Chinese APT Group UAT-7237 Targets Taiwan’s Web Infrastructure with Customized Malware Toolset
Discover how the Chinese-speaking APT group UAT-7237, linked to UAT-5918, is targeting Taiwan's web infrastructure using customized open-source tools to establish long-term access. Learn about their tactics, tools, and the implications for cybersecurity.
TL;DR
A Chinese-speaking Advanced Persistent Threat (APT) group, tracked as UAT-7237, has been targeting Taiwan’s web infrastructure using customized open-source tools to maintain long-term access. Linked to the info-stealing threat actor UAT-5918, UAT-7237 employs tactics like exploiting unpatched servers, deploying custom loaders (SoundBill), and leveraging SoftEther VPN for persistence. Their operations highlight the growing sophistication of state-sponsored cyber threats targeting critical infrastructure.
Introduction
In an era where cybersecurity threats are increasingly sophisticated, the emergence of UAT-7237, a Chinese-speaking Advanced Persistent Threat (APT) group, has raised alarms. This group, believed to be a subgroup of UAT-5918, has been actively targeting Taiwan’s web infrastructure since at least 2022. Their modus operandi involves the use of customized open-source tools, designed to evade detection and establish long-term persistence in high-value environments.
This article delves into the tactics, techniques, and procedures (TTPs) employed by UAT-7237, their toolset, and the broader implications for cybersecurity in the region.
UAT-7237: Overview and Link to UAT-5918
UAT-7237 is a Chinese-speaking APT group that has been observed targeting web infrastructure entities in Taiwan. Researchers at Cisco Talos have identified significant overlaps between UAT-7237 and UAT-5918, another info-stealing threat actor active since 2023. UAT-5918 is known for using web shells and open-source tools for persistence and credential theft. Talos experts suggest that UAT-7237 may operate as a subgroup of UAT-5918 [1].
According to the Talos report, UAT-7237 relies heavily on customized open-source tools to conduct malicious activities while evading detection. Their primary objective is to establish long-term persistence in high-value victim environments.
Tactics, Techniques, and Procedures (TTPs)
Initial Access and Reconnaissance
UAT-7237 gains initial access by exploiting unpatched servers. Once inside the network, they perform rapid reconnaissance using commands such as:
- nslookup
- systeminfo
- ping
Unlike traditional APT groups that rely on web shells, UAT-7237 establishes persistence through SoftEther VPN and Remote Desktop Protocol (RDP).
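The reconnaissance burst described above (nslookup, systeminfo and ping run in quick succession right after a server is compromised) is something a defender can hunt for in process-creation telemetry. The following is an added example, not Talos's code or data: it assumes Sysmon-style records with `ts`, `host`, `parent` and `cmdline` fields, a constructed sample log, and an assumed list of web-server worker processes as the suspicious parent.

```python
"""Flag the rapid post-exploitation reconnaissance burst (nslookup / systeminfo /
ping) in process-creation logs. Added example: field names, the sample events and
the web-server parent list are assumptions, not data from the Talos report."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"nslookup", "systeminfo", "ping"}
# Assumed worker processes of the web stack an exploited server would be running.
WEB_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}

# Constructed sample events (JSON lines). web01 shows the recon triad spawned from
# the web worker within seconds; web02 shows isolated, hours-apart admin use.
SAMPLE_EVENTS = """
{"ts":"2024-03-01T10:00:01","host":"web01","parent":"w3wp.exe","cmdline":"cmd.exe /c nslookup dc01"}
{"ts":"2024-03-01T10:00:05","host":"web01","parent":"w3wp.exe","cmdline":"cmd.exe /c systeminfo"}
{"ts":"2024-03-01T10:00:09","host":"web01","parent":"cmd.exe","cmdline":"PING.EXE 10.0.0.5"}
{"ts":"2024-03-01T11:00:00","host":"web02","parent":"explorer.exe","cmdline":"ping 10.0.0.1"}
{"ts":"2024-03-01T14:00:00","host":"web02","parent":"cmd.exe","cmdline":"systeminfo"}
"""

def recon_tool(cmdline):
    """Return the recon tool a command line invokes (path and .exe stripped), or None."""
    for tok in cmdline.lower().split():
        base = tok.rsplit("\\", 1)[-1].removesuffix(".exe")
        if base in RECON_TOOLS:
            return base
    return None

def find_recon_bursts(lines, window=timedelta(minutes=10), min_tools=2):
    """Alert per host when >= min_tools distinct recon tools run inside `window`,
    and record whether a web-server worker process was the parent of any of them."""
    per_host = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        tool = recon_tool(ev["cmdline"])
        if tool:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tool, ev["parent"].lower()))
    alerts = []
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - t0 <= window]
            tools = {e[1] for e in burst}
            if len(tools) >= min_tools:
                alerts.append({"host": host, "start": t0.isoformat(), "tools": sorted(tools),
                               "web_parent": any(e[2] in WEB_PARENTS for e in burst)})
                break  # report the first burst per host; later ones add little
    return alerts

if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

Tuning `window` and `min_tools` to a site's baseline keeps legitimate administrator use (web02 above) below the threshold while the web-worker-spawned burst stands out.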
Lateral Movement and Privilege Escalation
To move laterally across the network, UAT-7237 leverages:
- SMB shares to identify accessible systems.
- Built-in Windows tools like SharpWMI and WMICmd to execute commands and gather system information.
For privilege escalation, the group employs tools like JuicyPotato and modifies Windows settings, such as:
- Disabling User Account Control (UAC).
- Enabling cleartext password storage.
Custom Toolset: SoundBill and Beyond
UAT-7237 deploys a custom shellcode loader named SoundBill, which is capable of decoding and executing shellcode from files like ptiti.txt. SoundBill can run a variety of payloads, including:
- Mimikatz for credential theft.
- Cobalt Strike for long-term access.
Interestingly, SoundBill includes two built-in programs from QQ, a popular Chinese messaging app, likely used as decoys in phishing attacks.
Credential Theft and Data Exfiltration
Credentials are harvested using:
- Mimikatz, sometimes embedded within SoundBill.
- LSASS dumping via Project1.exe.
- Registry searches for VNC credentials.
Extracted data is compressed and exfiltrated, enabling attackers to pivot, escalate privileges, and maintain persistence.
Persistence and Network Pivoting
UAT-7237 maintains long-term access through:
- SoftEther VPN, with configurations in Simplified Chinese, indicating operator proficiency.
- Stolen credentials for lateral movement.
Their VPN setup was active from September 2022 to December 2024, demonstrating extended use.
Indicators of Compromise (IOCs)
Cisco Talos has published Indicators of Compromise (IOCs) related to UAT-7237’s activities on their GitHub repository [2].
Implications for Cybersecurity
The activities of UAT-7237 underscore the evolving threat landscape, particularly for critical infrastructure in Taiwan. Their use of customized open-source tools and long-term persistence tactics highlights the need for:
- Regular patching of servers.
- Enhanced monitoring for unusual VPN and RDP activity.
- Proactive threat hunting to detect and mitigate APT activities.
Organizations, especially those in high-risk sectors, must adopt a multi-layered defense strategy to counter such sophisticated threats.
Conclusion
The UAT-7237 APT group represents a significant and ongoing threat to Taiwan’s web infrastructure. By leveraging customized tools, exploiting unpatched systems, and maintaining long-term persistence, they exemplify the growing sophistication of state-sponsored cyber threats. As cybersecurity professionals continue to monitor and analyze their activities, organizations must remain vigilant and proactive in defending against such advanced adversaries.
For further updates, follow Pierluigi Paganini on Twitter, Facebook, and Mastodon.
References
[1] Cisco Talos (2025). “UAT-7237 targets web hosting infrastructure in Taiwan”. Retrieved 2025-08-16.
[2] Cisco Talos (2025). “Indicators of Compromise (IOCs)”. Retrieved 2025-08-16.