A Chinese-speaking APT group, tracked as UAT-7237, is actively targeting Taiwan's web infrastructure using customized open-source tools and sophisticated persistence techniques. Their attacks involve exploiting vulnerabilities, deploying web shells, and using remote access tools like RDP and SoftEther VPN to maintain long-term access. #UAT-7237 #SoundBill #CobaltStrike #Gelsemium #FireWood
Key points
- The threat actor UAT-7237 targets Taiwanese web infrastructure with customized open-source tools.
- Attacks include exploiting unpatched servers, deploying web shells, and utilizing VPN clients for persistence.
- The hacking group employs the SoundBill shellcode loader, JuicyPotato, and Mimikatz for privilege escalation and credential theft.
- UAT-7237 uses RDP and SoftEther VPN for maintaining long-term access and expanding control over systems.
- A new variant of the FireWood backdoor, associated with Gelsemium, has been discovered with slight modifications.
Read More: https://thehackernews.com/2025/08/taiwan-web-servers-breached-by-uat-7237.html