Malware Hides in Memory, Evades Detection by Endpoint Tools
April 15, 2025 By Prajeet Nair
A Chinese state-backed hacking group has relaunched its operations after a year of silence with a campaign that uses a memory-only remote access Trojan to evade traditional detection mechanisms.
The threat actor, tracked as UNC5174, adopted a new tactic that involves deploying VShell, a powerful open-source remote access Trojan, through a modified version of its custom Snowlight malware, according to a report by Sysdig researchers. This approach avoids writing files to disk, which makes detection difficult for endpoint security tools that rely on file-based scanning.
"VShell's completely fileless execution is a game changer for Chinese threat actors," Sysdig researchers said. "The binary never touches disk; it's downloaded directly into memory and executed in a way that disguises it as a legitimate kernel process."
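A defender-side check for the two traits described above (an executable that lives only in memory, and a user process posing as a kernel thread), written as an added example for this article rather than code from Sysdig's report. It assumes a Linux host and assumes the in-memory loader uses `memfd_create()`, which leaves `/proc/<pid>/exe` pointing at a `/memfd:... (deleted)` pseudo-path; real kernel threads have no `exe` link and an empty `cmdline`, so a kernel-style name with either of those present is a masquerade indicator.

```python
import os
import re
from dataclasses import dataclass

# Names real Linux kernel threads use; a userland process wearing one as its
# "comm" while still having an exe link or a cmdline is masquerading.
KERNEL_THREAD_NAME = re.compile(r"^(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd)")

@dataclass
class ProcInfo:
    pid: int
    comm: str      # contents of /proc/<pid>/comm
    exe: str       # readlink(/proc/<pid>/exe), "" when absent (kernel threads)
    cmdline: str   # /proc/<pid>/cmdline with NUL separators turned into spaces

def classify(p: ProcInfo) -> list[str]:
    """Return the indicators that make this process look fileless or disguised."""
    hits = []
    # memfd_create()+execve leaves an exe link like "/memfd:x (deleted)": the
    # binary exists only in anonymous memory, so file-based scanners never see it.
    if p.exe.startswith("/memfd:"):
        hits.append("exe backed by anonymous memory (memfd)")
    elif p.exe.endswith(" (deleted)"):
        hits.append("exe unlinked from disk after start")
    if KERNEL_THREAD_NAME.match(p.comm) and (p.exe or p.cmdline):
        hits.append("kernel-thread name on a userland process")
    return hits

def read_proc(pid: int) -> ProcInfo:
    base = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:          # kernel threads (and pids we are not allowed to inspect)
        exe = ""
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    return ProcInfo(pid, comm, exe, cmdline)

def scan_live_host() -> dict[int, list[str]]:
    # Walk /proc and return {pid: indicators} for every flagged process.
    findings = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                hits = classify(read_proc(int(name)))
            except OSError:  # process exited mid-scan
                continue
            if hits:
                findings[int(name)] = hits
    return findings
```

Run `scan_live_host()` with root privileges so every process's `exe` link is readable; unprivileged runs silently treat other users' processes as having no `exe`, which hides the memfd indicator.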