elf.snowlight

SNOWLIGHT

Actor(s): UNC5174


According to Sysdig, SNOWLIGHT is used as a dropper for its fileless payload (vshell).

References
2025-05-13, EclecticIQ, Arda Büyükkaya
China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
KrustyLoader, SNOWLIGHT, Vshell

2025-04-15, Sysdig, Alessandra Rizzo
UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell
SNOWLIGHT, Sliver, Vshell

There is no Yara-Signature yet.