UNC5174
UNC5174 is a China-nexus threat actor assessed by multiple vendors as an initial-access-focused operator or contractor with ties to China's Ministry of State Security (MSS). Known aliases include Uteus, Uetus, CL-STA-1015, and Houken; ANSSI reported that it suspects the Houken intrusion set is operated by the same actor previously described by Mandiant as UNC5174. Cisco Talos described UNC5174 as an opportunistic initial access group, and Mandiant assessed with moderate confidence that it is a former member of Chinese hacktivist collectives using the persona Uteus. Talos further noted that the persona Uetus is suspected to be a former member of Teng Snake, also known as Xiaoqiying or Genesis Day.

The actor appears primarily focused on obtaining and transferring access. Mandiant reported UNC5174 attempting to sell access to compromised U.S. defense contractor appliances, UK government entities, and institutions in Asia in late 2023. Talos stated that in 2023 UNC5174 targeted organizations in North America, the United Kingdom, Australia, and Southeast Asia by exploiting known internet-facing vulnerabilities, then monetized and transferred that access to state-sponsored groups that conducted longer-term espionage. Reporting also describes UNC5174 as targeting Western countries including the United States, the United Kingdom, and Canada. Observed targeting includes U.S. and UK government organizations, Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and NGOs, and institutions in Asia. Additional reporting links UNC5174 or the related Houken intrusion set to attacks against governmental, telecommunications, media, finance, and transport sectors in France, as well as active exploitation of SAP NetWeaver and React/Next.js environments.
UNC5174 has been observed exploiting multiple public-facing vulnerabilities, including CVE-2023-46747 in F5 BIG-IP TMUI, CVE-2024-1709 in ConnectWise ScreenConnect, CVE-2023-22518 in Atlassian Confluence, CVE-2022-0185 in the Linux kernel, CVE-2022-30525 in Zyxel firewalls, vulnerabilities in Ivanti Cloud Services Appliance devices used in the Houken campaign, and SAP NetWeaver flaws including CVE-2025-31324. Reporting also states that UNC5174 actively exploited React2Shell (CVE-2025-55182). NVISO additionally determined with confidence during incident response that UNC5174 triggered exploitation of CVE-2025-41244, a VMware guest service discovery local privilege escalation flaw. Tradecraft includes aggressive scanning for vulnerable internet-facing systems, reconnaissance, web application fuzzing, attempted theft of AWS configuration and credential files, installation of downloaders, and use of both bespoke and open-source tooling for persistence and follow-on access. Exposed attacker bash history reportedly showed extensive reconnaissance and scanning activity against prominent universities in the U.S., Oceania, and Hong Kong, and identified think tanks in the U.S. and Taiwan as strategic targets.

Malware and tooling associated with UNC5174 include SNOWLIGHT, VShell, Sliver, Goreverse, Cobalt Strike beacons, and the SUPERSHELL framework. Multiple sources state that UNC5174 used SNOWLIGHT as a stager/downloader to retrieve VShell and Sliver; EclecticIQ also reported a multi-stage chain involving SNOWLIGHT, VShell, and the SSH backdoor Goreverse on SAP NetWeaver systems. Unit 42 and other reporting linked UNC5174 to deployment of SNOWLIGHT and VShell during exploitation of React2Shell. IIJ reported observing a Windows version of SNOWLIGHT used by UNC5174 in October 2025, whereas earlier SNOWLIGHT activity had been mostly Linux-based.
NVISO noted that some VShell intrusions have been publicly attributed to UNC5174, while also cautioning that VShell use is not exclusive to this actor. Overall, the available reporting consistently characterizes UNC5174 as a PRC-linked, MSS-associated access operator that exploits exposed edge and enterprise applications at scale, establishes footholds with lightweight loaders and remote access tooling, and in some cases brokers or transfers that access for downstream espionage operations.
Targeting
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇬🇧 United Kingdom
- 🇦🇺 Australia
Associated vulnerabilities
12 CVEs this actor has used in observed campaigns, all 12 of them exploited in the wild. Evidence excerpts from the underlying reporting:
On December 5, 2025, just two days after the public disclosure of CVE-2025-55182 – a maximum-severity remote code execution vulnerability in React Server Components (RSCs) – the Sysdig Threat Research Team (TRT) recovered a novel implant from a compromised Next.js application.
CVE-2025-41244 is a local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools... untrusted search path weakness (CWE-426)... actively exploited in the wild since at least mid-October 2024 by the China-linked threat actor UNC5174... Broadcom... issued patches in VMSA-2025-0015 advisory.
...exploiting bugs tracked as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380.
CL-STA-1015 (aka UNC5174) has a history of rapid exploitation of N-day vulnerabilities: ... CVE-2022-0185 ...
Recent activity
Threat cluster associated with use of the SNOWLIGHT VShell stager.
Suspected China-nexus threat actor that exploits zero-day and n-day vulnerabilities to gain access to critical infrastructure organizations in the Americas and uses SNOWLIGHT to deliver Sliver and VSHELL.
Referenced as a reported user of the SNOWLIGHT downloader observed in this incident chain following exploitation of CVE-2025-55182 (React2Shell).
Referenced as a Chinese state-backed cluster previously linked to tooling (e.g., AquaTunnel or related tools) also observed in the UAT-9686 activity.