UAT-7237 Hacks Taiwan Servers with Custom Tools

A Chinese-speaking advanced persistent threat (APT) group known as UAT-7237 has been targeting web infrastructure in Taiwan using customized open-source tools to maintain long-term access in high-value environments. Cisco Talos has linked this activity to UAT-7237, active since at least 2022, and likely a sub-group of UAT-5918, which has attacked Taiwan’s critical infrastructure since 2023. 

UAT-7237 uses tailored tools to avoid detection, including a shellcode loader called SoundBill that launches secondary payloads like Cobalt Strike. Unlike its predecessor, UAT-7237 favors Cobalt Strike as its main backdoor, selectively deploys web shells, and uses SoftEther VPN and remote desktop protocol (RDP) for persistent access. 

The attack begins by exploiting unpatched internet-facing servers, followed by reconnaissance to assess target value. Instead of immediately deploying web shells like UAT-5918, UAT-7237 uses SoftEther VPN to maintain access and later connects via RDP. 

Once inside, the group moves laterally across systems and deploys SoundBill, JuicyPotato for privilege escalation, and Mimikatz for credential theft. A newer version of SoundBill even embeds Mimikatz directly. The group also uses FScan to scan ports and modifies Windows Registry settings to disable User Account Control (UAC) and enable cleartext password storage.
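As an added defender-side example (not code from the article or from Talos), the script below flags registry value-set events that match the two changes described above. It assumes the modified values are the usual EnableLUA and WDigest UseLogonCredential entries (the article names the effect, not the keys) and runs over constructed Sysmon Event ID 13 lines rendered as key=value text.

```python
import re

# Registry values commonly associated with the two behaviours named above.
# Assumed mapping: the article describes the effect, not the exact keys.
WATCHED_VALUES = {
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua":
        ("DWORD (0x00000000)", "User Account Control disabled"),
    r"hklm\system\currentcontrolset\control\securityproviders\wdigest\uselogoncredential":
        ("DWORD (0x00000001)", "WDigest cleartext credential caching enabled"),
}

# Constructed samples in the key=value rendering of Sysmon Event ID 13
# (RegistryEvent: value set); not taken from the article or Talos's report.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000000)",
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000001)",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=whoami",
]

# key=value pairs; a value runs until the next " key=" token or end of line,
# so values containing spaces (such as "DWORD (0x00000000)") survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one rendered event line into a field dict."""
    return dict(FIELD_RE.findall(line))


def find_suspicious(lines):
    """Return (writing image, finding) for each value-set event matching a watched value."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "13":
            continue  # only registry value-set events are of interest here
        rule = WATCHED_VALUES.get(event.get("TargetObject", "").casefold())
        if rule and event.get("Details") == rule[0]:
            findings.append((event.get("Image"), rule[1]))
    return findings


if __name__ == "__main__":
    for image, finding in find_suspicious(SAMPLE_EVENTS):
        print(f"{finding} (written by {image})")
```

The benign third event (UAC re-enabled) and the non-registry event are ignored; only the two weakening writes are reported.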

Talos noted the attackers configured their VPN client in Simplified Chinese, suggesting the operators are proficient in the language. Separately, Intezer reported a new variant of the FireWood backdoor, linked to the China-aligned Gelsemium group. FireWood uses a kernel rootkit to hide processes and execute commands, though its latest kernel module remains unconfirmed.
