Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Taiwan Web Infrastructure targeted by APT UAT-7237 with custom toolset

APT group UAT-7237, linked to UAT-5918, targets web infrastructure in Taiwan using customized open-source tools to maintain long-term access. A Chinese-speaking advanced persistent threat (APT) group, tracked as UAT-7237, has been observed targeting web infrastructure entities in Taiwan using customized versions of open-sourced tools with an aim to establish long-term access within high-value victim environments. […]

China-linked APT Salt Typhoon

APT group UAT-7237, linked to UAT-5918, targets web infrastructure in Taiwan using customized open-source tools to maintain long-term access.

A Chinese-speaking advanced persistent threat (APT) group, tracked as UAT-7237, has been observed targeting web infrastructure entities in Taiwan using customized versions of open-sourced tools with an aim to establish long-term access within high-value victim environments.

UAT-7237 has been active since at least 2022, the researchers found significant overlaps with UAT-5918, which is an info-stealing threat actor active since 2023 and known for using web shells and open-source tools for persistence and credential theft. Talos experts believe that UAT-7237 is a subgroup of UAT-5918

“UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise.” reads the report published by Talos.

“UAT-7237 aims to establish long-term persistence in high-value victim environments.”

Talos researchers observed the UAT-7237 APT group using a customized Shellcode loader tracked as “SoundBill.” SoundBill can be employed to decode and load any shellcode, including Cobalt Strike.

UAT-7237 exploits unpatched servers for initial access, then performs rapid reconnaissance using commands like nslookup, systeminfo, and ping before establishing persistence via SoftEther VPN and RDP rather than web shells.

They move through networks using SMB shares and check for domain admins and controllers. They also use built-in Windows tools like SharpWMI and WMICmd to run commands, gather system info, and prepare for further attacks.

After compromising systems, UAT-7237 deploys custom and open-source tools to maintain access and steal data. Their custom loader, SoundBill, decodes and executes shellcode from files like ptiti.txt, running payloads ranging from Mimikatz to Cobalt Strike for credential theft and long-term access. SoundBill has two built-in programs from QQ, a Chinese messaging app, likely used as decoys in phishing attacks.

They also use JuicyPotato for privilege escalation and modify Windows settings, like disabling UAC and enabling cleartext password storage.

Credentials are primarily harvested with Mimikatz, sometimes embedded in SoundBill, and through LSASS dumping (Project1.exe) or registry searches for VNC credentials. Extracted data is compressed for exfiltration, enabling attackers to pivot, escalate privileges, and maintain persistence.

The threat actor spreads in networks using tools like FScan and SMB scans to find accessible systems. They pivot using stolen credentials and maintain long-term access via SoftEther VPN, with configurations in Simplified Chinese, indicating operator proficiency. Their VPN setup was active from Sept 2022 to Dec 2024, showing extended use.

Talos published IOCs for this research on GitHub.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, China)