A sophisticated campaign targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, has been uncovered. The attack employs VELETRIX, a new loader, and VShell, a known adversary simulation tool. The infection chain begins with a malicious ZIP file containing executable and DLL files. VELETRIX uses anti-analysis techniques, IPFuscation, and a callback mechanism to execute VShell. The campaign shows overlaps with UNC5174 (Uteus) and Earth Lamia, known China-nexus threat actors. The infrastructure utilizes tools like SuperShell, Cobalt Strike, and Asset Lighthouse System. Active since March 2025, this operation demonstrates advanced tactics, techniques, and procedures associated with Chinese state-sponsored threat groups.
Author: AlienVault
Related Tags:
callback-execution
ipfuscation
cve-2025-31324
unc5174
earth lamia
veletrix
china-nexus
VSHell
Supershell
Associated Indicators: