Chinese APT Targets Taiwanese Web Hosting Firms to Infiltrate High-Value Networks

Taiwan’s web hosting industry has recently come under sustained attack from a Chinese advanced persistent threat (APT) group, according to new research from Cisco Talos.

UAT-7237: A Long-Term Campaign

The threat actor, tracked as UAT-7237, has been active since at least 2022 and appears to be linked to UAT-5918, a cluster associated with well-known Chinese APTs such as Volt Typhoon and Flax Typhoon.
However, Talos researchers note that UAT-7237’s specific techniques—such as selective web shell deployment, extensive use of Cobalt Strike, and reliance on legitimate VPN clients and RDP access—indicate it may operate as a distinct subgroup.

Intrusion Techniques

In one recent attack on a Taiwanese hosting provider, UAT-7237:

  • Exploited publicly known vulnerabilities in internet-facing servers for initial access.
  • Conducted reconnaissance to map out internal systems.
  • Installed SoftEther VPN software to ensure persistent remote access.

For lateral movement, the attackers leveraged a mix of open-source tools and Windows Management Instrumentation (WMI) utilities such as SharpWMI and WMICmd.

Custom Malware: SoundBill

Talos also discovered a custom shellcode loader called SoundBill, whose code contains Chinese-language text. One variant bundles binaries from the Chinese messaging app QQ, and the loader is capable of loading:

  • Customized versions of Mimikatz for credential theft.
  • Payloads for arbitrary command execution.
  • Cobalt Strike beacons for long-term espionage and data theft.

The attackers further employed tools like JuicyPotato for privilege escalation, altered OS configurations to capture cleartext credentials, and used network scanning utilities such as Fscan and SMB scans to expand access.

Long-Term Access via VPN

Evidence suggests UAT-7237 has relied on SoftEther VPN for persistence since at least September 2022, highlighting the group’s focus on maintaining stealthy, long-term control over compromised networks.

Why This Matters

These campaigns underscore the growing sophistication of Chinese APTs targeting critical infrastructure and technology providers. By compromising hosting services, attackers gain indirect access to multiple downstream organizations, dramatically increasing the potential impact.

For defenders, this incident reinforces the importance of:

  • Timely patching of internet-facing systems, since initial access came through publicly known vulnerabilities.
  • Monitoring for anomalous VPN and RDP activity, including unexpected installs of legitimate VPN clients such as SoftEther on servers that have no business need for them.
  • Conducting regular audits for unauthorized privilege escalation and for configuration changes that expose cleartext credentials.
  • Deploying threat detection that can spot post-exploitation tooling such as Cobalt Strike, Mimikatz variants, and WMI-based lateral movement early.
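The three defender signals above (a VPN client dropped as a service, RDP logons from outside trusted ranges, and a configuration change that exposes cleartext credentials) can be checked mechanically. The script below is an added example written for this page, not code from Cisco Talos or the SecurityWeek article. It runs over constructed records in a simplified `timestamp|host|event_id|key=value;...` format rather than real Windows event XML; the SoftEther name fragments (SEVPNCLIENT, vpnclient_x64.exe), the trusted RFC 1918 ranges, and the choice of the WDigest `UseLogonCredential` value as the "cleartext credential" configuration change are all assumptions for illustration, since the article names none of them.

```python
"""Hunt constructed Windows-style event records for UAT-7237-like tradecraft.

Added example: detects (1) a SoftEther VPN service install, (2) RDP logons
from outside trusted ranges, (3) WDigest UseLogonCredential set to 1.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed trusted source ranges for RDP; adjust to the real estate.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed name fragments for a SoftEther install (service SEVPNCLIENT,
# binaries vpnclient_x64.exe / vpnserver / vpnbridge).
SOFTETHER_MARKERS = ("softether", "sevpn", "vpnclient", "vpnserver", "vpnbridge")

# Assumed example of an OS change that exposes cleartext credentials:
# WDigest\UseLogonCredential=1 makes LSASS keep plaintext passwords.
WDIGEST_KEY_SUFFIX = r"securityproviders\wdigest"

# Constructed sample records (not real telemetry).
SAMPLE_LOG = r"""
2024-03-01T02:11:05Z|WEB01|7045|ServiceName=SEVPNCLIENT;ImagePath=C:\ProgramData\svc\vpnclient_x64.exe /service
2024-03-01T02:12:40Z|WEB01|4624|LogonType=10;TargetUserName=admin;IpAddress=203.0.113.77
2024-03-01T03:00:12Z|DC01|4624|LogonType=10;TargetUserName=helpdesk;IpAddress=10.20.30.40
2024-03-01T03:05:33Z|WEB01|4657|ObjectName=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest;ObjectValueName=UseLogonCredential;NewValue=1
2024-03-01T04:10:00Z|WEB01|7045|ServiceName=Spooler;ImagePath=C:\Windows\System32\spoolsv.exe
"""


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    event_id: int
    fields: dict


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> Event:
    """Parse one 'ts|host|event_id|k=v;k=v' record (constructed format)."""
    ts, host, event_id, raw = line.split("|", 3)
    fields = {}
    for pair in raw.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return Event(ts, host, int(event_id), fields)


def is_internal(ip_text: str) -> bool:
    """True if the address falls in an assumed trusted range; malformed -> False."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # "-" or garbage source: treat as untrusted
    return any(ip in net for net in INTERNAL_NETS)


def check_event(ev: Event) -> Optional[Finding]:
    """Apply the three rules to one event; return a Finding or None."""
    f = ev.fields
    if ev.event_id == 7045:  # System log: new service installed
        blob = (f.get("ServiceName", "") + " " + f.get("ImagePath", "")).lower()
        if any(marker in blob for marker in SOFTETHER_MARKERS):
            return Finding("softether-service-install", ev.host,
                           f"{f.get('ServiceName')} -> {f.get('ImagePath')}")
    elif ev.event_id == 4624 and f.get("LogonType") == "10":  # RemoteInteractive = RDP
        src = f.get("IpAddress", "-")
        if not is_internal(src):
            return Finding("rdp-logon-from-untrusted-source", ev.host,
                           f"{f.get('TargetUserName')} from {src}")
    elif ev.event_id == 4657:  # registry value modified (requires a SACL on the key)
        if (f.get("ObjectName", "").lower().endswith(WDIGEST_KEY_SUFFIX)
                and f.get("ObjectValueName", "").lower() == "uselogoncredential"
                and f.get("NewValue") == "1"):
            return Finding("wdigest-cleartext-credentials-enabled", ev.host,
                           "UseLogonCredential set to 1")
    return None


def hunt(lines) -> list:
    """Run every non-empty record through check_event and keep the hits."""
    return [hit for hit in (check_event(parse_event(ln)) for ln in lines if ln.strip()) if hit]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.strip().splitlines()):
        print(f"[{hit.rule}] {hit.host}: {hit.detail}")
```

On the sample records the internal help-desk RDP logon and the Spooler service install are ignored, while the SoftEther install, the RDP logon from 203.0.113.77, and the WDigest change on WEB01 are all flagged. Event 4657 only fires if the key carries an audit SACL, so in practice pair the registry rule with a periodic query of the value itself.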

As APT activity continues to escalate, organizations operating in sensitive sectors must remain vigilant against persistent threats aimed at long-term infiltration and data theft.

Source: https://www.securityweek.com/web-hosting-firms-in-taiwan-attacked-by-chinese-apt-for-access-to-high-value-targets