Mallory

CN | 2 malware families | Exploits CVEs in the wild

UNC6586

Also known as: unc6586

UNC6586 is a suspected China-nexus cyber-espionage threat cluster. The available reporting links the group to exploitation of the React Server Components vulnerability CVE-2025-55182 ("React2Shell") for initial access. In those incidents, UNC6586 retrieved a script via curl or wget that downloaded and executed the SNOWLIGHT downloader payload. SNOWLIGHT is described as a VShell stager or downloader/backdoor that makes HTTP GET requests to command-and-control infrastructure to retrieve additional payloads disguised as legitimate files. Google Threat Intelligence Group identified UNC6586 as one of multiple China-nexus clusters exploiting React2Shell globally. The reporting also notes that SNOWLIGHT has been observed in intrusions attributed to UNC6586 as well as to other China-nexus clusters, including UNC5174 and UAT-6382. No additional aliases or sub-groups for UNC6586 are provided in the reporting.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

5 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics | 7 techniques | ×N = number of intelligence reports citing this technique

TA0001 Initial Access (1 technique)
  • T1190 Exploit Public-Facing Application

TA0002 Execution (1 technique)
  • T1059 Command and Scripting Interpreter
    • T1059.004 Unix Shell

TA0008 Lateral Movement (1 technique)
  • T1210 Exploitation of Remote Services

TA0011 Command and Control (2 techniques)
  • T1071 Application Layer Protocol
    • T1071.001 Web Protocols
  • T1105 Ingress Tool Transfer