UNC5174

UNC5174 is a China-nexus threat actor tracked by Mandiant and others, also referred to as Uteus/Uetus, CL-STA-1015, and by ANSSI as Houken, which ANSSI suspects is operated by the same actor previously described as UNC5174. Reporting describes UNC5174 as a contractor or suspected initial access broker with ties to, or acting on behalf of, China’s Ministry of State Security (MSS), focused primarily on access operations and in some cases selling access to compromised organizations. Mandiant assessed with moderate confidence that UNC5174 is a PRC-linked actor and indicated it may be a former member of Chinese hacktivist collectives. Observed targeting includes U.S. defense contractors, U.S. and UK government entities, institutions in Asia, Western countries including the U.S., UK, and Canada, research and education institutions in Southeast Asia and the U.S., Hong Kong businesses, charities and NGOs, and think tanks in the U.S. and Taiwan. Additional reporting links Houken/UNC5174 activity in France to targeting of governmental, telecommunications, media, finance, and transport sectors via Ivanti Cloud Services Appliance zero-days. UNC5174 has also been linked to exploitation of SAP NetWeaver systems and React Server Components/Next.js environments, and to scanning and exploitation activity against internet-facing systems. Tradecraft described in the content includes aggressive exploitation of public-facing vulnerabilities, reconnaissance, web application fuzzing, vulnerability scanning, attempted theft of AWS configuration and credential files, installation of downloaders, and deployment of backdoors and remote access tooling. Vulnerabilities directly mentioned in connection with UNC5174 include CVE-2023-46747 (F5 BIG-IP TMUI), CVE-2024-1709 (ConnectWise ScreenConnect), CVE-2023-22518 (Atlassian Confluence), CVE-2022-0185 (Linux kernel), CVE-2022-30525 (Zyxel firewall), exploitation of vulnerable SAP NetWeaver systems, active exploitation of React2Shell/CVE-2025-55182, and targeting of unpatched SAP NetWeaver instances for CVE-2025-31324. NVISO also reported UNC5174 triggered exploitation of CVE-2025-41244, a VMware guest service discovery local privilege escalation vulnerability, in incident response engagements. Malware and tooling associated with UNC5174 in the provided content include SNOWLIGHT, VShell/VSHELL, Sliver, Cobalt Strike beacons, GOREVERSE/Goreverse SSH backdoor, SUPERSHELL, and AquaTunnel-related tooling noted as previously linked to UNC5174. UNC5174 has been observed using SNOWLIGHT as a stager/downloader to retrieve Sliver and VSHELL, and reporting on SAP NetWeaver exploitation specifically describes a multi-stage chain involving SNOWLIGHT, VShell, and GOREVERSE. The actor has also been linked to widespread use of VShell infrastructure, although the content notes VShell usage is not exclusive to UNC5174. Known aliases and related names directly mentioned in the content: UNC5174, Uteus, Uetus, CL-STA-1015, CLSTA1015, and Houken.