Malware Operating in Memory Disguises Itself, Evading Endpoint Detection

A Chinese state-sponsored hacking group has resumed its activities with a new campaign utilizing a memory-resident remote access Trojan (RAT) that successfully circumvents conventional detection mechanisms.
Operating under the name UNC5174, this threat actor has employed a new strategy involving the deployment of VShell, a sophisticated open-source RAT, through an altered version of its proprietary Snowlight malware. This method avoids creating files on disk, thereby complicating detection for traditional endpoint security solutions that depend primarily on file-based analysis.
According to Sysdig researchers, “The completely fileless execution of VShell represents a significant advancement for Chinese hacking groups. The binary is never written to disk; instead, it is directly downloaded into memory and executed in a manner that camouflages it as a legitimate process within the kernel.”
The campaign was first identified in January 2025 and specifically targets Linux-based systems. It initiates with a malicious bash script that deploys various payloads, including Snowlight and the Sliver post-exploitation toolkit. Snowlight serves as a dropper that loads VShell directly into memory via memfd_create, a Linux syscall meant for creating anonymous memory files. To further evade detection, the malware disguises itself as [kworker/0:2], simulating a kernel worker thread.
In contrast to standard command-and-control tactics that utilize HTTP or DNS protocols, VShell communicates using WebSockets. This bidirectional protocol operates over HTTPS, enhancing the stealthiness of the operation. The researchers highlighted that WebSockets provide encrypted, real-time communication, making it difficult for firewalls and intrusion detection systems to monitor.
“The utilization of WebSockets in VShell is both uncommon and highly effective,” Sysdig noted. “This communication channel not only encrypts all payloads but also blends with legitimate traffic, allowing UNC5174 to circumvent conventional defensive measures.”
The group’s operational infrastructure includes domain names designed to mimic prominent services like Cloudflare, Google, and Telegram, a method known as domain squatting. C2 servers associated with this campaign, such as vs.gooogleasia[.]com and apib.googlespays[.]com, leverage Google Compute Engine virtual machines, providing an additional layer of obfuscation.
UNC5174 is believed to operate as a state contractor for China, previously targeting Western governments, think tanks, and critical infrastructure sectors. Their motives appear twofold: gathering intelligence for the Chinese government and selling access to breached environments on underground markets. The degree of customization in this campaign is noteworthy; VShell is not simply a standalone tool but rather integrated with Snowlight to closely align with UNC5174’s unique tactics, techniques, and procedures, making replication by other actors more challenging.
Despite the complexity of this threat, Sysdig customers and users of the Falco open-source platform can detect VShell deployments using behavioral rules designed to flag memory-only execution and suspicious memory allocation patterns. These rules specifically monitor the invocation of memfd_create, fexecve, and large anonymous memory mappings typical of fileless malware.
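As an added example (not from the article, Sysdig or Falco), the same behavioral signals can be checked from /proc without an agent: a genuine kernel thread is a child of kthreadd (PID 2), has an empty cmdline, no exe link and no literal brackets in its comm, while an image executed from memfd_create shows up as an exe link beginning with /memfd:. The process records in SAMPLE are constructed, and the list of kernel-thread name prefixes and the /memfd: path convention are assumptions.

```python
"""Hunt for user-space processes masquerading as kernel threads or running from a memfd."""
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd
# Kernel worker names as the kernel writes them (no brackets: ps adds brackets
# only because real kernel threads have an empty cmdline). Prefix list is an assumption.
KTHREAD_RE = re.compile(r"^\[?(kworker|ksoftirqd|kswapd|migration|rcu_\w+)[/\w:.-]*\]?$")

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm
    cmdline: str   # /proc/<pid>/cmdline, NUL separators replaced by spaces
    exe: str       # readlink(/proc/<pid>/exe), "" when absent or unreadable

def suspicious(p: Proc) -> List[str]:
    """Return the reasons a process looks like fileless or masquerading malware."""
    reasons = []
    argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else p.comm
    if KTHREAD_RE.match(argv0) or KTHREAD_RE.match(p.comm):
        if p.ppid != KTHREADD_PID:
            reasons.append(f"kernel-thread name but parent is pid {p.ppid}, not kthreadd")
        if p.cmdline:
            reasons.append("kernel-thread name but non-empty cmdline")
        if p.exe:
            reasons.append(f"kernel-thread name but backed by executable {p.exe}")
        if "[" in p.comm:
            reasons.append("literal brackets in comm (ps adds these, the kernel does not)")
    if p.exe.startswith("/memfd:"):  # image created with memfd_create, never on disk
        reasons.append(f"executable image is an anonymous memfd: {p.exe}")
    return reasons

def hunt(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    return [(p.pid, r) for p in procs if (r := suspicious(p))]

def snapshot_proc() -> List[Proc]:
    """Collect live process records from /proc (Linux only)."""
    procs = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        pid = int(entry)
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            cmdline = open(f"/proc/{pid}/cmdline", "rb").read().replace(b"\0", b" ").decode(errors="replace").strip()
            ppid = int(open(f"/proc/{pid}/stat").read().rsplit(")", 1)[1].split()[1])
        except OSError:
            continue  # process exited while we were reading it
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        procs.append(Proc(pid, ppid, comm, cmdline, exe))
    return procs

SAMPLE = [  # constructed records, not taken from a real host
    Proc(18, 2, "kworker/0:2", "", ""),                                        # genuine kernel thread
    Proc(1337, 1, "[kworker/0:2]", "[kworker/0:2]", "/memfd:x (deleted)"),     # masquerading, memfd-backed
    Proc(2201, 1, "nginx", "nginx: worker process", "/usr/sbin/nginx"),       # ordinary daemon
]

if __name__ == "__main__":
    for pid, reasons in hunt(snapshot_proc() if os.path.isdir("/proc") else SAMPLE):
        print(pid, "; ".join(reasons))
```

Running it on the constructed SAMPLE flags only PID 1337, with five separate reasons; on a live Linux host it walks /proc instead.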
The UNC5174 campaign remains active, with new indicators of compromise and spoofed domains continuing to emerge. Security teams are advised to maintain vigilance against suspicious domains, unusual memory usage patterns, and stealthy service installations in Linux environments.