CyberWire Daily – Detailed Summary of "China’s New Cyber Arsenal Revealed" [Research Saturday]
Release Date: April 26, 2025
Host: Dave Bittner
Guest: Crystal Morin, CyberSecurity Strategist from Sysdig
Research Focus: UNC5174's Evolution in China's Ongoing Cyber Warfare from Snowlight to V Shell
Introduction
In the April 26, 2025 episode of CyberWire Daily, hosted by Dave Bittner from N2K Networks, the focus is on unveiling China’s evolving cyber capabilities. Titled "China’s New Cyber Arsenal Revealed", this episode delves deep into the research conducted by Crystal Morin from Sysdig, spotlighting the threat actor group UNC5174 and their utilization of sophisticated tools like Snowlight and V Shell in ongoing cyber warfare efforts.
Understanding UNC5174: An Unconventional Threat Actor
At the outset, Crystal Morin provides an insightful analysis of the threat actor identified by Google's Mandiant Threat Group.
Crystal Morin [01:23]: "This threat actor was identified by Google's Mandiant Threat Group about a year ago. The interesting thing about this threat actor is they are not the typical Chinese nation state APT like you expect. They're not a government-sponsored entity."
Contrary to typical state-sponsored Advanced Persistent Threats (APTs), UNC5174 appears to operate independently or as a contractor for the Chinese government. Crystal elaborates:
Crystal Morin [02:33]: "Not someone who works for the government, he's just his own independent person. They perhaps reached out to this person and said, hey, we've seen what you're doing online. You're really great. Do you want to come and work for us and support our efforts?"
This dual motivation, espionage on behalf of the state and reselling access for personal profit, sets UNC5174 apart: a "double-dipping mercenary" who serves the Chinese government's interests and their own profiteering at the same time.
V Shell: A Stealthy Remote Access Tool
A significant portion of the discussion centers on V Shell, an advanced open-source Remote Access Tool (RAT) utilized by UNC5174.
Crystal Morin [04:57]: "Vshell is a fairly advanced open source tool... It allows for persistent access, command execution, data exfiltration... Vshell for this particular actor allowed a lot of stealth, the persistence for just prolonged access to these compromised networks."
Originally developed as a red team security tool, V Shell became a weapon when leaked to underground channels:
Crystal Morin [04:57]: "The developer actually abandoned it and removed V Shell from GitHub and from the web... but the binaries for V Shell were already in Telegram channels and they were leaked out toward the end of 2024."
Key features of V Shell include fileless execution and the use of WebSockets for Command and Control (C2), enhancing its stealth and making detection more challenging.
Snowlight Malware: Customizing the Cyber Arsenal
Another critical component discussed is Snowlight, customized malware integral to UNC5174's operations.
Crystal Morin [08:49]: "Snowlight is a custom malware... anytime we see the use of Snowlight, we can safely assume that it's probably being used by UNC5174."
Unlike open-source tools, Snowlight is unique to UNC5174, making it a reliable indicator of their activities. Its sophistication is evident in the way each deployment is slightly modified, complicating traditional IOC-based detection methods:
Crystal Morin [08:49]: "In this campaign we identified 40 different binaries so far associated with Snowlight... every deployment of the malware is slightly different."
Targeted Organizations and Geographical Focus
UNC5174's targeting strategy encompasses a diverse range of sectors and geographies:
Crystal Morin [13:41]: "This particular threat actor, we're seeing them target government agencies, educational institutions, non-governmental organizations, research facilities... mostly in the west, US and allies in Europe, and then a handful of organizations in Asia as well."
This broad targeting underscores the strategic intent behind UNC5174's campaigns, aiming to disrupt and extract valuable information from key institutions across multiple regions.
Defensive Strategies Against UNC5174
In addressing defenses, Crystal emphasizes the importance of behavior-based detection over traditional IOC methods:
Crystal Morin [14:23]: "Our threat research team wrote a detection analytic that is open source... if V Shell is deployed in your environment, then this detection alert should trigger for you."
She advises organizations to look for chained behaviors and engage in comprehensive investigations upon detecting indicators like V Shell, especially if they fall within the geographical focus or are part of targeted sectors.
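To make the contrast between static IOC matching and chained-behaviour detection concrete, here is an added example that is not Sysdig's open-source detection analytic and not code from the episode. The telemetry events are constructed, and the specific heuristics it uses for "fileless execution" (an executable image that exists only in memory) and "WebSocket C2" (an outbound connection that sends an HTTP `Upgrade: websocket` header), as well as the shell-spawn step, are assumptions chosen to illustrate the chaining idea rather than a description of how V Shell or Snowlight actually behave.

```python
"""Behaviour-chain detection versus hash-based IOC matching.

Added example (not Sysdig's detection rule, not code from the podcast).
Events and hashes below are constructed; the behaviour heuristics are
assumptions for illustration, not confirmed V Shell / Snowlight traits.
"""
from collections import defaultdict

# One "known bad" hash, as a traditional IOC feed would supply it (constructed).
KNOWN_BAD_SHA256 = {"a" * 64}

# Constructed telemetry for three hosts. Host A runs the binary whose hash is
# on the IOC list; host B runs a slightly rebuilt binary with a new hash but
# the same behaviour; host C is a legitimate app that merely uses WebSockets.
SAMPLE_EVENTS = [
    {"host": "A", "pid": 4242, "type": "exec", "image": "/memfd:payload (deleted)", "sha256": "a" * 64},
    {"host": "A", "pid": 4242, "type": "connect", "dst": "198.51.100.7:443", "http_headers": {"Upgrade": "websocket"}},
    {"host": "A", "pid": 4242, "type": "spawn", "child": "/bin/sh", "args": "-c id"},
    {"host": "B", "pid": 5151, "type": "exec", "image": "/memfd:payload (deleted)", "sha256": "b" * 64},
    {"host": "B", "pid": 5151, "type": "connect", "dst": "203.0.113.9:8443", "http_headers": {"Upgrade": "websocket"}},
    {"host": "B", "pid": 5151, "type": "spawn", "child": "/bin/bash", "args": "-c whoami"},
    {"host": "C", "pid": 777, "type": "exec", "image": "/usr/bin/node", "sha256": "c" * 64},
    {"host": "C", "pid": 777, "type": "connect", "dst": "192.0.2.10:443", "http_headers": {"Upgrade": "websocket"}},
]

# Assumed heuristics (illustrative, not vendor-confirmed behaviour).
FILELESS_MARKERS = ("/memfd:", "(deleted)")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh"}
# All three behaviours must be seen on the same process for an alert.
REQUIRED_CHAIN = frozenset({"fileless_exec", "websocket_c2", "shell_spawn"})


def is_fileless_exec(ev):
    """Process image that lives only in memory (memfd or unlinked file)."""
    return ev["type"] == "exec" and any(m in ev["image"] for m in FILELESS_MARKERS)


def is_websocket_connect(ev):
    """Outbound connection carrying an HTTP Upgrade: websocket header."""
    headers = ev.get("http_headers", {})
    return ev["type"] == "connect" and headers.get("Upgrade", "").lower() == "websocket"


def is_shell_spawn(ev):
    """Process spawns an interactive shell, i.e. command execution."""
    return ev["type"] == "spawn" and ev["child"] in SHELLS


def ioc_matches(events, bad_hashes=KNOWN_BAD_SHA256):
    """Traditional IOC detection: flag processes whose hash is on the list."""
    return [(ev["host"], ev["pid"]) for ev in events
            if ev["type"] == "exec" and ev.get("sha256") in bad_hashes]


def observed_behaviours(events):
    """Collect the set of behaviours seen per (host, pid)."""
    seen = defaultdict(set)
    for ev in events:
        key = (ev["host"], ev["pid"])
        if is_fileless_exec(ev):
            seen[key].add("fileless_exec")
        if is_websocket_connect(ev):
            seen[key].add("websocket_c2")
        if is_shell_spawn(ev):
            seen[key].add("shell_spawn")
    return seen


def behaviour_matches(events):
    """Behaviour-chain detection: alert only when the whole chain is present."""
    return [key for key, behaviours in observed_behaviours(events).items()
            if REQUIRED_CHAIN <= behaviours]


if __name__ == "__main__":
    print("IOC hits:      ", ioc_matches(SAMPLE_EVENTS))       # only host A
    print("Behaviour hits:", behaviour_matches(SAMPLE_EVENTS))  # hosts A and B
    print("Host C saw:    ", observed_behaviours(SAMPLE_EVENTS)[("C", 777)])
```

The hash-based matcher catches only host A, because host B's rebuilt binary has a different hash, which is the "every deployment is slightly different" problem from the Snowlight discussion. The chain matcher catches both, while host C, a legitimate program that happens to use WebSockets, is not flagged because it never completes the chain. Requiring the full chain is what keeps a behaviour rule from drowning analysts in alerts for one common behaviour on its own.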
Assessing the Sophistication of UNC5174
Crystal Morin rates UNC5174 as a highly sophisticated threat actor:
Crystal Morin [16:44]: "I would say this threat actor definitely took some steps to up their game... Snowlight malware is a custom malware... the WebSocket C2 is pretty uncommon... they're really thinking through from beginning to end of campaign."
This level of sophistication indicates a well-resourced and highly capable group, differentiating them from typical cybercriminal entities or less advanced threat groups.
Challenges of Persistence and Fileless Malware
The use of fileless malware like V Shell poses significant challenges for detection and removal:
Crystal Morin [19:55]: "It makes it difficult to track because there's no code execution that exists... it's harder to just write simple detection analytics to capture behavior happening in your environment."
Moreover, without identifying the initial access vector, remediating the threat becomes arduous, as the actors can potentially regain entry through the same vulnerabilities.
Conclusion and Recommendations
Crystal concludes by reiterating the necessity for organizations to stay informed through threat intelligence, engage with Information Sharing and Analysis Centers (ISACs), and implement comprehensive detection strategies that focus on behavior rather than solely on static indicators.
Crystal Morin [20:58]: "If you're staying up on threat intelligence and you're reading these kinds of reports, sharing with your friends and ISACs and things like that, then that's how you can mitigate this from happening in the future."
Key Takeaways
- UNC5174 operates with a dual motive of espionage and reselling access, making them a versatile and unpredictable threat.
- V Shell and Snowlight are central to their operations, offering persistent and stealthy access to compromised networks.
- The threat actor targets a wide array of organizations, primarily in the West and select regions in Asia, focusing on institutions critical to national and economic security.
- Effective defense against such sophisticated threats requires moving beyond traditional IOC-based detections to more nuanced, behavior-based analytics.
- Staying updated with threat intelligence and pursuing collaborative defense strategies are crucial in mitigating the risks posed by advanced threat actors like UNC5174.
Notable Quotes with Timestamps
- Crystal Morin [02:33]: "Not someone who works for the government, he's just his own independent person..."
- Crystal Morin [04:57]: "Vshell is a fairly advanced open source tool..."
- Crystal Morin [08:49]: "Snowlight is a custom malware..."
- Crystal Morin [16:44]: "I would say this threat actor definitely took some steps to up their game..."
- Crystal Morin [19:55]: "It makes it difficult to track because there's no code execution that exists..."
- Crystal Morin [20:58]: "If you're staying up on threat intelligence and you're reading these kinds of reports..."
This comprehensive summary encapsulates the critical discussions and insights shared during the episode, providing a clear understanding of the evolving cyber threats posed by China’s new cyber arsenal as revealed in Sysdig's research.