Cybersecurity researchers have uncovered a significant evolution in the tactics of the Chinese threat group UNC5174, which has incorporated a new open-source tool and command-and-control (C2) infrastructure into its malicious operations. The group, known for targeting government institutions and critical infrastructure across Southeast Asia and North America, has expanded its arsenal with a modified version of an open-source remote access tool that enables persistent access to compromised networks while evading traditional detection methods.

The group’s recent attacks have primarily targeted organizations in the telecommunications, defense, and energy sectors, with initial access typically gained through spear-phishing emails containing malicious Microsoft Office documents or through exploitation of unpatched public-facing applications. Sysdig researchers identified the malware during routine threat hunting operations, noting that the group had implemented several novel obfuscation techniques designed to bypass modern endpoint protection platforms. However, this latest campaign marks a strategic shift toward leveraging and modifying publicly available tools, a trend increasingly observed among sophisticated threat actors seeking to blend their activities with legitimate network traffic.

The malware utilizes a modified version of the open-source Sliver framework, which has been customized with additional modules for credential harvesting, keylogging, and screen capture. Security teams have observed the threat actors moving laterally through networks, harvesting credentials, and establishing multiple persistence mechanisms to ensure continued access even after initial remediation efforts. Analysis of the malware samples revealed that UNC5174 had established a robust infrastructure including multiple redundant C2 servers across Eastern Europe and Southeast Asia, significantly expanding its operational resilience compared to previous campaigns.

Most notably, UNC5174 has implemented a novel anti-analysis feature that detects virtualized environments by measuring subtle timing differences in CPU operations, allowing the malware to remain dormant while under analysis in security sandboxes. This evasion technique, combined with the group’s expanded infrastructure, presents significant challenges for defenders attempting to identify and mitigate this threat.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Apr 2025 08:45:11 +0000