Taiwan Web Infrastructure Targeted by UAT-7237, Cisco Talos Says

A Chinese-speaking advanced persistent threat (APT) actor, tracked by Cisco Talos as UAT-7237, has targeted Taiwan’s web infrastructure entities using customized open-source tooling. The activity, active since at least 2022, is believed to be the work of a sub-group of UAT-5918, which has targeted Taiwan’s critical infrastructure since 2023, according to Talos.

The operation centers on a bespoke shellcode loader dubbed SoundBill, designed to decode and launch secondary payloads such as Cobalt Strike. While UAT-7237 shares some overlaps with UAT-5918, researchers note notable deviations, including the use of the SoftEther VPN client for persistence and later remote access via RDP, as well as the deployment of web shells after initial compromise to maintain access. The loader’s capabilities align with open-source tooling, including components linked to the VTHello project.

The intrusions typically begin with exploitation of known, unpatched flaws on internet-facing servers, followed by reconnaissance to determine if the target warrants further exploitation. After gaining a foothold, operators pivot across the enterprise to expand access, deploying SoundBill and using JuicyPotato and Mimikatz to escalate privileges and harvest credentials.

Researchers noted an updated variant of SoundBill that embeds a Mimikatz instance to facilitate credential dumping. The operation has also been observed using network-scanning tools such as FScan to identify open ports, and attempting to modify Windows Registry settings to disable User Account Control (UAC) and enable storage of cleartext passwords.
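The two registry changes described above leave a clear host-level trace, and are a common detection opportunity regardless of which actor makes them. The following is an added example, not code from the article or from the Talos report: it runs a small detection over constructed, Sysmon-style "registry value set" records (Event ID 13) and flags writes that set `EnableLUA` to 0 (UAC disabled) or WDigest `UseLogonCredential` to 1 (cleartext credentials retained in LSASS memory). The pipe-delimited field layout, the sample log lines and the process images are constructed for the example; real Sysmon output is XML and would need its own parser.

```python
"""Flag registry writes that disable UAC or enable cleartext credential storage.

Added example, not part of the article or of the Talos report. The log lines
below are constructed, and the pipe-delimited layout is a simplified rendering
of Sysmon Event ID 13 (RegistryEvent: Value Set), not Sysmon's actual XML.
"""
import re

# Registry values whose specific settings weaken host defences.
# EnableLUA = 0 turns User Account Control off; UseLogonCredential = 1 makes
# the WDigest provider keep plaintext credentials in LSASS memory.
WATCHED_VALUES = {
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua":
        ("UAC disabled", {"0"}),
    r"hklm\system\currentcontrolset\control\securityproviders\wdigest\uselogoncredential":
        ("WDigest cleartext credential storage enabled", {"1"}),
}

# Sysmon renders DWORD values as "DWORD (0x00000000)"; extract the hex number.
DWORD_RE = re.compile(r"DWORD\s*\(0x([0-9a-fA-F]+)\)")

# Constructed sample records (hypothetical hostnames and paths, not from the page).
CONSTRUCTED_LOG = [
    "EventID=13|Image=C:\\Windows\\System32\\reg.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
    "|Details=DWORD (0x00000000)",
    "EventID=13|Image=C:\\Windows\\System32\\reg.exe"
    "|TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
    "|Details=DWORD (0x00000001)",
    # Benign: the same UAC value written back to 1 (UAC stays enabled).
    "EventID=13|Image=C:\\Windows\\explorer.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
    "|Details=DWORD (0x00000001)",
    # Unrelated event type; must be ignored.
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=whoami",
]


def parse_record(line):
    """Split a 'k=v|k=v' record into a dict; values may themselves contain '='."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def normalize_key(target):
    """Lower-case the registry path and fold the long hive name to HKLM."""
    return target.lower().replace("hkey_local_machine", "hklm")


def parse_value(details):
    """Return the written value as a decimal string (DWORDs are shown in hex)."""
    match = DWORD_RE.search(details)
    if match:
        return str(int(match.group(1), 16))
    return details.strip()


def find_suspicious_registry_writes(lines):
    """Return one finding per Event ID 13 record that sets a watched value
    to a weakening setting; benign writes and other event types are skipped."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "13":
            continue
        key = normalize_key(rec.get("TargetObject", ""))
        if key not in WATCHED_VALUES:
            continue
        label, bad_values = WATCHED_VALUES[key]
        value = parse_value(rec.get("Details", ""))
        if value in bad_values:
            findings.append({
                "label": label,
                "image": rec.get("Image", ""),
                "target": rec.get("TargetObject", ""),
                "value": value,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_registry_writes(CONSTRUCTED_LOG):
        print(f"[{f['label']}] {f['image']} set {f['target']} = {f['value']}")
```

Running the block over the constructed records reports the two weakening writes and ignores both the benign `EnableLUA = 1` write and the non-registry event. In a real pipeline the same logic would sit behind a proper Sysmon or EDR parser, and the writing process image (here `reg.exe`) is worth keeping in the alert, since these values are rarely changed by anything other than policy tooling.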

The campaign’s linguistic profile appears to favor Simplified Chinese in the VPN client configuration, indicating operator proficiency in the language.

Separately, Intezer disclosed a FireWood variant tied to the China-aligned threat actor Gelsemium, noting changes in the backdoor’s implementation. Intezer’s analysis is published in its threat bulletin on FireWood; background on the backdoor’s earlier Linux-targeting use was documented by ESET last year.