{"id":7543,"date":"2025-04-15T10:02:42","date_gmt":"2025-04-15T15:02:42","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=84180"},"modified":"2025-04-15T10:02:42","modified_gmt":"2025-04-15T15:02:42","slug":"chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/04\/15\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions\/","title":{"rendered":"Chinese espionage group leans on open-source tools to mask intrusions"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Chinese espionage group leans on open-source tools to mask intrusions | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/chinese-espionage-group-unc5174-open-source-tools\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Chinese espionage group leans on open-source tools to mask intrusions\"> <meta property=\"og:description\" content=\"Sysdig researchers say UNC5174\u2019s use of open-source tools like VShell and WebSockets has likely helped the group mask its presence in other campaigns.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/chinese-espionage-group-unc5174-open-source-tools\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-04-15T15:02:42+00:00\"> <meta property=\"article:modified_time\" content=\"2025-04-15T15:02:45+00:00\"> <meta name=\"author\" 
content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1742994400g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1744125154g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1740691656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=a815169637cf454b7376\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/84180\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=84180\">\n<link 
rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fchinese-espionage-group-unc5174-open-source-tools%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fchinese-espionage-group-unc5174-open-source-tools%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-84180 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/chinese-espionage-group-unc5174-open-source-tools\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" 
height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.923340961098\">\n<div class=\"single-article__header-content\" readability=\"33.781990521327\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/chinese-espionage-group-unc5174-open-source-tools\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Sysdig researchers say UNC5174\u2019s use of open-source tools like VShell and WebSockets has likely helped the group mask its presence in other campaigns. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/84180\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"450\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions.jpg?resize=640%2C450&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg 2065w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg?resize=300,211 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg?resize=768,540 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg?resize=1024,720 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg?resize=1536,1080 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg?resize=2048,1440 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg?resize=600,422 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg?resize=239,168 239w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg?resize=479,337 479w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg?resize=960,675 960w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-2.jpg?resize=1199,843 1199w\" sizes=\"(max-width: 960px) 100vw, 960px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"48.728651568668\"><body readability=\"98.259467040673\"><\/p>\n<p>A Chinese state-sponsored hacking group has been observed using recently released open-source offensive security tools and other tactics in an effort to blend in with more common cybercriminal activity.<\/p>\n<p>The group, UNC5174, is an espionage-minded hacking group that is believed to have ties to the Chinese government and targets Western governments, technology companies, research institutions and think tanks.<\/p>\n<p>In a new campaign <a href=\"https:\/\/sysdig.com\/blog\/unc5174-chinese-threat-actor-vshell\/\">observed<\/a> by researchers at Sysdig, the group was seen using VShell \u2014 an open-source Remote Access Trojan made by a Chinese developer and popular among Chinese cybercriminals \u2014 to carry out post-exploitation activity.<\/p>\n<p>They were also spotted using WebSockets \u2014 a set of open-source communication protocols \u2014 to communicate with command-and-control infrastructure, masking much of its malicious traffic through encrypted transmissions.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>This was apparently effective, as Sysdig threat research engineer Alessandra Rizzo noted that \u201cour runtime capture confirms that, except for a few random words, we found nothing of note in the network traffic once the connection was 
upgraded to a WebSocket.\u201d<\/p>\n<p>The observed behavior aligns with a broader trend researchers are seeing, with more advanced and state-sponsored threat actors forgoing bespoke tooling in favor of open-source or cheaper tools used by \u201cscript kiddies,\u201d or less technically skilled cybercriminals.<\/p>\n<p>This approach \u201cseems to hold especially true for this particular threat actor, who has been under the radar for the last year since being affiliated with the Chinese government,\u201d Rizzo wrote. It\u2019s also notable because \u201cnearly all\u201d of UNC5174\u2019s tooling observed until the past year had been custom-built and \u201cnot easily-copied.\u201d<\/p>\n<p>UNC5174 was seen using both VShell and WebSockets as recently as January, even as the group continued to rely on custom malware for post-exploitation while targeting Linux-based systems.<\/p>\n<p>Indeed, one of the calling cards of UNC5174 is the use of SNOWLIGHT, a malware family <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/initial-access-brokers-exploit-f5-screenconnect\">first identified<\/a> by researchers at Mandiant that acts in tandem with VShell to deploy fileless malware on victim systems.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In this latest campaign, the actors use a payload called \u201cdnsloger\u201d that is part of the SNOWLIGHT family. 
They took actions that reflected in-depth knowledge of Linux-based operating systems, including methods for maintaining persistence, defense evasion, and injection techniques.<\/p>\n<p>It\u2019s not clear how UNC5174 is obtaining initial access to victim systems, but included among the artifacts discovered by Sysdig researchers are a number of command-and-control domains that suggest that typosquatted website domains and phishing tactics were used.<\/p>\n<p>The findings align with other recently reported activity around UNC5174.<\/p>\n<p>In 2024, the French Cybersecurity Agency ANSSI <a href=\"https:\/\/www.cert.ssi.gouv.fr\/uploads\/CERTFR-2025-CTI-004.pdf\">observed<\/a> an attacker using the same tactics, techniques and procedures as UNC5174\u2019s exploitation of vulnerabilities in Ivanti\u2019s Cloud Service Appliance product, giving them remote code execution privileges on infected machines. That attack included the use of a zero-day flaw (CVE-2024-8190) days before Ivanti published a security advisory.<\/p>\n<p>But further investigation of infected victims by the agency found that the group had used a \u201ccommon intrusion set\u201d to gain initial access, and suggested that UNC5174 may have been selling its access to the highest bidder.<\/p>\n<p>\u201cModerately sophisticated and discreet, this intrusion set is characterised by the use of intrusion tools largely available as open source and by the \u2014 already publicly reported \u2014 use of a rootkit code,\u201d the agency wrote. 
\u201cPost-exploitation activities do nevertheless differ from one incident to the next, which supports the hypothesis of an intrusion set being used as a means to secure initial access points, to then be sold off or entrusted to other operators.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Rizzo wrote that UNC5174\u2019s use of open-source tools like VShell and WebSockets has likely helped the group mask its presence in other, yet-to-be discovered campaigns.<\/p>\n<p>\u201cThe lack of public documentation on VShell being employed by this threat actor is telling, as the evidence we have gathered shows that this campaign has been active since at least November 2024,\u201d Rizzo noted.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.6779026217228\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/chinese-espionage-group-leans-on-open-source-tools-to-mask-intrusions-1.jpg?w=640&#038;ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/chinese-espionage-group-unc5174-open-source-tools\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Chinese espionage group leans on open-source tools to mask 
intrusions<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4143,271,282,659,2974,4144],"tags":[4145,277,286,660,2976,4146],"class_list":["post-7543","post","type-post","status-publish","format-standard","hentry","category-anssi","category-china","category-cybercrime","category-remote-access-trojan","category-sysdig","category-unc5174","tag-anssi","tag-china","tag-cybercrime","tag-remote-access-trojan","tag-sysdig","tag-unc5174"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/anssi\/\" rel=\"category tag\">ANSSI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/remote-access-trojan\/\" rel=\"category tag\">Remote Access Trojan<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sysdig\/\" rel=\"category tag\">sysdig<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unc5174\/\" rel=\"category 
tag\">UNC5174<\/a>","tag_info":"UNC5174","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7543"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7543\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}