Beyond the Firewall: Inside UAT-7237, a Chinese APT Group Targeting Taiwan
The China-linked group UAT-7237 has become the subject of a new report from Cisco Talos. According to researchers, this team has been active since 2022, specializing in long-term persistence within victim infrastructure. In one documented case, the attackers infiltrated the network of a Taiwanese hosting provider, prioritizing access to the company’s VPN and cloud services. To achieve this, the hackers combined publicly available tools with their own custom developments.
An analysis of the servers used in the campaign revealed that persistent access was maintained through the SoftEther VPN client, configured with simplified Chinese as the default language—an indicator that reinforced the hypothesis of the group’s origins. Talos links UAT-7237 to another well-known Chinese APT collective, UAT-5918, which likewise targets Taiwan’s critical infrastructure and bears resemblance to Volt Typhoon and Flax Typhoon. Nonetheless, the researchers distinguish UAT-7237 as a separate entity due to its tactical divergences: this group favors the deployment of Cobalt Strike and a limited number of web shells, whereas UAT-5918 relies heavily on Meterpreter and the mass distribution of web backdoors.
For initial intrusion, UAT-7237 exploits vulnerabilities in unpatched public-facing services. Once inside, the attackers conduct reconnaissance before installing SoftEther VPN to ensure stealthy, long-term presence. In addition to Cobalt Strike, they employ other tools: a custom loader called SoundBill, written in Chinese and based on VTHello, which embeds two executables from the Chinese messenger QQ—likely used as decoys in phishing campaigns. The group also leverages JuicyPotato for privilege escalation and command execution.
To steal credentials, the attackers deploy Mimikatz, analyze the Windows registry and disk contents, and in some cases attempt to alter system policies and user rights to store passwords in plaintext. For interaction with LSASS, they utilize the GitHub project ssp_dump_lsass, enabling them to extract credentials directly from process memory. Additional mechanisms included BAT scripts launched via third-party utilities.
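As an added illustration of how a defender can watch for the credential-theft step described above (this is example code, not from the Talos report), the following scans Sysmon-style "registry value set" records for the WDigest change that makes Windows cache logon passwords in plaintext. The key path, value name and sample events are assumptions and constructed data; the article itself does not name them.

```python
import re
from typing import Iterable, List

# Assumption: the registry location that forces WDigest to cache plaintext
# logon credentials. It is a standard Windows key, not one named in the article.
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
WDIGEST_VALUE = "UseLogonCredential"


def parse_dword(details: str):
    """Extract the integer from a Sysmon DWORD rendering such as 'DWORD (0x00000001)'."""
    match = re.search(r"0x([0-9a-fA-F]+)", details)
    return int(match.group(1), 16) if match else None


def enables_plaintext_credentials(event: dict) -> bool:
    """True when a Sysmon 'registry value set' event turns on UseLogonCredential."""
    if event.get("EventID") != 13:  # Sysmon Event ID 13 = RegistryEvent (Value Set)
        return False
    key, _, name = event.get("TargetObject", "").rpartition("\\")
    if key.lower() != WDIGEST_KEY.lower() or name.lower() != WDIGEST_VALUE.lower():
        return False
    value = parse_dword(event.get("Details", ""))
    return value is not None and value != 0  # 0 is the hardened default


def find_alerts(events: Iterable[dict]) -> List[str]:
    """Return one alert line per offending event, naming host and writing process."""
    return [
        f"{e['Computer']}: {e['Image']} set {WDIGEST_VALUE}={parse_dword(e['Details'])}"
        for e in events
        if enables_plaintext_credentials(e)
    ]


# Constructed sample events (not real telemetry). Only the second should alert.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WEB01", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": "C:\\Users\\a\\OneDrive.exe"},
    {"EventID": 13, "Computer": "WEB01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WDIGEST_KEY + "\\" + WDIGEST_VALUE,
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "DB02", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": WDIGEST_KEY + "\\" + WDIGEST_VALUE,
     "Details": "DWORD (0x00000000)"},  # resetting to 0 restores the safe state
    {"EventID": 1, "Computer": "DB02", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": "", "Details": ""},  # process-create event, ignored
]
```

Calling `find_alerts(SAMPLE_EVENTS)` yields a single alert for the reg.exe write on WEB01; feeding it parsed Sysmon events from a SIEM export is the realistic use.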
Network reconnaissance was carried out using FScan, which scans open ports across subnets and gathers information on SMB services. Once access to new systems was obtained, the attackers rapidly performed secondary reconnaissance and attempted lateral movement using previously stolen credentials.
Talos researchers did not disclose how many organizations were compromised or which specific industries were targeted. However, published Indicators of Compromise (IOCs) are already available in the project’s official GitHub repository, providing administrators with resources to check their systems for traces of intrusion. A critical takeaway from the report is the emphasis that even well-known vulnerabilities—if left unpatched—remain a gateway for attacks of this sophistication.