A recent report from Cisco Talos exposes a cyber intrusion by a suspected Chinese-government-backed hacking collective, tracked as UAT-7237, into a Taiwanese web hosting provider. The attackers aimed to steal credentials and implant backdoors, enabling persistent and covert access to sensitive infrastructure.
The group has been active since at least 2022, based on forensic analysis of a remote server hosting SoftEther VPN—a favored tool for maintaining their foothold. The VPN client's configuration used Simplified Chinese, hinting at the attackers' origins.
Talos researchers believe UAT-7237 is a subgroup of the broader Chinese APT UAT-5918, which is notorious for targeting Taiwan's critical infrastructure and overlapping with other Chinese cyber gangs like Volt Typhoon and Flax Typhoon. Despite similarities, Talos distinguishes UAT-7237 by its unique operational tools and strategies.
UAT-7237 predominantly deploys Cobalt Strike as its main backdoor implant, while UAT-5918 leans on Meterpreter-based reverse shells and a greater number of web shells for remote access. UAT-7237 takes a more selective approach, deploying fewer web shells and relying instead on direct Remote Desktop Protocol (RDP) access and SoftEther VPN clients.
The report highlights that UAT-7237 exploits unpatched vulnerabilities on internet-facing servers for initial access. Once inside, the crew conducts quiet reconnaissance, seeking out valuable assets and setting up prolonged access. Their toolset blends custom and open-source software; notably, the SoundBill shellcode loader (based on VTHello, featuring decoy files from Chinese IM software QQ) is used for malware deployment.
For privilege escalation, UAT-7237 employs JuicyPotato, a tool favored by Chinese-speaking hackers, while credential theft is achieved through multiple methods—Mimikatz for extracting credentials, registry and disk searches, and further exploitation with BAT files. The ssp_dump_lsass project, found on GitHub, is also used to dump LSASS process memory and harvest credentials from it.
Network scanning is performed using FScan, allowing the group to map open ports on IP subnets and gather information about SMB services on target endpoints. Attackers then use stolen credentials to pivot laterally within the victim’s network, seeking further targets of interest.
Although Talos has not revealed the full scope of UAT-7237’s campaign or disclosed the vulnerabilities exploited, the findings underscore the importance of patching exposed systems and maintaining vigilant security practices. The published indicators of compromise serve as practical tools for organizations facing similar threats.