A Chinese-speaking advanced persistent threat (APT) actor has been observed targeting web infrastructure entities in Taiwan using customized versions of open-sourced tools with an aim to establish long-term access within high-value victim environments.
The activity has been attributed by Cisco Talos to an activity cluster it tracks as UAT-7237, which is believed to be active since at least 2022. The hacking group is assessed to be a sub-group of UAT-5918, which is known to be attacking critical infrastructure entities in Taiwan as far back as 2023.
“UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise,” Talos said.
The attacks are characterized by the use of a bespoke shellcode loader dubbed SoundBill that’s designed to decode and launch secondary payloads, such as Cobalt Strike.
Despite the tactical overlaps with UAT-5918, UAT-7237’s tradecraft exhibits notable deviations, including its reliance on Cobalt Strike as a primary backdoor, the selective deployment of web shells after initial compromise, and the incorporation of direct remote desktop protocol (RDP) access and SoftEther VPN clients for persistent access.
The attack chains begin with the exploitation of known security flaws against unpatched servers exposed to the internet, followed by conducting initial reconnaissance and fingerprinting to determine if the target is of interest to the threat actors for follow-on exploitation.
“While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client (similar to Flax Typhoon) to persist their access, and later access the systems via RDP,” researchers Asheer Malhotra, Brandon White, and Vitor Ventura said.
Once this step is successful, the attacker pivots to other systems across the enterprise to expand their reach and carry out further activities, including the deployment of SoundBill, a shellcode loader based on VTHello, for launching Cobalt Strike.
Also deployed on compromised hosts is JuicyPotato, a privilege escalation tool widely used by various Chinese hacking groups, and Mimikatz to extract credentials. In an interesting twist, subsequent attacks have leveraged an updated version of SoundBill that embeds a Mimikatz instance into it in order to achieve the same goals.
Besides using FScan to identify open ports against IP subnets, UAT-7237 has been observed attempting to make Windows Registry changes to disable User Account Control (UAC) and turn on storage of cleartext passwords.
“UAT-7237 specified Simplified Chinese as the preferred display language in their [SoftEther] VPN client’s language configuration file, indicating that the operators were proficient with the language,” Talos noted.
The disclosure comes as Intezer said it discovered a new variant of a known backdoor called FireWood that’s associated with a China-aligned threat actor called Gelsemium, albeit with low confidence.
FireWood was first documented by ESET in November 2024, detailing its ability to leverage a kernel driver rootkit module called usbdev.ko to hide processes, and run various commands sent by an attacker-controlled server.
“The core functionality of the backdoor remains the same but we did notice some changes in the implementation and the configuration of the backdoor,” Intezer researcher Nicole Fishbein said. “It is unclear if the kernel module was also updated as we were not able to collect it.”
