Ethical Hacking News
APT group UAT-7237 targets web infrastructure in Taiwan using customized open-source tools, aiming to establish long-term access within high-value victim environments. The threat actor's tactics include exploiting unpatched servers, rapid reconnaissance, and persistence via SoftEther VPN and RDP, making it essential for organizations to stay vigilant and develop proactive security measures.
Taiwan's web infrastructure has been targeted by APT group UAT-7237 since at least 2022. UAT-7237 uses customized open-source tools to evade detection and conduct malicious activities within compromised enterprise environments. Talos assesses the threat actor to be a subgroup of UAT-5918, a related cluster rather than an independent actor. UAT-7237 exploits unpatched servers for initial access, followed by rapid reconnaissance and establishment of persistence via SoftEther VPN and RDP. For lateral movement the actor enumerates SMB shares and checks for domain admins and domain controllers. UAT-7237 deploys custom tools to maintain access and steal data, using Mimikatz for credential theft and Cobalt Strike for long-term access. It expands its foothold within networks using tools like FScan and SMB scans to find accessible systems. Talos researchers have published IOCs for this research on GitHub to help cybersecurity professionals stay ahead of UAT-7237.
Taiwan's web infrastructure has been targeted by a persistent threat actor, tracked by Cisco Talos as Advanced Persistent Threat (APT) group UAT-7237. The intrusions, analyzed in a recent Talos report, show a group focused on quiet, long-term access to its victims rather than quick one-off compromises.
According to recent research published by Talos experts, APT UAT-7237 has been actively targeting web infrastructure entities in Taiwan since at least 2022. The threat group relies heavily on customized open-source tools, tailored to evade detection and conduct malicious activities within compromised enterprise environments.
The research reveals that UAT-7237 has significant overlaps with another info-stealing threat actor, UAT-5918, which has been active since at least 2023. Talos assesses that UAT-7237 is likely a subgroup of UAT-5918: a related cluster that shares tooling and tradecraft with the parent group, not an independent actor.
The tactics, techniques, and procedures (TTPs) employed by UAT-7237 follow a consistent pattern. The threat actor exploits known vulnerabilities in unpatched, internet-facing servers for initial access, followed by rapid reconnaissance using built-in commands like nslookup, systeminfo, and ping. This is quickly followed by the establishment of persistence via SoftEther VPN and RDP rather than web shells; a VPN tunnel and an RDP session blend in with legitimate remote-access traffic far better than a shell sitting on the web server.
Once inside, UAT-7237 performs discovery and lateral movement rather than social engineering: it enumerates SMB shares and checks for domain admins and domain controllers. Rather than relying on built-in utilities alone, the actor uses WMI-based tooling such as SharpWMI (an open-source C# WMI client) and WMICmd to run commands, gather system information, and prepare for further attacks.
Once inside the network, UAT-7237 deploys custom and open-source tools to maintain access and steal data. The threat actor's custom loader, SoundBill, decodes and executes shellcode from files like ptiti.txt, running payloads ranging from Mimikatz to Cobalt Strike for credential theft and long-term access.
SoundBill also embeds two executables from QQ, a Chinese messaging app, possibly intended as decoys. UAT-7237 uses JuicyPotato for privilege escalation and weakens host security through registry changes, such as disabling UAC and enabling clear-text credential storage, which makes plaintext passwords recoverable from LSASS memory by tools like Mimikatz.
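The two registry changes described above are easy to audit on a fleet of Windows servers. The PowerShell script below is an added example, not code from Talos or from the article. The page does not name the registry values involved, so the script assumes the usual mechanism: EnableLUA under the Policies\System key for UAC, and WDigest's UseLogonCredential for cleartext credential caching. Run it from an elevated session; with -Remediate it writes the hardened values back.

```powershell
# Added example (not from Talos or the article): audit the two host-hardening
# settings the report says UAT-7237 weakens, and optionally restore them.
# Assumptions, since the page names neither registry value:
#   "disabling UAC"               -> EnableLUA = 0
#   "clear-text password storage" -> WDigest UseLogonCredential = 1
# Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remediate   # write the hardened value back where a check fails
)

$checks = @(
    @{
        Name     = 'UAC enabled (EnableLUA)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value    = 'EnableLUA'
        Expected = 1   # 1 = UAC on; the attacker sets 0
        Default  = 1   # effective value when the entry is missing
    },
    @{
        Name     = 'WDigest cleartext caching off (UseLogonCredential)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        Value    = 'UseLogonCredential'
        Expected = 0   # 0 = LSASS keeps no plaintext passwords; the attacker sets 1
        Default  = 0   # missing = off on Windows 8.1 / Server 2012 R2 and later
    }
)

$findings = foreach ($c in $checks) {
    $props   = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
    $current = if ($null -ne $props -and $null -ne $props.($c.Value)) {
                   [int]$props.($c.Value)
               } else {
                   $c.Default
               }
    $ok = ($current -eq $c.Expected)

    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
    }

    [pscustomobject]@{
        Check    = $c.Name
        Current  = $current
        Expected = $c.Expected
        Status   = if ($ok) { 'OK' } elseif ($Remediate) { 'REMEDIATED' } else { 'WEAKENED' }
    }
}

$findings | Format-Table -AutoSize
# Non-zero exit lets a scheduled job or compliance scan flag the host.
if ($findings.Status -contains 'WEAKENED') { exit 1 }
```

Two caveats for use during an incident: a changed EnableLUA only takes effect after a reboot, and restoring these values on a host that already has a WEAKENED finding is containment, not eradication. The finding itself is the more valuable output, because neither value is normally changed on a web server and a drift is worth a full investigation of who changed it and when.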
Credentials are harvested primarily with Mimikatz, sometimes embedded in SoundBill, and through LSASS memory dumps (a tool named Project1.exe) or registry searches for stored VNC credentials. Extracted data is compressed for exfiltration, and the harvested credentials let the attackers pivot, escalate privileges, and maintain persistence.
The threat actor expands its foothold within networks using tools like FScan and SMB scans to find accessible systems, then pivots with stolen credentials. Long-term access is maintained via SoftEther VPN; the VPN configuration was in Simplified Chinese, indicating that the operators are proficient in that language. The VPN setup was active from September 2022 to December 2024, showing extended use.
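The persistence channels described above (SoftEther VPN and RDP) leave host-level artifacts that can be checked without the Talos IOCs. The PowerShell script below is an added example, not code from Talos or from the article; it triages one Windows host. Its assumptions are not stated on the page: SoftEther registers a Windows service whose display name contains "SoftEther" (service names beginning SEVPN are a further assumption), runs binaries named vpnserver*, vpnclient*, vpnbridge* or vpncmd*, and keeps its settings in vpn_server.config, vpn_client.config or vpn_bridge.config; RDP is enabled when fDenyTSConnections is 0; and the staging directories searched are a guess at common drop locations.

```powershell
# Added example (not from Talos or the article): triage one Windows host for the
# persistence channels the report describes, SoftEther VPN and RDP.
# Assumptions not stated on the page: SoftEther registers a service whose display
# name contains "SoftEther" (service names starting SEVPN are assumed too), runs
# binaries named vpnserver*/vpnclient*/vpnbridge*/vpncmd*, and stores its settings
# in vpn_server.config / vpn_client.config / vpn_bridge.config; RDP is enabled when
# fDenyTSConnections = 0. The staging directories are a guess. Run elevated.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Kind, $Item, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Item = $Item; Detail = $Detail })
}

# 1. Services. SoftEther is a legitimate product, so a hit is an artifact to
#    explain (who installed it, when, and why on a web server), not proof alone.
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like '*SoftEther*' -or $_.Name -like 'SEVPN*' } |
    ForEach-Object { Add-Finding 'Service' $_.Name "$($_.State); $($_.StartMode); $($_.PathName)" }

# 2. Running SoftEther binaries and the ports they listen on (the server side
#    of a VPN tunnel must accept connections from the operator).
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^vpn(server|client|bridge|cmd)' } |
    ForEach-Object {
        $procId = $_.Id
        $ports  = ($listening | Where-Object { $_.OwningProcess -eq $procId } |
                   Select-Object -ExpandProperty LocalPort | Sort-Object -Unique) -join ','
        Add-Finding 'Process' "$($_.Name) (PID $procId)" "listening on [$ports]; $($_.Path)"
    }

# 3. Configuration files in user, data and temp directories. The report describes
#    an operator-configured deployment, so a config outside a stock install path
#    is the interesting case; its timestamp dates the setup.
$stagingRoots = 'C:\Users', 'C:\ProgramData', 'C:\Windows\Temp', 'C:\inetpub'
Get-ChildItem -Path $stagingRoots -Recurse -Force -ErrorAction SilentlyContinue `
    -Include 'vpn_server.config', 'vpn_client.config', 'vpn_bridge.config' |
    ForEach-Object { Add-Finding 'Config' $_.FullName "last written $($_.LastWriteTime)" }

# 4. RDP enabled, and the remote-interactive logons (event 4624, logon type 10)
#    that used it in the last 7 days, grouped by source address and account.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    Add-Finding 'RDP' 'fDenyTSConnections=0' 'RDP is enabled; confirm it is expected on this server'
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Group-Object { "$($_.Properties[18].Value) -> $($_.Properties[6].Value)\$($_.Properties[5].Value)" } |
    ForEach-Object { Add-Finding 'RDP logon' $_.Name "$($_.Count) logon(s), most recent $($_.Group[0].TimeCreated)" }

$findings | Format-Table -AutoSize -Wrap
```

Read the output as leads rather than verdicts: a SoftEther service with a config file under C:\Users or C:\Windows\Temp, a listening vpnserver process, and RDP logons from an address that is not a known jump host together match the tradecraft in the report, and the config's last-write time gives a first estimate of how long the access has existed. Event 4624 with logon type 10 only records RDP sessions that reached the host's Security log, so on a server with audit logging off the RDP section will be empty even when sessions occurred.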
The Talos researchers have published IOCs for this research on GitHub, providing a valuable resource for cybersecurity professionals seeking to stay ahead of this threat actor.
In conclusion, the sophisticated tactics and techniques employed by APT UAT-7237 pose a significant challenge to organizations protecting their web infrastructure. By understanding the TTPs and capabilities of this threat actor, cybersecurity professionals can develop effective strategies to detect and prevent future attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Taiwan-Web-Infrastructure-Targeted-by-APT-UAT-7237-Unveiling-the-Sophisticated-Threat-Actor-Behind-the-Scenes-ehn.shtml
https://securityaffairs.com/181195/apt/taiwan-web-infrastructure-targeted-by-apt-uat-7237-with-custom-toolset.html
https://blog.talosintelligence.com/uat-7237-targets-web-hosting-infra/
https://thehackernews.com/2025/08/taiwan-web-servers-breached-by-uat-7237.html
Published: Sat Aug 16 03:02:15 2025 by llama3.2 3B Q4_K_M