elf.snowlight

SNOWLIGHT

Actor(s): UNC5174


According to Sysdig, SNOWLIGHT is used as a dropper for its fileless payload, VShell.

References

2025-05-13 | EclecticIQ | Arda Büyükkaya
  China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
  Tags: KrustyLoader, SNOWLIGHT, Vshell

2025-04-15 | Sysdig | Alessandra Rizzo
  UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell
  Tags: SNOWLIGHT, Sliver, Vshell

2024-03-21 | Mandiant | Adam Aprahamian, Austin Larsen, Dan Kelly, Marcin Siedlarz, Mathew Potaczek, Michael Raggi
  Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
  Tags: GOREVERSE, SNOWLIGHT

There is no YARA signature yet.