The advanced persistent threat (APT) actor UAT-7237 has been targeting Taiwan's web infrastructure since at least 2022, using open-source tools that it has customized to a degree. Cisco Talos tracks the group and assesses that it is related to UAT-5918, a cluster known for attacks on critical infrastructure. Unlike UAT-5918, UAT-7237 uses a distinct shellcode loader, SoundBill, to launch secondary payloads such as Cobalt Strike, and it favors persistence through a SoftEther VPN client followed by direct RDP access. Its intrusions begin by exploiting known flaws in unpatched servers, followed by reconnaissance to identify systems worth pursuing.
In a recent intrusion against a web infrastructure entity in Taiwan, UAT-7237 relied heavily on open-source tooling, customized to a certain degree, most likely to evade detection while carrying out malicious activity inside the compromised enterprise.
Where UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly: it installs the SoftEther VPN client (a technique also seen with Flax Typhoon) to persist its access, and later reaches the systems over RDP.
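The persistence chain described above (a SoftEther VPN client appearing on a host, then interactive RDP logons to that host) is something a defender can hunt for by correlating process, service and logon telemetry. The following is an added example, not Cisco Talos tooling or anything from the report: it parses a constructed, simplified event log and raises a finding per host, scoring it higher when RDP logons follow the VPN client's first appearance within a configurable window. The binary names (`vpnclient.exe`, `vpncmd.exe`), the service name hint (`SEVPNCLIENT`) and the log line format are assumptions made for the example.

```python
"""Hunt for SoftEther VPN client installs followed by RDP logons (added example).

Log format (constructed for this example, not real telemetry):
    <iso-timestamp> <host> <kind> key=value key=value ...
where kind is one of: proc (process creation), svc (service install),
logon (Windows 4624; type=10 is RemoteInteractive, i.e. RDP).
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed indicators for a SoftEther VPN Client on Windows; these names are
# assumptions for the example, not indicators published with the report.
SOFTETHER_IMAGES = {"vpnclient.exe", "vpncmd.exe"}
SOFTETHER_SERVICE_HINTS = ("sevpnclient", "softether")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
# key=value pairs where values may contain spaces (e.g. "Program Files").
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Constructed sample events. WEB01 shows the pattern in the text: a VPN client
# dropped by a low-privilege process, registered as a service, then RDP logons.
# WEB03 shows a legitimate-looking admin install with no RDP activity.
SAMPLE_LOGS = """\
2025-02-03T01:12:04Z WEB01 proc image=C:\\ProgramData\\vpn\\vpnclient.exe parent=cmd.exe user=WEB01\\svc_iis
2025-02-03T01:12:09Z WEB01 svc name=SEVPNCLIENT image=C:\\ProgramData\\vpn\\vpnclient.exe start=auto
2025-02-03T01:40:51Z WEB01 logon id=4624 type=10 user=WEB01\\Administrator src=192.0.2.44
2025-02-03T02:05:13Z WEB01 logon id=4624 type=10 user=WEB01\\Administrator src=192.0.2.44
2025-02-03T03:30:00Z WEB02 logon id=4624 type=10 user=CORP\\jdoe src=10.0.5.17
2025-02-04T09:00:00Z WEB03 proc image=C:\\Program Files\\SoftEther VPN Client\\vpnclient.exe parent=msiexec.exe user=CORP\\it-admin
"""


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict


@dataclass
class Finding:
    host: str
    vpn_first_seen: datetime
    vpn_evidence: list = field(default_factory=list)  # (ts, kind, image/name)
    rdp_logons: list = field(default_factory=list)    # (ts, user, src)

    @property
    def severity(self) -> str:
        # VPN client alone is worth triage; VPN client then RDP matches the TTP.
        return "high" if self.rdp_logons else "medium"


def parse(log_text: str) -> list:
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the hunt
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m.group(2), m.group(3), dict(KV_RE.findall(m.group(4)))))
    return events


def is_softether(ev: Event) -> bool:
    if ev.kind == "proc":
        image = ev.fields.get("image", "").replace("\\", "/").rsplit("/", 1)[-1]
        return image.lower() in SOFTETHER_IMAGES
    if ev.kind == "svc":
        blob = (ev.fields.get("name", "") + " " + ev.fields.get("image", "")).lower()
        return any(hint in blob for hint in SOFTETHER_SERVICE_HINTS)
    return False


def is_rdp_logon(ev: Event) -> bool:
    return ev.kind == "logon" and ev.fields.get("id") == "4624" and ev.fields.get("type") == "10"


def hunt(log_text: str, window: timedelta = timedelta(hours=24)) -> list:
    """Return Findings, highest severity first, for hosts where a SoftEther
    client appeared; RDP logons within `window` after first sighting escalate."""
    findings = {}
    for ev in sorted(parse(log_text), key=lambda e: e.ts):
        if is_softether(ev):
            f = findings.setdefault(ev.host, Finding(ev.host, ev.ts))
            f.vpn_evidence.append((ev.ts, ev.kind, ev.fields.get("image") or ev.fields.get("name")))
        elif is_rdp_logon(ev):
            f = findings.get(ev.host)
            if f and f.vpn_first_seen <= ev.ts <= f.vpn_first_seen + window:
                f.rdp_logons.append((ev.ts, ev.fields.get("user"), ev.fields.get("src")))
    return sorted(findings.values(), key=lambda f: (f.severity != "high", f.host))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f.severity:6} {f.host}: VPN client first seen {f.vpn_first_seen}, "
              f"{len(f.vpn_evidence)} evidence events, {len(f.rdp_logons)} RDP logons")
```

SoftEther is legitimate software, which is exactly why it is attractive for persistence, so the medium-severity case (WEB03, installed by an admin account through msiexec.exe with no RDP follow-up) still needs a human decision against the environment's baseline; the high-severity case (WEB01, dropped under a service account into ProgramData and followed by RDP from a single source) is the one that matches the behaviour attributed to UAT-7237. Tighten `window` in environments where legitimate VPN installs are common, and feed it real process-creation, service-install and 4624 events in place of the constructed lines.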
Collection