Cisco Talos has published a detailed report on a newly designated threat group, UAT-7237, a Chinese-speaking advanced persistent threat (APT) that has been active since at least 2022. According to the researchers, “UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise.”
Talos notes that UAT-7237 overlaps heavily with the previously identified group UAT-5918: “Talos further assesses that UAT-7237 is likely a subgroup of UAT-5918, operating under the same umbrella of threat actors. UAT-7237’s tooling, victimology and dates of activity overlap significantly with UAT-5918.”
Despite these overlaps, Talos points to clear differences in tactics, techniques, and procedures (TTPs). Where UAT-5918 deploys web shells in large numbers, UAT-7237 uses them sparingly and instead relies on direct Remote Desktop Protocol (RDP) access and SoftEther VPN clients to maintain persistence.
In one high-profile case, Talos reports that “UAT-7237 compromised, infiltrated and established long-term persistence in a Taiwanese web hosting provider. It is worth noting that the threat actor had a particular interest in gaining access to the victim organization’s VPN and cloud infrastructure.”
The group gains initial access by exploiting unpatched internet-facing servers, then performs reconnaissance with built-in Windows commands (systeminfo, ipconfig /all, ping and nslookup). Once inside, UAT-7237 deploys customized tools to strengthen its foothold, pivot laterally and extract credentials.
One of the group’s most notable tools is SoundBill, a customized shellcode loader. As Cisco Talos explains, “SoundBill is built based on ‘VTHello’ and is a shellcode loader written in Chinese that will decode a file on disk named ‘ptiti.txt’ and execute the resulting shellcode.” The decoded payload may be a Cobalt Strike beacon or credential-extraction tooling such as Mimikatz.
Talos observed that the loader also embeds executables from QQ, a popular Chinese instant messaging platform, likely as decoys in spear-phishing campaigns.
The group’s reliance on SoftEther VPN is another distinctive trait. Talos uncovered that the VPN server used by UAT-7237 had been active from September 2022 through December 2024. Notably, “UAT-7237 specified Simplified Chinese as the preferred display language in their VPN client’s language configuration file, indicating that the operators were proficient with the language.”
Tunnelling in through a VPN client rather than calling back to a dropped web shell gives the group durable access while leaving fewer artefacts on the web server itself, which makes the activity harder to spot than traditional web shell deployments.
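The tradecraft described above (a burst of discovery commands spawned under a web server worker, a file named ptiti.txt being consumed by an unknown loader, and a SoftEther VPN client running on an internal host) is the kind of thing a detection engineer can hunt for in process-creation telemetry. The script below is an added example written for this page; it is not code from the Talos report or from this article. The log lines are constructed, the JSON field names (ts, host, user, parent, image, cmdline, target_file) are an assumed export shape for Sysmon Event ID 1 / Security 4688 records, the web-server parent list and the SoftEther binary names (vpnclient.exe, vpncmd.exe, vpncmgr.exe) are assumptions to verify against your environment and installer, and update.exe is a hypothetical loader name used only to make the sample fire.

```python
"""Hunt for UAT-7237-style activity in process-creation / file-creation events.

Added example for this page, not from the Talos report. Field names, the
web-server parent list, the SoftEther binary names and the sample events
below are assumptions; adapt them to your own telemetry pipeline.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Discovery commands named in the article (matched with or without ".exe").
DISCOVERY = {"systeminfo", "ipconfig", "ping", "nslookup"}
# Web-server worker processes; discovery spawned beneath these is high severity (assumed list).
WEB_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "java.exe"}
# Default SoftEther Windows client binaries (assumption: verify against the installer).
SOFTETHER_BINS = {"vpnclient.exe", "vpncmd.exe", "vpncmgr.exe"}
# File name the article says SoundBill decodes from disk.
SOUNDBILL_FILE = "ptiti.txt"
WINDOW = timedelta(minutes=5)   # discovery burst window
MIN_DISTINCT = 3                # distinct discovery commands needed to alert

# Constructed sample telemetry (one JSON object per line). update.exe is hypothetical.
SAMPLE_EVENTS = r"""
{"ts": "2024-11-03T02:14:05Z", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c systeminfo"}
{"ts": "2024-11-03T02:14:09Z", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"}
{"ts": "2024-11-03T02:14:20Z", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c nslookup dc01.corp.example"}
{"ts": "2024-11-03T02:14:31Z", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c ping -n 1 10.0.0.5"}
{"ts": "2024-11-03T02:31:44Z", "host": "WEB01", "user": "WEB01\\Administrator", "parent": "cmd.exe", "image": "update.exe", "cmdline": "C:\\Users\\Public\\update.exe", "target_file": "C:\\Users\\Public\\ptiti.txt"}
{"ts": "2024-11-03T02:40:10Z", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe", "image": "vpnclient.exe", "cmdline": "C:\\ProgramData\\se\\vpnclient.exe /service"}
{"ts": "2024-11-03T09:00:00Z", "host": "ADMIN02", "user": "CORP\\jdoe", "parent": "explorer.exe", "image": "ipconfig.exe", "cmdline": "ipconfig /all"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def discovery_tools(ev: Dict) -> set:
    """Discovery commands referenced by the event's image name or any command-line token."""
    found = set()
    for token in [ev.get("image", "")] + ev.get("cmdline", "").split():
        name = token.lower().rsplit("\\", 1)[-1]
        if name.endswith(".exe"):
            name = name[:-4]
        if name in DISCOVERY:
            found.add(name)
    return found


def detect_discovery_bursts(events: List[Dict]) -> List[Dict]:
    """Alert when one host runs MIN_DISTINCT different discovery commands within WINDOW."""
    by_host: Dict[str, List] = {}
    for ev in events:
        tools = discovery_tools(ev)
        if tools:
            by_host.setdefault(ev["host"], []).append((ev, tools))
    findings = []
    for host, items in by_host.items():
        i = 0
        while i < len(items):
            start, seen, parents, j = items[i][0]["ts"], set(), set(), i
            while j < len(items) and items[j][0]["ts"] - start <= WINDOW:
                seen |= items[j][1]
                parents.add(items[j][0].get("parent", "").lower())
                j += 1
            if len(seen) >= MIN_DISTINCT:
                # Discovery driven from a web-server worker points at a compromised internet-facing host.
                findings.append({"rule": "discovery_burst", "host": host,
                                 "severity": "high" if parents & WEB_PARENTS else "medium",
                                 "commands": sorted(seen)})
                i = j  # skip past this burst so it is reported once
            else:
                i += 1
    return findings


def detect_softether(events: List[Dict]) -> List[Dict]:
    """Flag SoftEther client binaries; tune an allow-list for hosts where the client is sanctioned."""
    return [{"rule": "softether_client", "host": ev["host"], "image": ev["image"], "user": ev.get("user")}
            for ev in events if ev.get("image", "").lower() in SOFTETHER_BINS]


def detect_soundbill_artifact(events: List[Dict]) -> List[Dict]:
    """Flag any process or file event that references the SoundBill input file name."""
    out = []
    for ev in events:
        haystack = (ev.get("cmdline", "") + " " + ev.get("target_file", "")).lower()
        if SOUNDBILL_FILE in haystack:
            out.append({"rule": "soundbill_artifact", "host": ev["host"], "image": ev["image"],
                        "file": ev.get("target_file") or ev.get("cmdline")})
    return out


def hunt(text: str) -> List[Dict]:
    """Run all three detections over a JSON-lines export and return the findings."""
    events = parse_events(text)
    return detect_discovery_bursts(events) + detect_softether(events) + detect_soundbill_artifact(events)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

On the sample, the four commands under w3wp.exe on WEB01 produce one high-severity discovery_burst finding, the lone ipconfig on ADMIN02 stays below the threshold, and the vpnclient.exe start on FS01 and the ptiti.txt reference on WEB01 each produce their own finding. In production the SoftEther rule needs an allow-list of hosts where the client is legitimately installed, and the discovery rule should be scoped to internet-facing servers to keep administrator activity from paging anyone.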
UAT-7237 represents the latest example of Chinese-speaking APTs adapting open-source tools for stealth, persistence, and efficiency. With Taiwan’s web infrastructure providers now firmly in their crosshairs, the group poses a significant threat to organizations in the region.
Cisco Talos concludes that “UAT-7237 aims to establish long-term persistence in high-value victim environments.”