SNOWLIGHT
SNOWLIGHT is a malware dropper/downloader and VShell stager observed primarily on Linux, with later reporting also noting a Windows variant. It has been described as stealthy and memory-based in some intrusions, and is used to retrieve and deploy additional payloads, most notably the VShell remote access trojan/backdoor. Reported behavior includes downloading architecture-specific payloads, using HTTP GET requests to command-and-control infrastructure, decrypting payloads with a single-byte XOR key 0x99 in some variants, and enabling in-memory execution of follow-on malware. One Linux infection chain aligned to SNOWLIGHT used maliciously crafted filenames in a RAR archive to trigger Bash execution through unsafe shell handling routines such as ls, for, and find, then downloaded an ELF loader from 47.98.194.60, checked /tmp/log_de.log as an anti-reinfection marker, and ultimately executed VShell in memory via fexecve() while masquerading as a kernel worker thread such as [kworker/0:2].
SNOWLIGHT has been associated with multiple China-nexus threat clusters, including UNC5174 / CL-STA-1015, UNC6586, UAT-6382, and UAT-8302. Reporting also notes use by UNC6600 and UNC6603 in React2Shell exploitation activity. It has been deployed following exploitation of internet-facing applications and vulnerabilities, including SAP NetWeaver compromises, the Cityworks zero-day CVE-2025-0994, and React2Shell (CVE-2025-55182). In observed campaigns it has targeted government entities in South America and southeastern Europe, as well as broader victim sets affected by opportunistic exploitation of vulnerable React/Next.js workloads. Known related malware and tooling include VShell, Goreverse, MINOCAT, HISONIC, ANGRYREBEL.LINUX, and the Rust-based variant/stager SNOWRUST. Reported indicators directly tied to SNOWLIGHT activity include download/C2 infrastructure at 47.98.194.60, reactcdn.windowserrorapis[.]com, and 45.143.131[.]123:59999; sample hashes cited in the source reporting include 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a, 5bde055523d3b5b10f002c5d881bed882e60fa47393dff41d155cab8b72fc5f4, and 8ef56b48ac164482dddf6a80f7367298d7b4d21be3aadf0ee1d82d63e3ac0c0a.
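The masquerade described above, VShell launched via fexecve() under a kernel-thread name such as [kworker/0:2], breaks /proc invariants a defender can check: genuine kernel threads are children of kthreadd (PID 2), have an empty cmdline, and have no resolvable exe link. The following is an added Python hunting example, not code from the original reporting; the assumption that an fexecve()-launched in-memory file shows up as a '/memfd:<name> (deleted)' exe target is labelled in the code, and the process records used to exercise it are constructed.

```python
import os
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple
KTHREAD_NAME = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_\w+|kswapd\d*)(/[\w:+-]+)?$")
@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # name field from /proc/<pid>/stat
    cmdline: str         # NUL-separated argv; empty for genuine kernel threads
    exe: Optional[str]   # None when /proc/<pid>/exe cannot be resolved, as for kernel threads
def suspicion(p: Proc) -> List[str]:
    """Reasons a kworker-looking process does not behave like a kernel thread."""
    shown = (p.cmdline.split("\x00")[0] if p.cmdline else p.comm).strip("[]")  # ps-style brackets
    if not KTHREAD_NAME.match(shown):
        return []  # not claiming to be a kernel thread; out of scope for this check
    reasons = []
    if p.ppid != 2:
        reasons.append(f"parent is PID {p.ppid}, not kthreadd (2)")
    if p.cmdline:
        reasons.append("non-empty cmdline; kernel threads have none")
    if p.exe is not None:
        reasons.append(f"exe link resolves to {p.exe}")
        if "memfd:" in p.exe or "(deleted)" in p.exe:  # assumption: fexecve()'d memfd resolves to '/memfd:x (deleted)'
            reasons.append("backing file is anonymous or deleted (in-memory execution)")
    return reasons
def read_proc(pid: int) -> Proc:
    """Build a Proc from /proc; only used when scanning a live Linux host."""
    stat = Path(f"/proc/{pid}/stat").read_text()
    comm = stat[stat.index("(") + 1:stat.rindex(")")]   # comm may itself contain spaces or ')'
    ppid = int(stat[stat.rindex(")") + 1:].split()[1])  # fields after ')': state, ppid, ...
    cmdline = Path(f"/proc/{pid}/cmdline").read_bytes().decode(errors="replace")
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        exe = None
    return Proc(pid, ppid, comm, cmdline, exe)
def scan_live() -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every process on this host that fails the checks."""
    hits = []
    for pid in (int(n) for n in os.listdir("/proc") if n.isdigit()):
        try:  # a process may exit mid-scan or have an unreadable /proc entry
            if reasons := suspicion(read_proc(pid)):
                hits.append((pid, reasons))
        except (OSError, ValueError):
            pass
    return hits
```

Running scan_live() on a live host needs read access to other users' /proc entries (typically root) to resolve their exe links; without it, the exe check silently degrades to None for those processes.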
Vulnerabilities exploited
4 CVEs correlated with this family across public research and vendor advisories.
SNOWLIGHT: A generic stager for the VSHELL malware family, used by UAT-8302. Also used by UAT-6382, who exploited a Cityworks zero-day (CVE-2025-0994) to deploy VSHELL.
Since exploitation began last week, our team at Google Threat Intelligence Group (GTIG) has been tracking widespread activity as multiple threat clusters race to leverage React2Shell (CVE-2025-55182).
Multiple groups including UNC6600 and UNC6603 are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.
UNC5174 exploited vulnerable NetWeaver systems to deploy the Snowlight downloader, the VShell remote access trojan, and the SSH backdoor Goreverse.
Groups observed using it
6 distinct threat actors attributed by public researchers.
SNOWLIGHT, a VShell stager used by UNC5174, UNC6586, and UAT-6382.
Multiple groups including UNC6600 and UNC6603 are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
UAT-8302's tooling overlaps with various APT groups that have been known to exploit both zero-day and n-day exploits to obtain initial access. We assess that UAT-8302 follows the same paradigm of obtaining initial access to its victims.
The attack begins with a spam email disguised as a beauty product survey invitation... Crucially, the email includes a .rar archive attachment (yy.rar)...
Execution
4 techniques
Post-exploitation, attackers were observed to run arbitrary commands, such as reverse shells to known Cobalt Strike servers.
Stage 1: Script interaction through Bash (e.g., for f in *) triggers auto-execution of the embedded Base64 downloader. The filename evaluates to a Base64-decoded command piped to bash.
"The flaw allows unauthenticated attackers to execute arbitrary code on the server via insecure deserialization of malicious HTTP requests... This results in RCE" (CVE-2025-55182).
Once extracted, the archive contains a file with a specially crafted filename, which silently triggers malicious behavior during directory enumeration or scripting.
Privilege Escalation
1 technique
Stealth
4 techniques
The payload isn't hidden inside the file content or a macro, it's encoded directly in the filename itself... The XOR key used is 0x99, a simple but effective method for evading static inspection.
"piping the downloaded content directly into sh, enabling fileless execution" (CL-STA-1015 slt).
The decrypted shellcode is then injected into a combination of specified benign processes... If the process is named “mspaint.exe”, “browser”, or anything else, it will proceed to inject itself into dpapimg.exe, spoolsv.exe, etc.
Anything that expands filenames and processes them using eval, echo, printf, or logging can accidentally execute such a filename-payload.
Discovery
1 technique
Lateral Movement
1 technique
The SNOWLIGHT memory-based malware downloader ... enabled attackers to deploy more payloads to target environments
Command and Control
4 techniques
"downloaders to retrieve payloads from attacker command and control (C2) infrastructure" and multiple C2 endpoints; KSwapDoor uses mesh routing and encryption
Multiple payload retrieval and C2 interactions over HTTP/HTTPS using curl/wget; fm.js retrieved from GitHub; EtherRAT uses web retrieval loops.
China-Nexus Espionage: Multiple groups including UNC6600 and UNC6603 are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.
UAT-8302 has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to download the VShell payload from a remote server and execute it.
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
45 sources tracked across advisories, community write-ups, and news.
A Linux dropper that abuses maliciously crafted filenames to trigger Bash payload execution through automated file handling routines such as ls, for, and find, leading to downloader execution and subsequent payload delivery.
Stager used to deliver or launch VShell payloads; also used by UAT-8302 in attack chains.
A lightweight downloader/stager used to retrieve and deploy next-stage payloads, notably VSHELL. It has also been observed downloading Sliver.
Downloader used post-exploitation to fetch additional payloads and/or establish command-and-control.