ThreatCluster

Typhoon-adjacent Chinese crew broke into Taiwanese web host

Threat Score: 80 | 3 articles | 100.0% similarity | 6 hours ago

Key Insights

1. UAT-7237, a Chinese-speaking advanced persistent threat group, has been actively targeting Taiwanese web infrastructure since at least 2022, using customized open-source tools for its intrusions.
2. The group has a particular focus on gaining access to VPN and cloud infrastructure. The configuration of its SoftEther VPN client specifies Simplified Chinese as the preferred language, indicating proficiency in the language.
3. Cisco Talos reports that UAT-7237 employs a bespoke shellcode loader named SoundBill to decode and launch secondary payloads, including Cobalt Strike, which serves as its primary backdoor implant.
4. The group exploits known vulnerabilities on unpatched servers; the attack chain typically begins with the exploitation of public-facing applications and leads to full system compromise.
5. UAT-7237 operates as a subgroup of UAT-5918, which has been linked to attacks on critical infrastructure in Taiwan, but differs in its tactics, for example in its selective deployment of web shells post-compromise.
6. The activity from UAT-7237 has raised alarms due to its sophisticated methods and long-term access strategy, prompting security teams to enhance their monitoring and defensive measures.

Threat Overview

A Chinese-speaking advanced persistent threat (APT) group known as UAT-7237 has been identified as targeting Taiwanese web infrastructure using a combination of customized open-source tools. According to a report by Cisco Talos, UAT-7237 has been active since at least 2022 and is believed to be a subgroup of another APT, UAT-5918, which has targeted critical infrastructure in Taiwan as early as 2023. The group has shown a particular interest in accessing VPN and cloud infrastructure; its configuration of the SoftEther VPN client specifies Simplified Chinese as the preferred display language.

The attacks executed by UAT-7237 are characterized by the use of a bespoke shellcode loader named SoundBill. This loader is designed to decode and launch secondary payloads, including Cobalt Strike, which has been identified as their primary backdoor implant. The exploitation process typically begins with attacks on unpatched servers, utilizing known vulnerabilities in public-facing applications. Talos noted that 'the core functionality of the backdoor remains the same but we did notice some changes in the implementation and the configuration of the backdoor.'

Notably, UAT-7237’s tactics exhibit differences from UAT-5918, particularly in their selective deployment of web shells post-compromise. This group is more focused on achieving long-term access rather than deploying numerous web shells across various endpoints. Cisco Talos remarked that UAT-7237 relies heavily on open-source tooling that has been customized to evade detection while conducting malicious activities within compromised environments. 'UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan,' the report stated.

In response to the ongoing threat posed by UAT-7237, security teams are enhancing their monitoring capabilities. Vendors are advised to ensure that all systems are patched and updated to mitigate potential vulnerabilities. Expert analysis indicates that organizations should review their firewall configurations and access controls to guard against unauthorized entry through exploited VPNs and cloud services. As UAT-7237 continues to evolve, the importance of proactive security measures cannot be overstated. Security teams are urged to remain vigilant and adapt their defenses in light of these sophisticated threat actors.

Tactics, Techniques & Procedures (TTPs)

  • T1190 Exploit Public-Facing Application: UAT-7237 exploits known vulnerabilities on unpatched servers to gain initial access [1][2]
  • T1105 Ingress Tool Transfer: The group uses customized tools like SoundBill to deliver secondary payloads [1][3]
  • T1059.001 Command and Scripting Interpreter: Cobalt Strike is employed as the primary backdoor implant [2][3]
  • T1555.002 Credentials from Password Stores: UAT-7237 targets VPN and cloud infrastructure for credential theft [2][3]
  • T1071.001 Application Layer Protocol: Web Protocols: The group utilizes SoftEther VPN for persistence [1][2]
  • T1021.001 Remote Services: RDP: Direct RDP access is incorporated for maintaining access [1][3]
  • T1110.001 Brute Force: Password Spraying: Exploitation of weak passwords on public-facing applications [2][3]

Timeline of Events

  • 2022-09: UAT-7237 establishes a remote server hosting the SoftEther VPN client, marking the beginning of its activity [2]
  • 2025-08-01: Cisco Talos detects unusual activity linked to UAT-7237 targeting Taiwanese web infrastructure [1]
  • 2025-08-15: Cisco Talos publishes a detailed report on UAT-7237, highlighting the tactics and tools used [1][3]

Source Citations

Expert quotes: Cisco Talos (Articles 1, 2, 3)
Primary findings: UAT-7237 activity report (Articles 1, 2, 3); Exploitation methods and tools (Articles 1, 2); Tactics comparison with UAT-5918 (Articles 1, 2, 3)
Technical details: Persistence techniques (Articles 1, 2); Attack methods and tools (Articles 1, 2, 3)
Powered by ThreatCluster AI. Generated 1 hour ago. AI analysis may contain inaccuracies.

Related Articles

3 articles

1. Typhoon-adjacent Chinese crew broke into Taiwanese web host
The Register Security • 2 hours ago

Is that a JuicyPotato on your network? A suspected Chinese-government-backed cyber crew recently broke into a Taiwanese web hosting provider to steal credentials and plant backdoors for long-term access, using a mix of open-source and custom software tools, Cisco Talos reports. Talos tracks the Chinese-speaking advanced persistent threat (APT) group as UAT-7237 and says that it has been active since at least 2022. The securi

Score 79, 100.0% similarity

2. Taiwan Web Servers Breached by UAT-7237 Using Customized Open-Source Hacking Tools
The Hacker News • 8 hours ago

A Chinese-speaking advanced persistent threat (APT) actor has been observed targeting web infrastructure entities in Taiwan using customized versions of open-sourced tools with an aim to establish long-term access within high-value victim environments. The activity has been attributed by Cisco Talos to an activity cluster it tracks as UAT-7237, which is believed to be active since at least 2022. The hacking group is assessed to be a sub-group of UAT-5918, which is known to be attacking critical in

Score 74, 96.0% similarity

3. UAT-7237 targets Taiwanese web hosting infrastructure
Cisco Talos Intelligence • 14 hours ago

Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.

Score 62, 96.0% similarity


Cluster Intelligence

Key entities and indicators for this cluster

APT GROUPS: UAT-7237
ATTACK TYPES: Credential Theft, Remote Access, APT Exploitation, Web Infrastructure Attack
MITRE ATT&CK: T1071.001, T1110.001, T1555.002, T1021.001, T1105
PLATFORMS: SoftEther VPN
INDUSTRIES: Infrastructure, Web Hosting, Cybersecurity
COMPANIES: Cisco Talos
COUNTRIES: Taiwan
MALWARE: Cobalt Strike
CLUSTER INFORMATION: Cluster #1990, created 6 hours ago, semantic algorithm
