A newly identified Chinese Advanced Persistent Threat (APT) group is systematically targeting web hosting firms in Taiwan, seeking to establish a long-term foothold for espionage and data theft. According to a recent report from Cisco Talos, the threat actor, tracked as UAT-7237, has successfully compromised at least one Taiwanese web hosting provider, demonstrating a clear focus on gaining access to high-value targets.
The attacks, which are part of a broader escalation of cyber intrusions against critical infrastructure in Taiwan, exploit known vulnerabilities on unpatched, internet-facing servers to gain initial access. Once inside the network, UAT-7237 deviates from the tactics of related Chinese groups by leveraging legitimate software, such as the SoftEther VPN client, to maintain a persistent presence. This method allows the attackers to evade detection and conduct malicious activities over extended periods, with researchers finding evidence that the group has been using this approach for more than two years.
UAT-7237’s primary objective is to acquire access to its victims’ VPN and cloud infrastructure. The group employs a mix of open-source and custom-built tools to carry out its operations. Noteworthy among its arsenal is a bespoke shellcode loader named “SoundBill,” which is written in Chinese and can deploy payloads like Cobalt Strike for information-stealing operations. The attackers also use credential-harvesting tools like Mimikatz and privilege escalation tools such as JuicyPotato to escalate privileges and move laterally within the compromised network.
While UAT-7237 is believed to be a subgroup of the larger Chinese-speaking APT UAT-5918, its distinct tactics and focus on web infrastructure suggest it is a separate and highly specialized cluster. The targeting of web hosting companies is particularly strategic as it provides a gateway to a multitude of clients, allowing the group to pivot from one compromised entity to others with relative ease. This latest report underscores the persistent and evolving cyber threat landscape in Taiwan, where state-backed hackers from China are increasingly seen as a primary source of attacks for both intelligence gathering and potential disruption of services.