Taiwan Servers Hacked by UAT-7237 with Custom Tools

Taiwan Web Infrastructure Targeted by UAT-7237 Using Custom Hacking Tools
A Chinese-speaking advanced persistent threat (APT) group has been detected targeting Taiwan’s web infrastructure using tailored versions of open-source hacking tools, with the aim of maintaining long-term access inside high-value networks.
Cisco Talos has linked this campaign to an activity cluster identified as UAT-7237, which has been active since at least 2022. Researchers believe UAT-7237 is a sub-group of UAT-5918, a threat actor known for attacking Taiwan’s critical infrastructure since 2023.

“UAT-7237 recently carried out an intrusion targeting web infrastructure in Taiwan, relying heavily on modified open-source tools to evade detection and execute malicious operations,” Talos stated.

The attacks feature a custom shellcode loader named SoundBill, which is designed to decode and launch secondary payloads such as Cobalt Strike.

Although UAT-7237 shares some tactics with UAT-5918, their methods differ in several ways. These include using Cobalt Strike as the primary backdoor, selectively deploying web shells after the initial breach, and leveraging Remote Desktop Protocol (RDP) and SoftEther VPN clients for persistent access.

The intrusion process usually begins by exploiting known vulnerabilities in unpatched internet-facing servers. Once initial access is achieved, the attackers perform reconnaissance and fingerprinting to determine if the target warrants further exploitation.

“Unlike UAT-5918, which quickly deploys web shells, UAT-7237 uses SoftEther VPN (similar to Flax Typhoon) for persistence, later accessing compromised systems via RDP,” noted Talos researchers Asheer Malhotra, Brandon White, and Vitor Ventura.

After securing access, the attackers move laterally within the network, deploying SoundBill (based on VTHello) to launch Cobalt Strike. They also use JuicyPotato for privilege escalation and Mimikatz to steal credentials. Some recent attacks have involved an upgraded SoundBill that embeds Mimikatz directly to achieve the same results.

The group also uses FScan for open port scanning, modifies Windows Registry settings to disable User Account Control (UAC), and enables cleartext password storage.
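The two registry changes described above are among the most reliable host-level signals of this tradecraft, because both alter well-known values that legitimate software rarely touches. The following is an added example, not code from Talos or from the article, that scans Sysmon Event ID 13 (registry value set) records for exactly those changes. The article names neither registry path; the example assumes UAC is disabled via `EnableLUA` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and that "cleartext password storage" refers to WDigest `UseLogonCredential`, which are the standard Windows locations for those settings. The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    setting: str
    image: str      # process that wrote the value
    observed: int   # DWORD value that was written
    reason: str


# Registry values to watch, keyed by lower-cased Sysmon TargetObject path.
# Assumption: the article names no keys; these are the standard locations
# for UAC enforcement and WDigest cleartext credential caching.
WATCHLIST = {
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua": (
        "UAC (EnableLUA)", 0, "UAC disabled"),
    r"hklm\system\currentcontrolset\control\securityproviders\wdigest\uselogoncredential": (
        "WDigest UseLogonCredential", 1, "cleartext credentials cached by LSASS"),
}

# Constructed Sysmon-style records (key=value fields), not logs from the incident.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA "
    "Details=DWORD (0x00000000)",
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential "
    "Details=DWORD (0x00000001)",
    # Hardened value written by a system process: UAC re-enabled, no finding.
    "EventID=13 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA "
    "Details=DWORD (0x00000001)",
    # Unrelated key: ignored.
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Example\\Unrelated Details=DWORD (0x00000000)",
    # Not a registry event: ignored.
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=whoami",
]

# Splits "Name=value Name2=value ..." where values may contain spaces but
# field names are single words followed by '='.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Parse one key=value record into a dict."""
    return dict(_FIELD.findall(line))


def _dword(details: str):
    """Extract the integer from a Sysmon 'DWORD (0x...)' Details field."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details)
    return int(m.group(1), 16) if m else None


def scan(lines) -> list:
    """Return a Finding for every registry write that sets a watched value to its weak state."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        entry = WATCHLIST.get(ev.get("TargetObject", "").lower())
        if entry is None:
            continue
        setting, weak_value, reason = entry
        observed = _dword(ev.get("Details", ""))
        if observed == weak_value:
            findings.append(Finding(setting, ev.get("Image", ""), observed, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.setting}: set to {f.observed} by {f.image} -> {f.reason}")
```

Matching on the exact value rather than on any write to the key keeps the detector quiet when Group Policy or a hardening script re-applies the secure setting, which is the third sample record above; in production the `Image` field is the pivot for the next question, since `reg.exe` launched from a web server's worker process is itself worth an alert.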

Talos reported that UAT-7237’s SoftEther VPN configuration had Simplified Chinese set as the preferred language, suggesting fluency in the language.

This revelation comes as Intezer reports the discovery of a new variant of FireWood, a backdoor linked to the China-aligned Gelsemium group. First documented by ESET in November 2024, FireWood uses a kernel driver rootkit (usbdev.ko) to hide processes and execute attacker commands.

“The backdoor’s main functionality remains, but we observed changes in its implementation and configuration,” said Nicole Fishbein from Intezer. “It is unclear whether the kernel module was updated, as we could not obtain a sample.”