
CyberWire Daily
China’s new cyber arsenal revealed. [Research Saturday]
Apr 26, 2025
Crystal Morin, a Cybersecurity Strategist from Sysdig, dives into the complex world of UNC5174, a Chinese state-sponsored threat actor. She reveals their evolution from SNOWLIGHT to the sophisticated VShell RAT, showcasing a new array of cyber tools targeting Linux systems. Morin explains how their tactics blur attribution through domain squatting and fileless malware, posing serious risks to research institutions and critical infrastructure. This insightful discussion highlights the urgent need for robust cybersecurity measures amid escalating threats.
25:33
Podcast summary created with Snipd AI
Quick takeaways
- The emergence of independent contractors in state-sponsored cyber warfare complicates attribution and underscores dual motives of espionage and profit.
- The misuse of VShell, an open-source remote access tool, exemplifies the risk of security tools being exploited by cybercriminals.
Deep dives
The Rise of Contractor-Based Threat Actors
A significant point in the discussion is the emergence of independent contractors in state-sponsored cyber warfare, with a focus on an individual linked to the Chinese government. This actor operates autonomously, taking on espionage tasks while potentially reselling access to stolen data. The dual motives of espionage and financial gain mark a departure from traditional government-sponsored activity: the contractor exploits vulnerabilities for both national interests and personal profit. This dynamic shows how contractual arrangements complicate the attribution and understanding of malicious activity.