Taiwan Web Servers Breached by UAT-7237 Using Customized Open-Source Hacking Tools
Aug 15, 2025 | Ravie Lakshmanan | Malware / Open Source

What’s new: A Chinese-speaking advanced persistent threat (APT) group tracked as UAT-7237 has breached web servers in Taiwan using customized versions of open-source hacking tools. The group has been active since at least 2022 and is assessed to be linked to UAT-5918, a cluster that targets critical infrastructure. The intrusions begin with the exploitation of known vulnerabilities on unpatched, internet-facing servers. Once inside, the attackers use a bespoke shellcode loader named SoundBill to deliver secondary payloads, including Cobalt Strike, the commercial post-exploitation framework that is routinely abused by intrusion sets. For long-term access they rely on ordinary remote-access channels rather than custom implants alone: Remote Desktop Protocol (RDP) logons and a SoftEther VPN server installed on the compromised hosts.
Who’s affected
Web infrastructure entities in Taiwan are primarily affected, particularly those with unpatched servers exposed to the internet.
What to do
- Patch internet-facing web servers promptly against known vulnerabilities; the initial access here depended on unpatched software, not on zero-days.
- Monitor for unusual access patterns, in particular RDP logons from unexpected source addresses or at unusual hours, and any VPN service (such as SoftEther) appearing on a server that should not run one.
- Segment the network so that a compromised web server cannot reach internal management interfaces, limiting lateral movement.
- Use endpoint and network detection to flag Cobalt Strike beacons and the SoundBill loader, and treat unauthorized remote-access software on a web server as an incident rather than a configuration drift.