Chinese APT Group Targets Web Hosting Services in Taiwan

A newly identified Chinese advanced persistent threat (APT) group is targeting web infrastructure providers in Taiwan, with a focus on long-term access and data theft, according to Cisco Talos.

The report comes amid escalating cyber intrusions against critical infrastructure in Taiwan by China, with geopolitical tensions around the island territory’s self-governing status increasing.

The threat actor, tracked as UAT-7237, successfully compromised a Taiwanese web hosting provider, according to Cisco Talos’ researchers. The group showed a particular interest in gaining access to the victim organization’s VPN and cloud infrastructure.

It conducted a range of malicious activities in the compromised environment, including reconnaissance, credential extraction and setting up backdoored access.

The group primarily utilizes open-source tools, including a customized shellcode loader tracked as ‘SoundBill’.

Active since 2022, UAT-7237 is likely a subgroup of UAT-5918, according to the researchers. UAT-5918 is a Chinese-speaking threat actor previously observed conducting espionage operations against organizations in Taiwan.

While it may be a subgroup, UAT-7237 is assessed with high confidence to be a distinct Chinese APT group due to significant deviations in tactics, techniques and procedures (TTPs) compared to UAT-5918.

TTPs include its use of Cobalt Strike as its staple backdoor implant and highly selective deployment of web shells on compromised endpoints.

Distinct Post Compromise Activities

The Cisco report, published on August 15, noted that like other Chinese APT groups, UAT-7237 exploits known vulnerabilities on unpatched servers exposed to the internet for initial access.

While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client to achieve persistence and later accessing the systems via Remote Desktop Protocol (RDP).

In the compromised web hosting provider, the researchers found indications that the group has been using SoftEther over a two-year period.

UAT-7237 deploys open-source tooling, often customized, to evade detection and conduct malicious activities within the compromised enterprise.

This includes Windows Management Instrumentation (WMI)-based tooling such as SharpWMI and WMICmd for arbitrary command and code execution.

One of the most notable custom-built tools used by UAT-7237 is known as SoundBill, a shellcode loader written in Chinese that will decode a file on disk named “ptiti.txt” and execute the resulting shellcode.

The two embedded executables in SoundBill originate from QQ, a Chinese instant messaging software.

SoundBill is compatible with loading any shellcode, including Cobalt Strike, which the group uses to establish long-term access for information stealing.

UAT-7237 also uses JuicyPotato, a privilege escalation tool popular with Chinese-speaking threat actors, to execute multiple commands on endpoints.

The actor deploys credential extracting tooling, predominantly Mimikatz, to steal credentials from infected endpoints.

Network scanning tools such as Fscan are used to identify open ports across IP subnets. As soon as accessible systems are found, UAT-7237 conducts additional reconnaissance to pivot to them using credentials the group has previously extracted, enabling lateral movement within the victim organization.
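The post-compromise chain described above (SoftEther VPN client for persistence, RDP for interactive access, the SoundBill loader reading “ptiti.txt”, WMI tooling, JuicyPotato, Mimikatz and Fscan) maps to a handful of host-level observables a defender can hunt for. The following is an added example, not code from the Cisco Talos report or from Infosecurity: a small triage script that runs name-based rules over constructed process-creation, file-creation and logon events shaped loosely like Sysmon and Windows Security log fields. The SoftEther binary names (vpnclient.exe, vpncmd.exe) and the tool file names are assumptions, and the sample events are fabricated for illustration.

```python
"""Hunt for UAT-7237-style tooling in endpoint telemetry (added example, constructed data)."""
import re
from dataclasses import dataclass

# Patterns derived from the tooling named in the article. Binary names are
# assumptions: operators routinely rename tools, so a hit is a triage lead,
# and the absence of hits is not evidence of absence.
RULES = {
    "softether_vpn_client": re.compile(r"vpnclient\.exe|vpncmd\.exe|softether", re.I),
    "soundbill_payload_file": re.compile(r"ptiti\.txt", re.I),   # file name from the report
    "fscan_subnet_scan": re.compile(r"\bfscan(\.exe)?\b", re.I),
    "juicypotato_privesc": re.compile(r"juicypotato", re.I),
    "mimikatz_credential_dump": re.compile(r"mimikatz|sekurlsa::", re.I),
    "wmi_exec_tooling": re.compile(r"sharpwmi|wmicmd", re.I),
}


@dataclass(frozen=True)
class Finding:
    index: int      # position of the event in the input stream
    rule: str       # which rule fired
    evidence: str   # the text that was matched, for the analyst


def _searchable_text(event: dict) -> str:
    """Join the fields worth matching: process image, command line, created file."""
    return " ".join(str(event.get(k, "")) for k in ("Image", "CommandLine", "TargetFilename"))


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event matches (possibly none)."""
    text = _searchable_text(event)
    hits = [name for name, pattern in RULES.items() if pattern.search(text)]
    # Security event 4624 with LogonType 10 is a RemoteInteractive (RDP) logon,
    # the access path the article says follows SoftEther persistence.
    if event.get("EventID") == 4624 and str(event.get("LogonType")) == "10":
        hits.append("rdp_logon")
    return hits


def hunt(events: list[dict]) -> list[Finding]:
    """Run every rule over every event and collect the findings."""
    findings = []
    for i, ev in enumerate(events):
        evidence = _searchable_text(ev).strip() or f"EventID {ev.get('EventID')}"
        for rule in classify(ev):
            findings.append(Finding(i, rule, evidence))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule so an analyst sees which stages of the chain appeared."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample events (not real telemetry), mixing benign and suspicious activity.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 11, "Image": r"C:\Users\Public\update.exe", "TargetFilename": r"C:\Users\Public\ptiti.txt"},
    {"EventID": 1, "Image": r"C:\ProgramData\vpn\vpnclient.exe", "CommandLine": "vpnclient.exe"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup"},
    {"EventID": 1, "Image": r"C:\Users\Public\fscan.exe", "CommandLine": "fscan.exe -h 10.0.0.0/24"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"event {f.index}: {f.rule}: {f.evidence}")
    print(summarize(results))
```

Name matching is deliberately the weakest layer here; in practice the file-creation rule for “ptiti.txt” and the pairing of a VPN client process with subsequent RDP logons from unexpected accounts carry more weight than any tool name, and both survive a renamed binary.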

Chinese Attacks on Taiwan Infrastructure Escalate

Threat researchers have observed escalating Chinese cyber-attacks against Taiwan, both for espionage purposes and to prepare the capability to disrupt critical services on the island.

In January 2025, Taiwan’s National Security Bureau (NSB) reported a significant rise in cyber-attacks targeting critical infrastructure in the region in 2024, such as telecoms, transportation and government networks, most of which were attributed to Chinese state-backed hackers.

The NSB warned Taiwanese citizens that Chinese-made apps widely used in the population pose significant cybersecurity risks, including sending personal data to servers in China.

A 2024 report by ESET identified that Chinese APT group Evasive Panda was using a sophisticated toolset named CloudScout to extract cloud-based data from Taiwanese organizations.