UAT-5918 targets critical infrastructure entities in Taiwan

By Jungsoo An
Published: 2025-03-20 · Archived: 2026-04-05 15:39:03 UTC

Cisco Talos discovered a malicious campaign we track under the UAT-5918 umbrella that has been active since at least 2023.

UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities that establish persistence in victim environments for information theft and credential harvesting.

We assess that UAT-5918's post-compromise activity, tactics, techniques, and procedures (TTPs), and victimology overlap most closely with the Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit intrusions we've observed in the past.

UAT-5918's activity cluster

Overview

Talos assesses with high confidence that UAT-5918 is an advanced persistent threat (APT) group that targets entities in Taiwan to establish long-term persistent access in victim environments. UAT-5918 usually obtains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet. The threat actor subsequently uses a plethora of open-source tools for network reconnaissance to move through the compromised enterprise.

The activity we monitored suggests that the post-compromise activity is carried out manually, with information theft as the main goal. It also includes the deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry into the victim organizations. UAT-5918's intrusions harvest local and domain-level user credentials and create new administrative user accounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor. Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg.
Credential harvesting is accomplished by dumping registry hives and NTDS and by using tools such as Mimikatz and browser credential extractors. These credentials are then used to perform lateral movement via RDP, WMIC (PowerShell remoting), or Impacket.

UAT-5918 activity cluster overlaps

UAT-5918's tooling and TTPs overlap substantially with those of several APT groups, including Volt Typhoon, Flax Typhoon, and Dalbit.

https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/ Page 1 of 12

Figure 1. UAT-5918 TTPs and tooling overlaps with similar APT groups.

There is a significant overlap in post-compromise tooling and TTPs with Volt Typhoon, such as: using ping and tools like In-Swor for network discovery; gathering system information such as drives and partitions; gathering logical drive information such as names, IDs, size, and free space; credential dumping from web browser applications; using open-source tools such as frp, Earthworm, and Impacket for establishing control channels; and the absence of custom-made malware. The U.S. government assesses that Volt Typhoon is a PRC state-sponsored actor conducting cyberattacks against U.S. critical infrastructure.

Multiple tools used in this intrusion also overlap with tooling used by Flax Typhoon in the past, such as the Chopper web shell, Mimikatz, JuicyPotato, Metasploit, WMIC, and PowerShell, along with tactics such as relying on RDP and other web shells to persist in the enterprise and using WMIC for gathering system information. The U.S. government attributes Flax Typhoon, a Chinese government-sponsored threat actor, to the Integrity Technology Group, a PRC-based company.

Additionally, tooling such as FRP, FScan, In-Swor, and Neo-reGeorg, as well as file paths and names used by UAT-5918, overlap with those used by Tropic Trooper. Tropic Trooper's malware suite, specifically Crowdoor Loader and SparrowDoor, overlaps with the threat actors known as Famous Sparrow and Earth Estries.
We have also observed overlaps in tooling and tactics between this UAT-5918 campaign and operations conducted by Earth Estries, including the use of FRP, FScan, web shells, Impacket, living-off-the-land binaries (LoLBins), etc. Furthermore, we've discovered similar tooling between UAT-5918 and Dalbit, consisting of port scanners, proxying tools, reverse shells, and reconnaissance TTPs.

It is worth noting that a subset of the tools UAT-5918 uses, such as LaZagne, SNetCracker, PortBrute, and NetSpy, has not been seen in use by the aforementioned threat actors in public reporting. It is highly likely that this tooling is used exclusively by UAT-5918, or that its usage by other related groups has been omitted from publicly available disclosures.

Victimology and targeted verticals

UAT-5918 also overlaps with the previously mentioned APT groups in terms of targeted geographies and industry verticals, indicating that this threat actor's operations align with the strategic goals of that set of threat actors.

We have primarily observed UAT-5918 targeting entities in Taiwan in industry verticals such as telecommunications, healthcare, information technology, and other critical infrastructure sectors. Similar verticals and geographies have also been targeted by APT groups such as Volt Typhoon, Flax Typhoon, Earth Estries, Tropic Trooper, and Dalbit.

Initial access and reconnaissance

UAT-5918 typically gains initial access to its victims by exploiting known vulnerabilities on unpatched servers exposed to the internet. Activity following a successful compromise consists of preliminary reconnaissance to identify users and domains and to gather system information.
Typical commands executed on endpoints include:

    ping
    net user
    systeminfo
    arp -a
    route print
    tasklist
    tasklist -v
    netstat -ano
    whoami
    ipconfig
    query user
    cmd /c dir c:\users\\Desktop
    cmd /c dir c:\users\\Documents
    cmd /c dir c:\users\\Downloads

Initial credential reconnaissance is carried out using the cmdkey command:

    cmdkey /list

The threat actor then proceeds to download and place publicly available red-teaming tools (illustrated in subsequent sections) on endpoints to carry out further actions. In some cases, UAT-5918 also disabled Microsoft Defender's scanning of their working directories on disk:

    powershell.exe -exec bypass Add-MpPreference -ExclusionPath
    powershell Get-MpPreference

Post-compromise tooling

UAT-5918's post-compromise tooling consists of web shells, some of which are publicly available, such as the Chopper web shell; multiple red-teaming and network scanning tools; and credential harvesters.

Reverse proxies and tunnels

The actor uses FRP and Neo-reGeorg to establish reverse proxy tunnels for accessing compromised endpoints via attacker-controlled remote hosts. The tools are usually downloaded as archives and extracted before execution.

The Earthworm (ew) tool for establishing proxies is also run.

Port scanning

FScan is a port and vulnerability scanning tool that can scan ranges of IP addresses and ports specified by the attackers. Talos has observed the actor scanning these ports in particular:

    21 22 80 81 83 91 135 443 445 888 808 889 5432 8000 8080 54577 11211

The threat actor also relies extensively on In-Swor, a publicly available tool authored and documented by Chinese-speaking individuals, for conducting port scans across ranges of IP addresses.
A sample command of In-Swor's use is:

    Run[.]exe -h /24 -nopoc -pwdf pw[.]txt -p 1521,6379 -t 4

In-Swor was used to scan for the following ports across IP address ranges:

    22     SSH
    80     HTTP
    135    RPC
    445    SMB
    1433   SQL Server
    1521   Oracle DBs
    3306   MySQL
    3389   RDP
    4194   Kubernetes?
    5432   PostgreSQL
    5900   VNC
    6379   Redis
    10248  ?
    10250  Kubernetes
    10255  MongoDB

In other instances, In-Swor was used to establish proxy channels:

    svchost[.]exe proxy -l *:22 -k 9999
    svchost[.]exe proxy -l *:443 -k 9999
    svchost[.]exe proxy -hc -l *:443 -k 99997654
    svchost[.]exe -hc proxy -l *:443 -k 99997654
    svchost[.]exe proxy -l 443 -v
    svchost[.]exe -type server -proto tcp -listen :443
    svchost[.]exe -type server -proto http -listen :443
    svchost[.]exe -type server -proto rhttp -listen :443

In addition to FScan, PortBrute, another password brute forcer for multiple protocols such as FTP, SSH, SMB, MySQL, MongoDB, etc., was also downloaded and used:

    PortBruteWin(5).exe -up :

Additional network reconnaissance

The threat actor uses two utilities for monitoring current connections on the compromised hosts: NirSoft's CurrPorts utility and TCPView. Both tools are likely used to perform additional network discovery to find accessible hosts to pivot to:

    C:\Users\\Desktop\cports-x64/cports.exe
    C:\Users\\Desktop\TCPView\tcpview64.exe

The threat actor also uses PowerShell-based scripts to attempt SMB logins to specific endpoints they have already identified:

    powershell[.]exe -file C:\ProgramData\smblogin-extra-mini.ps1

Netspy, another tool authored and documented by Chinese-speaking individuals, is a network segmentation discovery tool that UAT-5918 employs occasionally for discovery.
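From a defender's view, the reconnaissance command list in the "Initial access and reconnaissance" section and the FScan / In-Swor port lists above have the same shape: a single host emitting many distinct things in a short time (many different discovery commands; many different destination hosts on scan-worthy ports). The script below is an added example, not Talos code and not any of the tools named in the report; it generalises both into one sliding-window distinct-count routine and runs it over two constructed log formats that are assumptions for the example (`timestamp|host|command_line` process-creation lines and `timestamp|src_ip|dst_ip|dst_port` flow lines). Thresholds and window lengths are illustrative and need tuning to the environment.

```python
"""Sliding-window cardinality detection for two UAT-5918 behaviours described in
the report: a burst of reconnaissance commands on one host and a port sweep
from one source across many hosts on the FScan / In-Swor port lists.

Added example, not Talos code. Both log formats are assumed and the sample
data is constructed:
  process log: 'timestamp|host|command_line'
  flow log:    'timestamp|src_ip|dst_ip|dst_port'
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance commands named in the report, as command-line regexes.
RECON = {
    "net_user": re.compile(r"^net1?(\.exe)?\s+user\b", re.I),
    "systeminfo": re.compile(r"^systeminfo", re.I),
    "arp": re.compile(r"^arp(\.exe)?\s+-a\b", re.I),
    "route_print": re.compile(r"^route(\.exe)?\s+print", re.I),
    "tasklist": re.compile(r"^tasklist", re.I),
    "netstat": re.compile(r"^netstat(\.exe)?\s+-ano", re.I),
    "whoami": re.compile(r"^whoami", re.I),
    "ipconfig": re.compile(r"^ipconfig", re.I),
    "query_user": re.compile(r"^query(\.exe)?\s+user", re.I),
    "cmdkey_list": re.compile(r"^cmdkey(\.exe)?\s+/list", re.I),
    "dir_user_folders": re.compile(r"^cmd(\.exe)?\s+/c\s+dir\s+c:\\users\\.*(desktop|documents|downloads)", re.I),
}
# Union of the FScan and In-Swor port lists given in the report.
SCAN_PORTS = {21, 22, 80, 81, 83, 91, 135, 443, 445, 808, 888, 889, 1433, 1521,
              3306, 3389, 4194, 5432, 5900, 6379, 8000, 8080, 10248, 10250,
              10255, 11211, 54577}


def windowed_distinct(events, window, threshold):
    """events: iterable of (timestamp, key, value). Returns {key: sorted values}
    for every key that accumulates >= threshold distinct values inside some
    span of length `window` (the first qualifying span per key)."""
    by_key = defaultdict(list)
    for ts, key, value in events:
        by_key[key].append((ts, value))
    hits = {}
    for key, evs in by_key.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {v for t, v in evs[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[key] = sorted(seen)
                break
    return hits


def recon_bursts(proc_lines, window=timedelta(minutes=10), threshold=4):
    """Hosts that ran >= threshold distinct recon commands within the window."""
    events = []
    for line in filter(str.strip, proc_lines):
        ts, host, cmd = line.split("|", 2)
        for tag, rx in RECON.items():
            if rx.search(cmd.strip()):
                events.append((datetime.fromisoformat(ts), host, tag))
    return windowed_distinct(events, window, threshold)


def port_sweeps(flow_lines, window=timedelta(minutes=5), threshold=20):
    """Sources that touched >= threshold distinct hosts on scan ports within the window."""
    events = []
    for line in filter(str.strip, flow_lines):
        ts, src, dst, dport = line.split("|")
        if int(dport) in SCAN_PORTS:
            events.append((datetime.fromisoformat(ts), src, dst))
    return windowed_distinct(events, window, threshold)


# Constructed sample: a web server runs six recon commands in two minutes;
# a workstation runs two unrelated ones hours apart (should not alert).
PROC_LOG = """
2025-03-01T09:00:01|WEB01|whoami
2025-03-01T09:00:05|WEB01|net user
2025-03-01T09:00:20|WEB01|systeminfo
2025-03-01T09:01:00|WEB01|arp -a
2025-03-01T09:01:30|WEB01|netstat -ano
2025-03-01T09:02:10|WEB01|cmdkey /list
2025-03-01T10:15:00|WS07|ipconfig
2025-03-01T14:40:00|WS07|whoami
""".splitlines()


def build_flow_log():
    """Constructed sample: 10.10.5.23 sweeps 10.10.8.1-40 on SMB and RDP, one
    host every two seconds; 10.10.5.40 talks to three servers over an hour."""
    base = datetime(2025, 3, 1, 2, 0, 0)
    flows = []
    for i in range(1, 41):
        t = (base + timedelta(seconds=2 * i)).isoformat()
        flows += [f"{t}|10.10.5.23|10.10.8.{i}|445", f"{t}|10.10.5.23|10.10.8.{i}|3389"]
    for i, (dst, port) in enumerate([("10.10.8.5", 445), ("10.10.8.6", 443), ("10.10.8.7", 80)]):
        flows.append(f"{(base + timedelta(minutes=20 * i)).isoformat()}|10.10.5.40|{dst}|{port}")
    return flows


if __name__ == "__main__":
    print(recon_bursts(PROC_LOG))
    print(port_sweeps(build_flow_log()))
```

Matching single commands such as `whoami` or `net user` is far too noisy on its own, which is why the example alerts on the number of distinct recon commands per host inside a short window rather than on any one of them; the same routine applied to flow records catches the fan-out of FScan or In-Swor regardless of which scanner produced it, since only destination count and port set are used.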
The fact that the operator had to check Netspy's help output denotes a lack of automation and the unusual usage of such a tool:

    netspy[.]exe -h

Gathering local system information

The attackers also run commands to profile the endpoint and its drives:

    wmic diskdrive get partitions /value
    fsutil fsinfo drives
    wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace
    wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace /format:value

Maintaining persistent access to victims

The threat actor attempts to deploy multiple web shells on systems they find hosting web applications. The web shells are typically ASP- or PHP-based files placed deep inside housekeeping directories such as image directories, user file directories, etc.

The threat actor uses a web shell variant of JuicyPotato (a privilege escalation tool) that allows JuicyPotato to act as a web shell on the compromised system, accepting commands from remote systems to execute.

JuicyPotato is then run to spawn cmd[.]exe for a reverse shell that allows the threat actor to run arbitrary commands:

    Run.exe -t t -p c:\windows\system32\cmd.exe -l 1111 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

UAT-5918 also uses PuTTY's pscp tool to connect to and deliver additional web shells to accessible endpoints (likely servers) within the network:

    pscp[.]exe @:/var/www/html/

Furthermore, Talos has observed UAT-5918 execute reverse Meterpreter shells to maintain persistent access to the compromised hosts:

    C:\ProgramData\bind.exe
    C:\ProgramData\microbind.exe
    C:\ProgramData\reverse.exe
    cmd /c C:/ProgramData/microbind.exe

Backdoored user account creation

UAT-5918 regularly creates user accounts on compromised endpoints and assigns them administrative privileges:

    net user /add
    net localgroup administrators /add
    net group domain admins /add /domain

Credential harvesting is a key tactic in UAT-5918 intrusions, instrumented via the use of tools such as Mimikatz, LaZagne, and browser credential stealers:

Mimikatz: A commonly used credential extractor tool, run to obtain credentials from the endpoint.

LaZagne: LaZagne is an open-sourced credential extractor:

    C:/ProgramData/LaZagne.exe
    C:/ProgramData/LaZagne.exe -all >> laz.txt

Registry dumps: The "reg" system command is used to take dumps of the SAM, SECURITY and SYSTEM hives.

Google Chrome information: The adversary also uses a tool called BrowserDataLite to extract login information, cookies, and browsing history from web browsers. The extracted information is subsequently accessed via notepad[.]exe:

    BrowserDataLite_x64.exe
    C:\Windows\system32\NOTEPAD.EXE Chrome_LoginPass.txt
    C:\Windows\system32\NOTEPAD.EXE Chrome_Cookies.txt
    C:\Windows\system32\NOTEPAD.EXE Chrome_History.txt

SNETCracker: A .NET-based password cracker (brute forcer) for services such as SSH, RDP, FTP, MySQL, SMTP, Telnet, VNC, etc.

Finding strings related to credentials, such as:

    findstr /s /i /n /d:C:\ password *.conf

Pivoting to additional endpoints

UAT-5918 consistently attempts to gain access to additional endpoints within the enterprise. They perform network reconnaissance cyclically to discover new endpoints worth pivoting to and attempt to gain access via RDP or Impacket:

    mstsc.exe -v

Impacket was also used on multiple occasions to pivot into additional endpoints and copy over tools:

    python wmiexec[.]py Administrator:@ -codec big5 1> [\][\]127[.]0[.]0[.]1\ADMIN$\__
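Two of the patterns above are worth correlating rather than matching one event at a time: the "Backdoored user account creation" sequence (an account is created and then added to the local Administrators or Domain Admins group), and the registry hive dumps, which only become usable once SAM or SECURITY has been collected together with the SYSTEM hive that holds the boot key. The wmiexec command shown in "Pivoting to additional endpoints" also leaves a recognisable footprint on the target, because the command it launches redirects output to `\\127.0.0.1\ADMIN$\__<timestamp>`. The script below is an added detection example, not Talos code; the `timestamp|host|command_line` log format, the `reg save` lines and all sample events are constructed for the example, and the 30-minute correlation window is an assumption to tune.

```python
"""Correlate two UAT-5918 post-compromise patterns in process-creation telemetry.
Added example, not Talos code; log format and sample events are constructed.

  1. Backdoor admin accounts: 'net user <name> ... /add' followed on the same
     host by 'net localgroup administrators <name> /add', and any
     'net group "domain admins" <name> /add /domain'.
  2. Credential access: 'reg save' of the SAM, SECURITY and SYSTEM hives, raised
     once per complete set on a host, plus commands launched through Impacket's
     wmiexec, recognised by the output redirection to \\127.0.0.1\ADMIN$\__<ts>.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

NET_USER_ADD = re.compile(r"^net1?(\.exe)?\s+user\s+(?P<name>\S+)(\s+\S+)?\s+/add\b", re.I)
LOCAL_ADMIN_ADD = re.compile(r"^net1?(\.exe)?\s+localgroup\s+administrators\s+(?P<name>\S+)\s+/add\b", re.I)
DOMAIN_ADMIN_ADD = re.compile(r'^net1?(\.exe)?\s+group\s+"?domain admins"?\s+(?P<name>\S+)\s+/add\b.*/domain', re.I)
# Not anchored at the start so it also matches when wrapped in 'cmd.exe /Q /c ...'.
HIVE_DUMP = re.compile(r"\breg(\.exe)?\s+(save|export)\s+(hklm|hkey_local_machine)\\(?P<hive>sam|security|system)\b", re.I)
# Redirection to the ADMIN$ share on loopback is the on-host footprint of wmiexec.
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)
FULL_HIVE_SET = {"sam", "security", "system"}
WINDOW = timedelta(minutes=30)


def parse(line):
    ts, host, cmd = line.split("|", 2)
    return datetime.fromisoformat(ts), host, cmd.strip()


def correlate(lines, window=WINDOW):
    """Return a list of (alert_type, host, detail) tuples in event order."""
    events = sorted(parse(l) for l in lines if l.strip())
    alerts = []
    created = {}               # (host, account) -> time 'net user ... /add' ran
    hives = defaultdict(dict)  # host -> {hive: first dump time}
    for ts, host, cmd in events:
        m = NET_USER_ADD.search(cmd)
        if m:
            created[(host, m["name"].lower())] = ts
            continue
        m = LOCAL_ADMIN_ADD.search(cmd)
        if m:
            t0 = created.get((host, m["name"].lower()))
            if t0 is not None and ts - t0 <= window:
                alerts.append(("local_admin_backdoor", host, m["name"]))
        m = DOMAIN_ADMIN_ADD.search(cmd)
        if m:
            alerts.append(("domain_admin_add", host, m["name"]))
        m = HIVE_DUMP.search(cmd)
        if m:
            seen = hives[host]
            seen.setdefault(m["hive"].lower(), ts)
            if FULL_HIVE_SET <= set(seen) and max(seen.values()) - min(seen.values()) <= window:
                alerts.append(("full_hive_set", host, "+".join(sorted(seen))))
                hives[host] = {}   # alert once per complete set
        if WMIEXEC_REDIRECT.search(cmd):
            alerts.append(("wmiexec_remote_command", host, cmd.split(" 1>")[0]))
    return alerts


# Constructed sample: FS02 gets a backdoor admin account, HR-WS1 sees a benign
# helpdesk account creation, DC01 has all three hives saved via wmiexec, and
# OPS-WS3 exports an unrelated HKCU key (must not alert).
SAMPLE_LOG = r"""
2025-03-02T01:10:00|FS02|net user svc_backup P@ssw0rd123 /add
2025-03-02T01:10:08|FS02|net localgroup administrators svc_backup /add
2025-03-02T01:11:30|FS02|net group "domain admins" svc_backup /add /domain
2025-03-02T08:30:00|HR-WS1|net user jdoe Welcome1 /add
2025-03-02T09:00:00|HR-WS1|net localgroup "Remote Desktop Users" jdoe /add
2025-03-03T03:00:00|DC01|cmd.exe /Q /c reg save hklm\sam C:\ProgramData\sam.hiv 1> \\127.0.0.1\ADMIN$\__1741000000.12 2>&1
2025-03-03T03:00:02|DC01|cmd.exe /Q /c reg save hklm\system C:\ProgramData\sys.hiv 1> \\127.0.0.1\ADMIN$\__1741000002.33 2>&1
2025-03-03T03:00:05|DC01|cmd.exe /Q /c reg save hklm\security C:\ProgramData\sec.hiv 1> \\127.0.0.1\ADMIN$\__1741000005.41 2>&1
2025-03-03T11:00:00|OPS-WS3|reg export HKCU\Software\MyApp C:\temp\myapp.reg
"""


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The account check keys on the account name so that a creation and a later group membership change on the same host are tied together, which is what distinguishes a backdoor from a routine account creation; the hive check is deliberately silent on a lone `reg save hklm\sam` and fires when the set that can actually be decrypted offline is complete.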