UNC5174 / Chinese eCrime-Espionage

UNC5174 / Chinese eCrime-Espionage (also known as UNC5174, uteus (forum alias)) is a state-sponsored advanced persistent threat group attributed to China, active since 2024. The group primarily targets US/UK defense, research institutions, Asian governments sectors.

Overview & Attribution

Chinese threat actor blending espionage with cybercrime, exploiting Ivanti, F5, and Atlassian vulnerabilities using open-source C2 frameworks to target defense and research institutions.

Threat Assessment

UNC5174 has been active since 2024, attributed to China. The group is known for targeting US/UK defense, research institutions, Asian governments using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.

Attribution: China
Active since: 2024
Primary targets: US/UK defense, research institutions, Asian governments
Also known as: UNC5174, uteus (forum alias)

Arsenal & Tools

UNC5174 employs a diverse arsenal of custom and shared tooling:

SNOWLIGHT: Custom/shared tooling used in operations
VShell: Custom/shared tooling used in operations
GOREVERSE: Custom/shared tooling used in operations
Sliver: Custom/shared tooling used in operations
SUPERSHELL: Custom/shared tooling used in operations

Targeting & Operations

The group focuses on US/UK defense, research institutions, Asian governments sectors, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.

Operational Pattern

UNC5174 is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.

MITRE ATT&CK Mapping

Tactic	Technique	Usage
Initial Access	T1190 Exploit Public-Facing App	Ivanti/F5/Confluence zero-days
Execution	T1059.004 Unix Shell	Bash-based payloads
Persistence	T1053.003 Cron	Cron job persistence
Defense Evasion	T1036 Masquerading	Open-source tool disguise
C2	T1572 Protocol Tunneling	VShell/Sliver tunneling
C2	T1071.001 Web Protocols	HTTPS C2

Notable Campaigns

UNC5174 has been linked to multiple significant campaigns targeting US/UK defense, research institutions, Asian governments organizations. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.

Long-term espionage: Multi-year intrusions into government and defense networks
Supply chain targeting: Compromise of technology providers and managed service providers
Zero-day exploitation: Use of previously unknown vulnerabilities for initial access

Detection & Defense

Threat intelligence integration: Monitor for known UNC5174 IOCs and TTPs in SIEM/EDR platforms
Network monitoring: Detect C2 patterns associated with SNOWLIGHT and related tooling
Email security: Implement advanced phishing detection for spearphishing campaigns
Endpoint detection: Deploy behavioral detection rules for known UNC5174 TTPs
Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage

Defend Against UNC5174

Mjolnir Security provides specialized capabilities to detect and respond to UNC5174 operations.

APT DetectionThreat HuntingIncident ResponseMDR ServicesThreat Intelligence

APT Threat Hunting Proactive hunting for UNC5174 TTPs, tooling artifacts, and infrastructure indicators within your environment.
Threat Intelligence Continuous monitoring of UNC5174 campaigns and infrastructure changes with actionable intelligence for your defense team.
24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.

Written by: Mjolnir Security  |  Published: January 10, 2026