U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

UAT-5918 ATP group targets critical Taiwan

Cisco Talos found UAT-5918, active since 2023, using web shells and open-source tools for persistence, info theft, and credential harvesting. Cisco Talos uncovered UAT-5918, an info-stealing threat actor active since 2023, using web shells and open-source tools for persistence and credential theft. The APT UAT-5918 targets Taiwan, exploiting N-day vulnerabilities in unpatched servers for long-term […]

UAT-5918

Cisco Talos found UAT-5918, active since 2023, using web shells and open-source tools for persistence, info theft, and credential harvesting.

Cisco Talos uncovered UAT-5918, an info-stealing threat actor active since 2023, using web shells and open-source tools for persistence and credential theft.

The APT UAT-5918 targets Taiwan, exploiting N-day vulnerabilities in unpatched servers for long-term access. The group manually conducts post-compromise activities, using open-source tools for reconnaissance, credential theft, and persistence. They deploy web shells across subdomains, create admin accounts, and leverage tools like Mimikatz, Fast Reverse Proxy (FRP), and Impacket for lateral movement via RDP and PowerShell remoting, ensuring multiple entry points into victim networks.

The researchers linked the group to China due to TTPs overlap with multiple Chinese APT group.

“UAT-5918’s tooling and TTPs overlap substantially with several APT groups including Volt TyphoonFlax Typhoon and Dalbit.” reads the report published by Talos. “There is a significant overlap in post-compromise tooling and TTPs with Volt Typhoon, such as using ping and tools like In-Swor for network discovery; gathering system information such as drive and partition; gathering logical drive information such as names, IDs, size, and free spaces; credential dumping from web browser applications; using open-source tools such as frpEarthworm, and Impacket for establishing control channels; and the absence of custom-made malware.”

UAT-5918 shares tooling and tactics with Chinese APT groups Tropic Trooper, Earth Estries, and Dalbit, using tools like FRP, FScan, Impacket, and web shells. The researchers observed overlaps that include Crowdoor Loader and SparrowDoor malware. However, UAT-5918 also employs unique tools like LaZagne, SNetCracker, and PortBrute, which haven’t been publicly linked to other groups, suggesting either exclusive use or undisclosed associations.

The threat actor uses FRP and Neo-reGeorge to establish reverse proxy tunnels to maintain access to compromised endpoints via attacker controlled remote hosts. The researchers noticed that tools are usually downloaded as archives and extracted before execution.

UAT-5918 mainly targets Taiwan’s telecom, healthcare, IT, and critical infrastructure sectors.

UAT-5918 maintains persistent access by deploying ASP and PHP web shells deep in system directories and using JuicyPotato for privilege escalation. They create backdoored admin accounts and steal credentials via Mimikatz, LaZagne, and registry dumps. The group pivots within networks using RDP, Impacket, and brute-force tools like SNETCracker. They stage and exfiltrate data, including confidential files and database backups, using SQLCMD. Their tactics ensure long-term access for data theft across compromised enterprises.

Talos researchers published Indicators of Compromise (IOCs) on their GitHub repository

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, UAT-5918)