UNC5174 is a China-nexus threat actor, tracked under that name by Mandiant and assessed by several security firms, including Mandiant, Sysdig, and HivePro, to operate on behalf of the Chinese government, most likely as a contractor for the Ministry of State Security (MSS). The group conducts cyber espionage intrusions and has been publicly tracked since at least 2023.
Key Characteristics
• Targets: UNC5174 primarily targets Western countries such as the United States, Canada, and the United Kingdom, as well as organizations in the Asia-Pacific region. Victims include research institutions, government agencies, think tanks, technology companies, non-governmental organizations (NGOs), and critical infrastructure sectors such as energy, defense, and healthcare.
• Motivations: The group’s main objectives are espionage and intelligence collection, often prioritizing long-term persistence over destructive actions. There is also evidence that UNC5174 acts as an initial access broker, selling or brokering access to compromised environments to other actors.
Tactics, Techniques, and Procedures (TTPs)
• Initial Access: UNC5174 gains its foothold by exploiting vulnerabilities in internet-facing appliances and remote-support software. Mandiant has attributed to the group exploitation of F5 BIG-IP (CVE-2023-46747, an authentication bypass in the configuration utility) and ConnectWise ScreenConnect (CVE-2024-1709, an authentication bypass) shortly after those flaws became public.
• Persistence: Once on a host, the group deploys backdoors such as SNOWLIGHT and VShell that keep an outbound connection to attacker-controlled infrastructure, giving long-term access that can be used for collection or resold to other actors.
• Custom and Open-Source Tools: UNC5174 has used custom malware such as SNOWLIGHT (a downloader that stages a fileless second-stage payload) and GOHEAVY (a Go-based tunneler), alongside open-source tooling such as SUPERSHELL (a C2 framework) and VShell (a remote access trojan popular among Chinese-speaking cybercriminals). Infrastructure attributed to the group, listed below, also includes GOREshell C2 servers, a ShadowPad C2 server, and hosts tied to the PurpleHaze cluster.
• Defense Evasion: The group relies on living-off-the-land techniques and encrypted C2 channels, often WebSockets over HTTPS on TCP 443, so its traffic resembles ordinary browser and API sessions and is hard to single out without indicator matching or behavioral baselines.
• Domain Impersonation: UNC5174 uses domain squatting and impersonation (e.g., spoofing Cloudflare, Telegram, and Google domains) for phishing and social engineering.
Associated IP addresses
The domain in this list is defanged (sex666vr[.]com); the IP addresses can be matched as-is against proxy, firewall, or NetFlow data.
IP address | Context |
34.91.68.192 | Resolved from C2 domain sex666vr[.]com |
45.13.199.209 | Exfiltration IP address |
65.38.120.110 | ShadowPad C2 server |
103.30.76.206 | SNOWLIGHT handshake (TCP 443) |
103.248.61.36 | Malware hosting |
107.173.111.26 | GOREshell C2 server |
118.140.151.242 | Owning network: HGC Global Communications Limited (role not stated) |
128.199.124.136 | C2 server |
142.93.212.42 | Suspected PurpleHaze infrastructure |
142.93.214.219 | GOREshell C2 server |
143.244.137.54 | Suspected PurpleHaze infrastructure |
172.245.68.110 | SUPERSHELL C2 |
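A worked check, added for this page and not tooling from Mandiant, Sysdig, SentinelLabs or any other vendor cited above: the script below loads the indicators from the table, re-fangs the defanged domain, and scans connection-log lines for three things: hits on the listed IPs or domain, brand-lookalike hostnames of the kind described under Domain Impersonation, and WebSocket upgrades over 443 to a peer that is already suspect. The tab-separated log format, the sample lines (benign hosts use 192.0.2.0/24 documentation addresses), and the per-brand list of legitimate apex domains are assumptions made for the example.

```python
"""Added example: match the UNC5174 indicators from this page against sample
connection logs. Not vendor code; log format, sample lines and the brand-squat
heuristic are constructed assumptions. Indicators come from the table above."""
import csv
import io
from typing import Optional

# Indicators copied from the page's "Associated IP addresses" table.
UNC5174_IPS = {
    "34.91.68.192": "resolved from C2 domain sex666vr[.]com",
    "45.13.199.209": "exfiltration IP address",
    "65.38.120.110": "ShadowPad C2 server",
    "103.30.76.206": "SNOWLIGHT handshake (TCP 443)",
    "103.248.61.36": "malware hosting",
    "107.173.111.26": "GOREshell C2 server",
    "118.140.151.242": "HGC Global Communications Limited (role not stated)",
    "128.199.124.136": "C2 server",
    "142.93.212.42": "suspected PurpleHaze infrastructure",
    "142.93.214.219": "GOREshell C2 server",
    "143.244.137.54": "suspected PurpleHaze infrastructure",
    "172.245.68.110": "SUPERSHELL C2",
}
UNC5174_DOMAINS = {"sex666vr[.]com": "C2 domain"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (sex666vr[.]com) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


# Brands the page says UNC5174 impersonates, mapped to apex domains treated as
# legitimate. Assumption: any other hostname carrying the brand token is suspect.
BRAND_APEX = {
    "cloudflare": ("cloudflare.com", "cloudflare.net"),
    "telegram": ("telegram.org", "t.me"),
    "google": ("google.com", "googleapis.com", "gstatic.com"),
}


def brand_squat(host: str) -> Optional[str]:
    """Return the impersonated brand token if host carries it outside its apex."""
    h = host.lower().rstrip(".")
    for token, apexes in BRAND_APEX.items():
        if token in h and not any(h == a or h.endswith("." + a) for a in apexes):
            return token
    return None


# Constructed sample log: tab-separated, one connection per line. 'upgrade' is
# the HTTP Upgrade header value seen on the connection ('-' if none).
SAMPLE_LOG = """\
ts\tsrc\tdst\tdport\thost\tupgrade
1712000001\t10.0.0.5\t103.30.76.206\t443\t-\t-
1712000002\t10.0.0.5\t192.0.2.10\t443\twww.google.com\t-
1712000003\t10.0.0.7\t34.91.68.192\t443\tsex666vr.com\twebsocket
1712000004\t10.0.0.9\t192.0.2.44\t443\tcloudflare-cdn-update.xyz\twebsocket
1712000005\t10.0.0.9\t192.0.2.45\t443\tcdnjs.cloudflare.com\t-
"""


def scan(log_text: str) -> list:
    """Return one finding per log line that touches an indicator or a squat."""
    ioc_domains = {refang(d): why for d, why in UNC5174_DOMAINS.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        reasons = []
        if row["dst"] in UNC5174_IPS:
            reasons.append(f"ioc_ip: {UNC5174_IPS[row['dst']]}")
        host = row["host"].lower()
        if host in ioc_domains:
            reasons.append(f"ioc_domain: {ioc_domains[host]}")
        token = brand_squat(host) if host != "-" else None
        if token:
            reasons.append(f"brand_squat: {token}")
        # WebSocket over 443 is only flagged when the peer is already suspect;
        # on its own it blends with legitimate traffic, as the page notes.
        if reasons and row["upgrade"].lower() == "websocket" and row["dport"] == "443":
            reasons.append("websocket_over_443_to_suspect_peer")
        if reasons:
            findings.append({"ts": row["ts"], "src": row["src"], "dst": row["dst"],
                             "host": row["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["src"], "->", f["dst"], f["host"], "; ".join(f["reasons"]))
```

Run against the embedded sample, the scan flags the SNOWLIGHT handshake peer, the sex666vr[.]com session (IP, domain and WebSocket upgrade), and the cloudflare-lookalike host, while leaving the genuine Google and Cloudflare sessions alone. The WebSocket condition is deliberately conjunctive: alerting on every wss session over 443 would drown a SOC, so it only adds weight to a peer that already matched an indicator or a squat.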