2025-08-18

UAT-7237, a Chinese-speaking advanced persistent threat (APT) group assessed to be a subgroup of UAT-5918, has been targeting web infrastructure entities in Taiwan with customized open-source tools in order to establish long-term access in high-value victim environments, according to Cisco Talos, whose findings were also covered by Security Affairs.

The group uses a customized shellcode loader named "SoundBill" to decode and execute shellcode, including Cobalt Strike payloads, for credential theft and continued access. Initial access comes through unpatched servers. Reconnaissance then relies on built-in commands such as nslookup and systeminfo, and persistence is established through SoftEther VPN and RDP. JuicyPotato is used for privilege escalation (it abuses SeImpersonatePrivilege, which service accounts such as IIS application pool identities commonly hold), and Mimikatz for credential harvesting, with a mix of custom and open-source tooling keeping the foothold alive.

For defenders of web infrastructure the reported tradecraft maps to a small set of concrete controls: keep internet-facing servers patched, since the intrusions start there; alert on a web server worker process spawning a shell and on bursts of reconnaissance commands run under service accounts; treat the unexpected appearance of VPN server software such as SoftEther as a persistence indicator; monitor for non-system processes reading LSASS memory; and remove SeImpersonatePrivilege from service accounts that do not need it.

Source: Security Affairs
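As an added illustration, not code from Talos, Security Affairs or the group's tooling, the following Python implements the heuristic detections that the reported tradecraft suggests and runs them over constructed Sysmon-style process telemetry (Event ID 1 process creation and Event ID 10 process access). The hostnames, users, paths, timestamps, rule thresholds and the SoftEther executable names are assumptions made for this example; whoami and ipconfig are added to the reconnaissance set beyond the nslookup and systeminfo named in the report.

```python
"""Heuristic detections for the UAT-7237 tradecraft described above.

Example code written for this page; it is not Talos, Security Affairs or
SoftEther code. Telemetry, thresholds and binary names are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one JSON record per line (Sysmon-like fields).
# Hosts, users, paths and timestamps are invented for this example.
SAMPLE_LOG = r"""
{"ts":"2025-08-01T02:10:05","host":"web01","eid":1,"image":"C:\\Windows\\System32\\cmd.exe","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","user":"IIS APPPOOL\\DefaultAppPool"}
{"ts":"2025-08-01T02:10:09","host":"web01","eid":1,"image":"C:\\Windows\\System32\\nslookup.exe","parent":"C:\\Windows\\System32\\cmd.exe","user":"IIS APPPOOL\\DefaultAppPool"}
{"ts":"2025-08-01T02:10:14","host":"web01","eid":1,"image":"C:\\Windows\\System32\\systeminfo.exe","parent":"C:\\Windows\\System32\\cmd.exe","user":"IIS APPPOOL\\DefaultAppPool"}
{"ts":"2025-08-01T02:10:20","host":"web01","eid":1,"image":"C:\\Windows\\System32\\whoami.exe","parent":"C:\\Windows\\System32\\cmd.exe","user":"IIS APPPOOL\\DefaultAppPool"}
{"ts":"2025-08-01T02:31:40","host":"web01","eid":1,"image":"C:\\ProgramData\\svc\\vpnserver_x64.exe","parent":"C:\\Windows\\System32\\cmd.exe","user":"NT AUTHORITY\\SYSTEM"}
{"ts":"2025-08-01T02:35:02","host":"web01","eid":10,"source_image":"C:\\Users\\Public\\m.exe","target_image":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1010"}
{"ts":"2025-08-01T09:00:00","host":"ws07","eid":1,"image":"C:\\Windows\\System32\\nslookup.exe","parent":"C:\\Windows\\System32\\cmd.exe","user":"CORP\\alice"}
"""

# Web server worker processes that should never spawn an interactive shell.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "php-cgi.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Recon commands: nslookup and systeminfo from the report plus common companions.
RECON_TOOLS = {"nslookup.exe", "systeminfo.exe", "whoami.exe", "ipconfig.exe",
               "net.exe", "tasklist.exe", "quser.exe"}
RECON_WINDOW = timedelta(seconds=120)   # assumed burst window
RECON_MIN_DISTINCT = 3                  # assumed distinct-tool threshold
# Assumed SoftEther Windows executable names; tune to your own inventory.
VPN_BINARIES = {"vpnserver_x64.exe", "vpnserver.exe", "vpnbridge.exe", "vpncmd.exe"}
# Processes legitimately allowed to read LSASS memory (assumed, site-specific).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
PROCESS_VM_READ = 0x0010                # access right credential dumpers need


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(log):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in log.strip().splitlines() if line.strip()]


def detect(records):
    """Return (rule, host, detail) tuples for every heuristic that fires."""
    alerts = []
    recon_by_host = defaultdict(list)
    for r in records:
        if r["eid"] == 1:
            img, parent = basename(r["image"]), basename(r["parent"])
            # Initial access: web worker process spawning a shell.
            if parent in WEB_WORKERS and img in SHELLS:
                alerts.append(("web_worker_spawned_shell", r["host"],
                               f"{parent} -> {img} as {r['user']}"))
            if img in RECON_TOOLS:
                recon_by_host[r["host"]].append((datetime.fromisoformat(r["ts"]), img))
            # Persistence: VPN server binary appearing on a web host.
            if img in VPN_BINARIES:
                alerts.append(("softether_vpn_binary", r["host"], r["image"]))
        elif r["eid"] == 10 and basename(r["target_image"]) == "lsass.exe":
            # Credential harvesting: unexpected process reading LSASS memory.
            mask = int(r["granted_access"], 16)
            if mask & PROCESS_VM_READ and basename(r["source_image"]) not in LSASS_ALLOWLIST:
                alerts.append(("lsass_memory_read", r["host"],
                               f"{r['source_image']} access {r['granted_access']}"))
    # Reconnaissance: several distinct recon tools on one host in a short window.
    for host, events in recon_by_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = {img for t, img in events[i:] if t - t0 <= RECON_WINDOW}
            if len(window) >= RECON_MIN_DISTINCT:
                alerts.append(("recon_command_burst", host, ", ".join(sorted(window))))
                break
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(parse(SAMPLE_LOG)):
        print(f"{host}: {rule}: {detail}")
```

Process-name matching is deliberately the weakest part of this: JuicyPotato and Mimikatz are routinely renamed, which is why the block keys on behaviour (a web worker spawning a shell, LSASS memory reads) rather than on tool names, and why the lone nslookup on ws07 does not fire the burst rule.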
