathwik Ram@seqrite.com //
The Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate critical sectors. The Seqrite Labs APT team uncovered these tactics, which have been in use since the last week of December 2024. The group, previously focused on Indian government, defence and maritime targets as well as university students, is expanding its targeting scope.

The group has broadened its targets to critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in the recent campaigns is the transition from HTML Application (HTA) files to Microsoft Installer (MSI) packages as the primary staging mechanism, accompanied by more sophisticated methods such as reflective DLL loading and AES encryption handled in PowerShell.

SideCopy is also repurposing open-source tools such as XenoRAT and SparkRAT, customizing them for its own use, and has added a newly identified Golang-based malware dubbed CurlBack RAT, used in DLL side-loading attacks. Recent campaigns show increased use of phishing emails that impersonate government officials to deliver the payloads, often sent from compromised official domains or from look-alike domains mimicking e-governance services.
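The staging chain the section describes (an MSI package that hands off to PowerShell, with AES handled in the script) is visible in process-creation telemetry as powershell.exe running beneath msiexec.exe with an encoded or crypto-bearing command line. The detector below is an added example for this page, not Seqrite's code or anything recovered from the campaign; the Sysmon-style events it runs over are constructed, and the field names (pid, ppid, image, cmdline) are an assumption about the log schema.

```python
"""Flag msiexec -> PowerShell staging chains in process-creation telemetry (added example)."""
import base64
import re

# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts any prefix of the flag)
ENCODED_ARG = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")
# fragments that appear when a script decrypts an embedded or downloaded AES payload
CRYPTO_HINTS = re.compile(r"(?i)AesManaged|Aes\]::Create|FromBase64String|CreateDecryptor")


def decode_encoded_command(cmdline):
    """Decode PowerShell's -EncodedCommand argument (base64 of a UTF-16LE script)."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestors(pid, by_pid):
    """Image basenames of the process chain above pid, nearest parent first."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur["image"].rsplit("\\", 1)[-1].lower())
    return chain


def find_msi_powershell_chains(events):
    """Alert on powershell.exe launched beneath msiexec.exe when its command line
    is encoded or references AES/base64 decryption."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name not in ("powershell.exe", "pwsh.exe"):
            continue
        if "msiexec.exe" not in ancestors(e["pid"], by_pid):
            continue
        script = decode_encoded_command(e["cmdline"]) or e["cmdline"]
        if CRYPTO_HINTS.search(script) or ENCODED_ARG.search(e["cmdline"]):
            alerts.append({"pid": e["pid"], "reason": "msiexec->powershell staging", "script": script})
    return alerts


# Constructed sample telemetry (Sysmon event 1 style fields), not real campaign data.
_STAGE2 = ("$k=[Convert]::FromBase64String('AAAA');"
           "$a=[System.Security.Cryptography.Aes]::Create();"
           "$d=$a.CreateDecryptor($k,$k)")
_ENC = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
_BENIGN_ENC = base64.b64encode("Get-Date".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\victim\Downloads\notice.msi /qn"},
    {"pid": 4188, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc " + _ENC},
    # encoded command from an unrelated parent: not part of an MSI chain, so no alert
    {"pid": 5120, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + _BENIGN_ENC},
]

if __name__ == "__main__":
    for alert in find_msi_powershell_chains(SAMPLE_EVENTS):
        print(alert["pid"], alert["reason"], alert["script"][:60])
```

Decoding the -EncodedCommand blob before matching matters: the AES and base64 calls are invisible in the raw command line, and matching only on "-enc" would also fire on the unrelated encoded invocation in the sample.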



References :
  • Virus Bulletin: The Seqrite Labs APT team has uncovered new tactics of the Pakistan-linked SideCopy APT. The group has expanded its targets to include critical sectors such as railways, oil & gas, and external affairs ministries and has shifted from using HTA files to MSI packages.
  • www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
  • cyberpress.org: SideCopy APT Poses as Government Personnel to Distribute Open-Source XenoRAT Tool
  • gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
  • Cyber Security News: Pakistan-linked adversary group SideCopy has escalated its operations, employing new tactics to infiltrate crucial sectors.
  • beSpacific: Article on the new tactics of the Pakistan-linked SideCopy APT.
Classification:
  • HashTags: #APT #SideCopy #Cybersecurity
  • Company: Seqrite
  • Target: Indian government, defense, maritime sectors, oil, gas
  • Attacker: SideCopy
  • Feature: TTPs
  • Type: APT
  • Severity: Medium
@cyberscoop.com //
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.

Salt Typhoon exploited two Cisco IOS XE vulnerabilities, CVE-2023-20198 (a web UI privilege-escalation flaw that lets an unauthenticated attacker create a privilege-15 account) and CVE-2023-20273 (a command-injection flaw used to escalate from that account to root), to compromise devices that were still unpatched more than a year after Cisco released fixes in October 2023. The group attempted to compromise over 1,000 Cisco devices globally, focusing on those inside telecom networks. Salt Typhoon also targeted universities, including the University of California and Utah Tech, likely seeking access to research related to telecommunications and engineering.



References :
  • cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
  • Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
  • techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
  • www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
  • cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
  • Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
  • Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
  • PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
  • BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
  • industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
  • SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
  • Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
  • cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
Classification:
  • HashTags: #SaltTyphoon #CybersecurityThreats #TelecomAttacks
  • Company: Cisco
  • Target: Telecommunication Providers
  • Attacker: Salt Typhoon
  • Product: Cisco Routers
  • Feature: Vulnerabilities in Cisco devices (CVE-2023-20198, CVE-2023-20273)
  • Type: Hack
  • Severity: Major