A Chinese-speaking advanced persistent threat (APT) group has been identified targeting organizations managing web infrastructure in Taiwan, using modified versions of publicly available tools to secure prolonged access to high-value networks.
Researchers at Cisco Talos attribute the activity to a group they label UAT-7237, active since at least 2022, and likely a sub-unit of UAT-5918, which has been attacking Taiwan’s critical infrastructure since 2023.
According to Talos, UAT-7237’s latest campaign involved intrusions into Taiwanese web infrastructure, relying heavily on slightly altered open-source utilities to evade detection and carry out malicious operations.
One key component in these attacks is SoundBill, a custom shellcode loader designed to decode and execute follow-up payloads like Cobalt Strike. While there are operational similarities with UAT-5918, UAT-7237 differs in several ways: it prioritizes Cobalt Strike as its main backdoor, selectively installs web shells, and uses Remote Desktop Protocol (RDP) and SoftEther VPN for persistent access.
The attack chain usually starts with exploiting vulnerabilities in unpatched internet-facing servers, followed by reconnaissance to determine whether a target is worth further exploitation. Unlike UAT-5918, which typically deploys web shells immediately, UAT-7237 instead uses SoftEther VPN—similar to tactics seen from Flax Typhoon—to maintain a foothold, later connecting via RDP.
Once inside, the attackers move laterally, deploying SoundBill to run Cobalt Strike, as well as tools like JuicyPotato for privilege escalation and Mimikatz for credential theft. More recent variants of SoundBill even embed Mimikatz directly.
The group has also used FScan to map open ports across IP ranges and has attempted Windows Registry modifications to disable User Account Control (UAC) and enable plaintext password storage. Configuration files from their VPN client reveal Simplified Chinese as the preferred language, pointing to Chinese-language proficiency.
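The registry changes described above (disabling UAC and enabling plaintext password storage) leave a trail in host telemetry that a defender can hunt for. The following is an added Python example, not code from Talos or from this article: it scans flattened Sysmon Event ID 13 (RegistryEvent, Value Set) records for writes that set the standard Windows values controlling those two behaviours, `EnableLUA` and WDigest `UseLogonCredential`, and also covers the related `ConsentPromptBehaviorAdmin` value. The article does not name the registry paths, so their use here is an assumption based on standard Windows locations, and the sample log lines are constructed rather than real telemetry from the campaign.

```python
import re

# Constructed sample lines in the shape of Sysmon Event ID 13 (RegistryEvent,
# Value Set) records after a log forwarder flattens them to key=value pairs.
# None of these are real telemetry from the campaign described above.
SAMPLE_EVENTS = [
    "EventID=13 UtcTime=2025-08-15 09:12:03.117 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA "
    "Details=DWORD (0x00000000)",
    "EventID=13 UtcTime=2025-08-15 09:12:41.880 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential "
    "Details=DWORD (0x00000001)",
    # Benign: an administrator re-enabling UAC must not raise an alert.
    "EventID=13 UtcTime=2025-08-15 10:02:17.004 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA "
    "Details=DWORD (0x00000001)",
    # Unrelated registry write that should be ignored.
    "EventID=13 UtcTime=2025-08-15 10:05:00.000 Image=C:\\Program Files\\App\\app.exe "
    "TargetObject=HKCU\\Software\\App\\LastRun Details=DWORD (0x00000001)",
]

# Registry values whose change weakens host defences, paired with the DWORD
# value that signals the weakening. These are the standard Windows locations;
# the article does not name them, so tying them to this campaign is an assumption.
WEAKENING_RULES = [
    (r"\\Policies\\System\\EnableLUA$", 0,
     "UAC disabled (EnableLUA=0)"),
    (r"\\Policies\\System\\ConsentPromptBehaviorAdmin$", 0,
     "UAC elevation prompt disabled for administrators (ConsentPromptBehaviorAdmin=0)"),
    (r"\\SecurityProviders\\WDigest\\UseLogonCredential$", 1,
     "WDigest plaintext credential caching enabled (UseLogonCredential=1)"),
]

# key=value pairs; a value runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# Sysmon renders DWORD registry data as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def parse_event(line):
    """Split a flattened Sysmon line into a dict of field name -> value."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def dword_value(details):
    """Return the integer in a Sysmon 'DWORD (0x........)' Details field, or None."""
    match = DWORD_RE.search(details or "")
    return int(match.group(1), 16) if match else None


def find_weakening_writes(lines):
    """Return one alert dict per registry-set event that matches a weakening rule."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "13":
            continue
        value = dword_value(event.get("Details"))
        target = event.get("TargetObject", "")
        for pattern, bad_value, description in WEAKENING_RULES:
            if value == bad_value and re.search(pattern, target, re.IGNORECASE):
                alerts.append({
                    "time": event.get("UtcTime"),
                    "image": event.get("Image"),
                    "target": target,
                    "description": description,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_weakening_writes(SAMPLE_EVENTS):
        print(f"{alert['time']}  {alert['description']}  written by {alert['image']}")
```

Matching on the value written, not just on the key, is what keeps the third sample line (UAC being turned back on) from alerting; in a real deployment the `Image` field is the first pivot, since legitimate policy changes usually arrive via Group Policy rather than an interactive `reg.exe` session.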
This disclosure coincides with Intezer’s report of a new variant of the FireWood backdoor, linked with low confidence to the China-aligned Gelsemium group. Originally documented by ESET in November 2024, FireWood can use a rootkit module (usbdev.ko) to conceal processes and run attacker-supplied commands. The latest variant retains its core features but shows changes in configuration and implementation, though it’s unclear if the rootkit module was also updated.
