Find notable cyber news and cases, enriched with sources, timelines, and signals.

SNOWLIGHT-to-VShell remote-access backdoor chain

Malware Activity
First reported
Last updated
Happening score
H score 51
1 unique sources, 1 articles

Summary

Hide ▲

The SNOWLIGHT dropper was used to install VShell, giving operators covert remote access on compromised hosts and hiding the backdoor as [kworker/0:2] in process lists. The chain combines delivery and stealth, making post-compromise control harder to spot. It represents a focused malware activity thread centered on persistence and concealment.

Related Happenings

MiniFast Windows DLL backdoor activity

Malware Activity
H score28 First: 26.05.2026 12:10 Last: 26.05.2026 12:10 Sources 1

About this happening: The **MiniFast** backdoor adds a new **64-bit Windows DLL** implant to **Nimbus Manticore's** toolkit, increasing the group's ability to run commands, move files, and persist on c...

BPFDoor Linux backdoor with HTTPS-hidden trigger packets

Malware Activity
H score23 First: 26.03.2026 19:40 Last: 26.03.2026 19:40 Sources 1

About this happening: A newly disclosed **BPFDoor** variant is hiding trigger packets inside **HTTPS traffic** and using **ICMP** between infected hosts, making the **Linux** backdoor harder to detect...

Timeline

  1. 10.07.2026 14:30 2 articles · 3h ago

    SNOWLIGHT dropper installs VShell backdoor on compromised hosts

    Technical Analysis Update

    SOCRadar found a US-based rented server at 137.175.93[.]126 left open without a password and exposing roughly 800MB of files, including webshells, exploit scripts, scan results, typed command history, and command-and-control settings; the material showed the crew using SNOWLIGHT to install VShell for covert remote access, with VShell disguising itself as [kworker/0:2]. Sysdig had previously linked the same SNOWLIGHT-to-VShell chain to UNC5174 in April 2025.

    Show sources