UAT-7237 Taiwan web infrastructure targeting campaign using customized open-source tooling
Campaign
Summary
The UAT-7237 campaign targeted web infrastructure entities in Taiwan with customized open-source tooling to establish long-term access in high-value environments. The activity has been active since at least 2022 and shows a persistent focus on internet-exposed servers and follow-on intrusion. It matters because the operators combined initial exploitation, Cobalt Strike staging, and persistence methods such as SoftEther VPN and RDP to stay inside victim networks.
Related Happenings
BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Malware Activity
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
About this happening:
**BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...
UAT-9686 Cisco AsyncOS exploitation and persistence campaign
Campaign
First: 17.12.2025 20:45
Last: 17.12.2025 20:45
Sources 1
About this happening:
The **UAT-9686** campaign is actively exploiting **CVE-2025-20393** on **Cisco AsyncOS** email appliances, giving attackers **root command execution** and a foothold for persisten...
PlushDaemon global espionage campaign
Campaign
First: 19.11.2025 14:00
Last: 19.11.2025 14:00
Sources 1
About this happening:
**PlushDaemon** is running a long-lived **global espionage campaign** that targets organizations across **multiple countries**, increasing the risk of cross-border compromise and...
China-linked persistent-access campaign against U.S. policy-linked entities
Campaign
First: 07.11.2025 18:07
Last: 07.11.2025 18:07
Sources 1
About this happening:
**China-linked** operators maintained **weeks-long access** to a **U.S. non-profit** and used that foothold to pursue **long-term persistence**, making the activity significant fo...
PassiveNeuron multi-region espionage campaign
Campaign
First: 22.10.2025 11:58
Last: 22.10.2025 11:58
Sources 1
About this happening:
**PassiveNeuron** is an **active cyber espionage campaign** targeting **government, financial, and industrial organizations** across **Asia, Africa, and Latin America**, with a fr...
Timeline
- 15.08.2025 19:20 · 1 article
UAT-7237 campaign targets Taiwan web infrastructure with customized open-source tooling
Initial Disclosure: Cisco Talos attributed UAT-7237 to a Chinese-speaking advanced persistent threat (APT) activity cluster targeting web infrastructure entities in Taiwan, noting that the group has been active since at least 2022 and is assessed to be a sub-group of UAT-5918. The observed intrusion chain begins with exploitation of known security flaws on unpatched internet-exposed servers, followed by reconnaissance and fingerprinting, then persistence and follow-on access using customized open-source tooling: SoundBill to decode and launch Cobalt Strike, SoftEther VPN and RDP for remote access, plus JuicyPotato, Mimikatz, FScan, and registry changes intended to disable User Account Control (UAC) and store cleartext passwords.
- Taiwan Web Servers Breached by UAT-7237 Using Customized Open-Source Hacking Tools — thehackernews.com — 15.08.2025 19:20