Researchers uncovered a sophisticated intrusion by UAT-7237, a Chinese-speaking APT group active since at least 2022 and assessed to be a subgroup of UAT-5918. The group recently compromised a Taiwanese web hosting provider, targeting its VPN and cloud infrastructure. Unlike its parent group, UAT-7237 deploys web shells only selectively and instead prefers SoftEther VPN and RDP for backdoor access. Its operations are geared toward long-term persistence: customized open-source tooling, low-noise reconnaissance, credential extraction, and lateral movement are used to keep access to, and control over, the targeted enterprise environment.
UAT-7237’s campaign combines several distinct techniques. The group gains initial access by exploiting known vulnerabilities in public-facing servers, then runs a custom shellcode loader called SoundBill that can execute Cobalt Strike payloads or embedded Mimikatz modules. Reconnaissance and lateral movement rely on LOLBins and tools such as SharpWMI and WMICmd, and privilege escalation on JuicyPotato. Changes to Windows registry settings further entrench the intruders' foothold, and credential harvesting extends to dumping LSASS memory and discovering VNC configurations on compromised hosts.
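The tradecraft above (LSASS memory access, registry changes that weaken credential protection, WMI and JuicyPotato tooling) maps directly onto Sysmon events. The following detector is an added illustration, not code from the researchers or from the threat actor's toolkit. It runs over constructed Sysmon-style events embedded inline. The registry values it watches (EnableLUA set to 0, WDigest UseLogonCredential set to 1) and the process names it matches are assumptions typical of this kind of intrusion; the page names the tools but not the exact keys or filenames.

```python
"""Toy Sysmon-event detector for the UAT-7237 TTPs summarised above.

Added example; constructed sample events. Covers three signals:
  * EventID 10 (ProcessAccess): a non-allowlisted process reading LSASS memory.
  * EventID 13 (RegistryEvent): credential-weakening registry writes (assumed keys).
  * EventID 1  (ProcessCreate): JuicyPotato / SharpWMI / WMICmd-style tool names (assumed).
"""
import re

# Assumed registry targets (not named on the page): disabling UAC and forcing
# WDigest to keep plaintext credentials are classic steps before an LSASS dump.
# Values are the "bad" settings we alert on.
SUSPICIOUS_REG = {
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua": 0,
    r"hklm\system\currentcontrolset\control\securityproviders\wdigest\uselogoncredential": 1,
}

# Tool names as they commonly appear on disk or on the command line (assumption).
SUSPICIOUS_TOOL = re.compile(r"juicypotato|sharpwmi|wmicmd", re.I)

# Processes expected to open LSASS on a healthy host; everything else is suspect.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe", "svchost.exe"}

PROCESS_VM_READ = 0x10  # access-right bit present in every memory-dump request


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev: dict) -> list[str]:
    """Return alert strings for one Sysmon-style event (empty list if benign)."""
    alerts = []
    eid = ev.get("EventID")

    if eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        src = _basename(ev.get("SourceImage", ""))
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if src not in LSASS_ALLOWLIST and granted & PROCESS_VM_READ:
            alerts.append(f"lsass-access: {src} GrantedAccess=0x{granted:x}")

    elif eid == 13:
        key = ev.get("TargetObject", "").lower()
        if key in SUSPICIOUS_REG:
            # Sysmon renders DWORD writes as e.g. "DWORD (0x00000000)".
            m = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.I)
            if m and int(m.group(1), 16) == SUSPICIOUS_REG[key]:
                alerts.append(f"registry-weakening: {key.rsplit(chr(92), 1)[-1]}={SUSPICIOUS_REG[key]}")

    elif eid == 1:
        haystack = ev.get("Image", "") + " " + ev.get("CommandLine", "")
        m = SUSPICIOUS_TOOL.search(haystack)
        if m:
            alerts.append(f"tooling: {m.group(0).lower()} spawned by {_basename(ev.get('ParentImage', ''))}")

    return alerts


def scan(events: list[dict]) -> list[str]:
    return [a for ev in events for a in check_event(ev)]


# Constructed sample events (not real telemetry). Two are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\ProgramData\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\JuicyPotato.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "JuicyPotato.exe -l 1337 -p cmd.exe -t *"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The LSASS rule keys on the PROCESS_VM_READ bit rather than on a fixed GrantedAccess value, because dumpers request varying masks (0x1010, 0x1410, 0x1fffff) but all need memory-read rights; the registry rule alerts only when the written value is the weakening one, so a hardening script that re-enables UAC does not fire it.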