Typhoon-adjacent crew breaking into Taiwanese web host • The Register

08/15/2025


A suspected Chinese-government-backed cyber crew recently broke into a Taiwanese web hosting provider to steal credentials and plant backdoors for long-term access, using a mix of open-source and custom software tools, Cisco Talos reports.

Talos tracks the Chinese-speaking advanced persistent threat (APT) group as UAT-7237 and says that it has been active since at least 2022.

The security team estimated the active time period by analyzing a remote server hosting the SoftEther VPN client that UAT-7237 uses for persistent access. The server was created in September 2022 and last used in December 2024. The group also specified Simplified Chinese as the VPN’s preferred display language.

Talos believes that this crew is a subgroup of another Chinese APT, UAT-5918, which also targets Taiwan’s critical infrastructure and overlaps with several Beijing-backed goon squads, including Volt Typhoon and Flax Typhoon.

However, despite the overlaps, the threat hunters designate UAT-7237 as a separate group because of some distinct differences in its tactics, techniques, and procedures. 

Specifically, UAT-7237 primarily uses Cobalt Strike as its favored backdoor implant, while UAT-5918 prefers Meterpreter-based reverse shells. Post-compromise, UAT-5918 tends to deploy a ton of web shells, compared to UAT-7237, which is more selective and only deploys a few on select endpoints.

Additionally, UAT-5918 relies on web shells for backdoor access while UAT-7237 uses a combination of direct remote desktop protocol (RDP) and SoftEther VPN clients.

In a Friday report, Talos documents an intrusion during which UAT-7237 compromised an unnamed Taiwanese web hosting provider. “It is worth noting that the threat actor had a particular interest in gaining access to the victim organization’s VPN and cloud infrastructure,” Talos researchers Asheer Malhotra, Brandon White, and Vitor Ventura wrote.

The report doesn’t indicate how many other organizations UAT-7237 successfully compromised, nor does it specify other sectors this crew has targeted. 

Talos declined to answer any of The Register's questions about the group's victims, size and scope of recent campaigns, and the vulnerabilities UAT-7237 exploited to gain initial access. The security shop did publish indicators of compromise for its UAT-7237 research on its GitHub repository here, so we'd suggest giving those a scan.

More reasons to patch

According to the threat intel team, UAT-7237 gains initial access via known vulnerabilities on unpatched servers exposed to the internet. After they break in, they stealthily conduct reconnaissance to determine if the victim has anything of value and establish long-term access using the SoftEther VPN client.

Post-compromise, the group deploys both custom-built and open-source tools. Among the customized malware, UAT-7237 uses SoundBill, a shellcode loader written in Chinese and based on VTHello. 

In addition to the shellcode, SoundBill contains two embedded executables that originate from QQ, a Chinese instant messaging software. Talos says that these are likely decoy files, used in phishing attacks.

JuicyPotato, a privilege escalation tool popular with Chinese-speaking hackers, is another piece of malware that UAT-7237 uses to execute commands on compromised endpoints.

The attackers “on several occasions” attempted to change settings and configurations, adjust privileges to allow their malicious activity, and enable storage of cleartext passwords.

They use other methods for their credential-stealing endeavors as well, including Mimikatz to extract credentials from the infected endpoints, and searches of the registry and disk.

Talos also notes that the crew uses another “likely open-source” tool to invoke a BAT file and execute commands on the endpoints. They also deploy another executable, the ssp_dump_lsass project on GitHub, which dumps Local Security Authority Service (LSASS) memory and steals credentials. However, the JuicyPotato malware can also extract credentials via the BAT file, we’re told.
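Two of the behaviours described above, the registry change that enables cleartext password storage and the dumping of LSASS memory, are the kind of signals a defender can check for in endpoint telemetry. The following detector is an added example, not code from Talos or from the article; it assumes Sysmon-style "Key=Value" event lines, constructed here rather than taken from the intrusion, and assumes that the cleartext-password setting the article refers to is the WDigest UseLogonCredential value, which the article does not name.

```python
import re

# Assumption (the article does not name the setting): "storage of cleartext passwords" means
# the WDigest UseLogonCredential value, which when set to 1 keeps logon passwords in LSASS memory.
WDIGEST_VALUE = r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Constructed Sysmon-style lines (Event ID 13 = registry value set, Event ID 10 = process access);
# these are illustrative, not telemetry from the intrusion the article describes.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=" + WDIGEST_VALUE + " Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain Details=corp.example",
    r"EventID=10 SourceImage=C:\Users\Public\dump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Split a 'Key=Value Key=Value' line into a dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line))

def wdigest_cleartext_enabled(ev):
    """Registry write that turns on cleartext credential caching in LSASS."""
    return (ev.get("EventID") == "13"
            and ev.get("TargetObject", "").lower() == WDIGEST_VALUE.lower()
            and ev.get("Details", "").endswith("(0x00000001)"))

def lsass_memory_read(ev):
    """A process opening lsass.exe with memory-read rights, the core step of an LSASS dump."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)

def scan(lines):
    """Return (rule name, offending image) pairs for every event line that trips a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if wdigest_cleartext_enabled(ev):
            findings.append(("wdigest_cleartext_enabled", ev["Image"]))
        if lsass_memory_read(ev):
            findings.append(("lsass_memory_read", ev["SourceImage"]))
    return findings

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

In production the LSASS rule needs an allowlist of legitimate readers (EDR agents, some system processes), otherwise it will be noisy.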

For its network-scanning activities, UAT-7237 uses FScan to search for open ports against IP subnets and SMB scans to identify SMB service information on specific endpoints.

And then, once the gang finds other accessible systems, they quickly conduct additional recon to see if they can pivot to these as well using the previously swiped credentials. ®
