SNOWLIGHT-to-VShell remote-access backdoor chain
Malware Activity
Summary
Hide ▲
Show ▼
The SNOWLIGHT dropper was used to install VShell, giving operators covert remote access on compromised hosts and hiding the backdoor as [kworker/0:2] in process lists. The chain combines delivery and stealth, making post-compromise control harder to spot. It represents a focused malware activity thread centered on persistence and concealment.
Related Happenings
MiniFast Windows DLL backdoor activity
Malware Activity
H score28
First: 26.05.2026 12:10
Last: 26.05.2026 12:10
Sources 1
About this happening:
The **MiniFast** backdoor adds a new **64-bit Windows DLL** implant to **Nimbus Manticore's** toolkit, increasing the group's ability to run commands, move files, and persist on c...
MiniFast Windows DLL backdoor activity
Malware ActivityAbout this happening: The **MiniFast** backdoor adds a new **64-bit Windows DLL** implant to **Nimbus Manticore's** toolkit, increasing the group's ability to run commands, move files, and persist on c...
BPFDoor Linux backdoor with HTTPS-hidden trigger packets
Malware Activity
H score23
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A newly disclosed **BPFDoor** variant is hiding trigger packets inside **HTTPS traffic** and using **ICMP** between infected hosts, making the **Linux** backdoor harder to detect...
BPFDoor Linux backdoor with HTTPS-hidden trigger packets
Malware ActivityAbout this happening: A newly disclosed **BPFDoor** variant is hiding trigger packets inside **HTTPS traffic** and using **ICMP** between infected hosts, making the **Linux** backdoor harder to detect...
Timeline
-
10.07.2026 14:30 2 articles · 3h ago
SNOWLIGHT dropper installs VShell backdoor on compromised hosts
Technical Analysis UpdateSOCRadar found a US-based rented server at 137.175.93[.]126 left open without a password and exposing roughly 800MB of files, including webshells, exploit scripts, scan results, typed command history, and command-and-control settings; the material showed the crew using SNOWLIGHT to install VShell for covert remote access, with VShell disguising itself as [kworker/0:2]. Sysdig had previously linked the same SNOWLIGHT-to-VShell chain to UNC5174 in April 2025.
Show sources
- Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites — thehackernews.com — 10.07.2026 14:30
- Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites — thehackernews.com — 10.07.2026 14:30