Malware Hides in Memory, Evades Detection by Endpoint Tools

A Chinese state-backed hacking group has resumed operations after roughly a year of silence, launching a campaign that uses a memory-only remote access Trojan to evade traditional, file-based detection.
The threat actor, tracked as UNC5174, has adopted a new tactic: deploying VShell, a powerful open-source remote access Trojan, through a modified version of its custom Snowlight malware, according to a report by Sysdig researchers. Because the VShell payload is never written to disk, endpoint security tools that rely on scanning files have nothing to inspect.
“VShell’s completely fileless execution is a game changer for Chinese threat actors,” Sysdig researchers said. “The binary never touches disk, it’s downloaded directly into memory and executed in a way that disguises it as a legitimate kernel process.”
First observed in late January 2025, the campaign targets Linux-based systems and begins with a malicious bash script that delivers multiple payloads, including Snowlight and the Sliver post-exploitation toolkit.
Snowlight acts as a dropper, loading VShell directly into memory using memfd_create, a Linux system call that creates an anonymous, memory-backed file descriptor which can then be executed without a path on disk. The resulting process disguises itself as [kworker/0:2], mimicking a kernel worker thread to remain under the radar.
Unlike traditional command-and-control methods that use HTTP or DNS, VShell communicates over WebSockets, a bidirectional protocol negotiated through an HTTP upgrade and, in this campaign, carried inside a TLS session, which makes the traffic look like an ordinary HTTPS connection. The researchers said WebSockets give the operators encrypted, real-time communication that firewalls and intrusion detection systems find difficult to inspect.
“The use of WebSockets in VShell is rare and extremely effective,” Sysdig said. “This channel not only encrypts all payloads but also blends into legitimate traffic, allowing UNC5174 to bypass traditional defenses.”
The group’s infrastructure includes lookalike domain names that mimic well-known services such as Cloudflare, Google and Telegram, a tactic commonly called typosquatting. This campaign’s C2 servers, such as vs.gooogleasia[.]com and apib.googlespays[.]com, are hosted on Google Compute Engine virtual machines, so the connections also blend in with legitimate traffic to Google cloud infrastructure.
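The two indicators above are written defanged, and both impersonate a brand by padding or misspelling its name inside the registrable domain. The following is an added example, not code from the Sysdig report, that refangs an indicator, approximates the registrable domain as the last two labels (an assumption that is wrong for ccSLDs such as .co.uk), and flags a label that contains a brand name or a one-edit variant of it. The BRANDS tuple and LEGITIMATE allowlist are constructed for the example.

```python
"""Flag hostnames whose registrable domain impersonates a known brand.

Added example (not the report's code). BRANDS and LEGITIMATE are constructed
for illustration; a production check would use a real public-suffix list and
an organisation-specific allowlist.
"""
from __future__ import annotations

BRANDS = ("google", "cloudflare", "telegram")
LEGITIMATE = {"google.com", "cloudflare.com", "telegram.org"}  # constructed allowlist


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions ([.] and hxxp)."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption)."""
    labels = refang(host).lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, iterative two-row form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def contains_brand(label: str, brand: str, max_edits: int = 1) -> bool:
    """Slide windows of the brand's length +/- 1 over the label and accept a
    window within max_edits of the brand ('gooogle' is one edit from 'google')."""
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(max(1, len(label) - width + 1)):
            if edit_distance(label[start:start + width], brand) <= max_edits:
                return True
    return False


def lookalike_brand(host: str) -> str | None:
    """Return the impersonated brand, or None for legitimate/unrelated hosts."""
    domain = registrable_domain(host)
    if domain in LEGITIMATE:
        return None
    label = domain.split(".")[0]
    for brand in BRANDS:
        if contains_brand(label, brand):
            return brand
    return None


if __name__ == "__main__":
    for ioc in ("vs.gooogleasia[.]com", "apib.googlespays[.]com", "mail.google.com"):
        print(ioc, "->", lookalike_brand(ioc))
```

The one-edit window is deliberately loose: it catches inserted, dropped and substituted letters at the cost of some false positives, which is the right trade-off for a hunting query but not for an automatic block.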
UNC5174 is believed to be a Chinese government contractor that previously targeted Western governments, think tanks and critical infrastructure organizations. The group’s motivations appear twofold: intelligence gathering for the Chinese state and selling access to compromised environments on underground markets.
The campaign is notable for its high degree of customization. VShell isn’t deployed as a standalone tool; it integrates tightly with Snowlight and is tailored to UNC5174’s tactics, techniques and procedures. Researchers believe this reduces the likelihood of replication by other threat actors and makes attribution harder.
“This actor isn’t just using off-the-shelf tools. They’re modifying open-source malware to create a hybrid attack chain that’s nearly invisible,” Sysdig said. “That’s what makes them dangerous.”
Despite the sophistication, Sysdig’s customers and Falco open-source users can detect VShell deployments using behavioral rules that monitor for memory-only execution and suspicious memory allocations. These include rules that flag usage of memfd_create, fexecve and large anonymous memory mappings that are typical of fileless malware.
The UNC5174 campaign is active, with new indicators of compromise and spoofed domains still surfacing. Security teams are advised to monitor for suspicious domains, anomalous memory usage patterns and stealthy service installations across Linux environments.