SNOWLIGHT (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

SNOWLIGHT

Actor(s): UNC5174

According to sysdig, SNOWLIGHT is used as a dropper for its fileless payload (vshell).

2025-05-13 ⋅ EclecticIQ ⋅ Arda Büyükkaya
China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
KrustyLoader SNOWLIGHT Vshell

2025-04-15 ⋅ sysdig ⋅ Alessandra Rizzo
UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell
SNOWLIGHT Sliver Vshell

2024-03-21 ⋅ Mandiant ⋅ Adam Aprahamian, Austin Larsen, Dan Kelly, Marcin Siedlarz, Mathew Potaczek, Michael Raggi
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
GOREVERSE SNOWLIGHT

There is no Yara-Signature yet.