Stratos Ally

UAT-7237 Marks Escalation of China-Aligned Cyber Operations With Focus on Persistence    


StratosAlly


A series of recent cyberattacks on Taiwan's core web infrastructure has been attributed to a Chinese-speaking advanced persistent threat (APT) group, raising concerns about the resilience of networks in the region. Security experts warn that the group, tracked as UAT-7237, is not only adopting open-source tools but also modifying them in ways that allow long-term, stealthy access inside high-value enterprise environments.

Cisco Talos researchers say the campaign reflects a calculated escalation of China-aligned activity directed at Taiwan. The group has been active since at least 2022 and is now assessed to operate as a sub-cluster of UAT-5918, another threat actor known for credential theft and the deployment of web shells. While the broader cluster typically favors fast deployment of web backdoors, UAT-7237 takes a different, more measured approach that emphasizes persistence and evasion.

The recent intrusions show that the attackers first compromise unpatched, internet-facing servers and then run reconnaissance commands such as nslookup and systeminfo. Once inside, UAT-7237 departs from the parent cluster's habits: rather than dropping web shells straight away, it maintains its foothold with SoftEther VPN clients and Remote Desktop Protocol (RDP) connections. Where web shells appear at all, they are used selectively in later stages of the intrusion rather than as the immediate persistence mechanism, a measured divergence from earlier UAT-5918 campaigns that prioritized rapid backdoor access.
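The sequence above (hands-on-keyboard reconnaissance from a compromised web server, then a SoftEther client and RDP for persistence) is something a detection engineer can look for in process-creation telemetry. The Python below is an added example, not Talos or Stratos Ally code. It runs over constructed sample events in a simplified one-line-per-event rendering of Windows 4688 / Sysmon Event ID 1 fields. The list of web-server worker processes, the extra reconnaissance commands beyond nslookup and systeminfo, the ten-minute window, and the RDP-enabling command patterns are my assumptions for illustration; the SoftEther binary names (vpnclient.exe, vpncmd.exe) are SoftEther's real client executables but are not indicators taken from the Talos report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), one event per line:
#   time|host|user|parent image|command line
# A simplified rendering of Windows 4688 / Sysmon Event ID 1 fields.
SAMPLE_EVENTS = r"""
2024-03-04T09:12:01|WEB01|IIS APPPOOL\DefaultAppPool|C:\Windows\System32\inetsrv\w3wp.exe|cmd.exe /c whoami
2024-03-04T09:12:05|WEB01|IIS APPPOOL\DefaultAppPool|C:\Windows\System32\inetsrv\w3wp.exe|cmd.exe /c systeminfo
2024-03-04T09:12:09|WEB01|IIS APPPOOL\DefaultAppPool|C:\Windows\System32\inetsrv\w3wp.exe|cmd.exe /c nslookup dc01.corp.local
2024-03-04T09:40:33|WEB01|WEB01\svc_web|C:\Windows\System32\cmd.exe|C:\ProgramData\se\vpnclient.exe /start
2024-03-04T09:41:02|WEB01|WEB01\svc_web|C:\Windows\System32\cmd.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2024-03-04T10:02:11|FILE02|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe budget.xlsx
2024-03-05T08:00:00|FILE02|CORP\admin|C:\Windows\System32\cmd.exe|systeminfo
"""

# Assumed list of internet-facing server worker processes that should never
# spawn interactive reconnaissance.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}
# The article names nslookup and systeminfo; the rest are my additions.
RECON = {"nslookup", "systeminfo", "whoami", "ipconfig", "net", "tasklist"}
# SoftEther VPN client executables.
SOFTETHER = {"vpnclient.exe", "vpncmd.exe"}
# Two common ways of switching RDP on from a shell (assumed patterns).
RDP_ENABLE = re.compile(
    r"fDenyTSConnections.*?/d\s+0\b"
    r'|advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop".*?new\s+enable=yes',
    re.IGNORECASE,
)


def parse_event(line):
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def launched_binary(cmdline):
    """Bare lowercase executable name, looking through a 'cmd.exe /c' wrapper."""
    parts = cmdline.split()
    if len(parts) >= 3 and parts[0].lower().endswith("cmd.exe") and parts[1].lower() in ("/c", "/k"):
        parts = parts[2:]
    return parts[0].rsplit("\\", 1)[-1].lower() if parts else ""


def analyze(text, window=timedelta(minutes=10)):
    """Return findings (dicts with host, ts, rule, detail) sorted by time."""
    findings = []
    recon_by_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        binary = launched_binary(ev["cmdline"])
        if ev["parent"] in WEB_WORKERS and binary.removesuffix(".exe") in RECON:
            recon_by_host[ev["host"]].append((ev["ts"], binary.removesuffix(".exe")))
        if binary in SOFTETHER:
            findings.append({"host": ev["host"], "ts": ev["ts"],
                             "rule": "softether_client_execution", "detail": ev["cmdline"]})
        if RDP_ENABLE.search(ev["cmdline"]):
            findings.append({"host": ev["host"], "ts": ev["ts"],
                             "rule": "rdp_enabled_by_command", "detail": ev["cmdline"]})
    # Two or more distinct recon commands spawned by a web worker inside the
    # window: an operator exploring a freshly compromised server.
    for host, hits in recon_by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            cmds = {c for t, c in hits[i:] if t - t0 <= window}
            if len(cmds) >= 2:
                findings.append({"host": host, "ts": t0, "rule": "recon_from_web_worker",
                                 "detail": ", ".join(sorted(cmds))})
                break
    findings.sort(key=lambda f: f["ts"])
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f'{f["ts"]:%Y-%m-%d %H:%M:%S} {f["host"]} {f["rule"]}: {f["detail"]}')
```

Against the constructed events this yields three findings, all on WEB01: the recon burst from the IIS worker process, the SoftEther client start, and the registry change that enables RDP. Real 4688 data needs command-line auditing turned on and the parent image field, which Sysmon provides natively; the single-host FILE02 systeminfo run by an administrator from cmd.exe is deliberately not flagged.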

At the core of the group's arsenal is SoundBill, a tailored shellcode loader designed to unpack and run additional malicious code. Investigators have observed it delivering widely recognized offensive frameworks, such as Cobalt Strike, which provides command-and-control capabilities, and Mimikatz, a tool favored for credential theft. In some incidents, researchers found Mimikatz embedded directly inside SoundBill itself, a sign of how readily the operators fold open-source tooling into their custom loaders. To elevate privileges, the operators often rely on utilities like JuicyPotato, which abuses the SeImpersonatePrivilege typically held by service accounts such as web-server worker processes. They also weaken Windows defenses by switching off User Account Control (UAC) and enabling cleartext credential caching, which lets tools such as Mimikatz recover plaintext passwords from memory.
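The UAC and cleartext-credential changes are registry settings, so the damage can be audited offline from a `reg export` of the affected keys and undone with `reg add`. The Python below is an added example, not the page's or Talos's code. It parses a constructed .reg export showing the weakened state and compares it with a small hardened baseline. It assumes the cleartext-password setting in question is WDigest's UseLogonCredential (the usual one flipped by Mimikatz-oriented actors) and adds two checks the text does not mention, ConsentPromptBehaviorAdmin and fDenyTSConnections; the key paths and values are the documented Windows ones.

```python
import re

# Constructed sample export in Regedit's .reg format (not from a real host). It
# shows the weakened state the article describes: UAC off, WDigest keeping
# cleartext logon credentials in LSASS, and RDP switched on.
WEAKENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {(key, value name): int} for the DWORD values in a .reg export.

    Keys are normalised to the HKLM-prefixed form and lower-cased so lookups
    are case-insensitive, as the registry itself is.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).replace("HKEY_LOCAL_MACHINE", "HKLM").lower()
            continue
        m = DWORD_RE.match(line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


POLICIES = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WDIGEST = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
TERMSRV = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"

# (key, value name, values that mean "weakened", hardened value, why it matters).
# Absent values are treated as the OS default and not flagged; on Windows 8.1 /
# Server 2012 R2 and later, WDigest caching is off unless UseLogonCredential=1.
# WDigest as the cleartext mechanism, and the last two rows, are assumptions
# beyond what the article states.
BASELINE = [
    (POLICIES, "EnableLUA", {0}, 1, "UAC switched off entirely"),
    (POLICIES, "ConsentPromptBehaviorAdmin", {0}, 2,
     "administrators elevate silently; 2 = consent prompt on the secure desktop"),
    (WDIGEST, "UseLogonCredential", {1}, 0,
     "LSASS retains cleartext passwords that Mimikatz can dump"),
    (TERMSRV, "fDenyTSConnections", {0}, 1,
     "RDP accepted; keep it denied on hosts that should not serve RDP"),
]


def audit(values):
    """Compare parsed registry values against BASELINE; return the weakened ones."""
    findings = []
    for key, name, bad, good, why in BASELINE:
        observed = values.get((key.lower(), name.lower()))
        if observed in bad:
            findings.append({"key": key, "name": name, "observed": observed,
                             "expected": good, "why": why})
    return findings


def remediation_commands(findings):
    """reg.exe one-liners that restore each weakened value (run from an elevated shell)."""
    return [f'reg add "{f["key"]}" /v {f["name"]} /t REG_DWORD /d {f["expected"]} /f'
            for f in findings]


if __name__ == "__main__":
    found = audit(parse_reg_export(WEAKENED_EXPORT))
    for f in found:
        print(f'{f["name"]}={f["observed"]} (want {f["expected"]}): {f["why"]}')
    print("\n".join(remediation_commands(found)))
```

On the constructed export all four checks fire and four `reg add` lines come back. Restoring UseLogonCredential to 0 does not purge credentials already cached in LSASS; affected accounts still need a password change, and the same export-then-audit step is worth repeating after remediation to confirm nothing re-flipped the values.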

Researchers pointed out that the VPN software deployed in the operation had its language set to Simplified Chinese, a clear clue about the operators' background. Logs further showed the same VPN infrastructure in use for more than two years, from September 2022 to December 2024, an indication that the operators were prepared for a drawn-out campaign and had no intention of giving up their foothold quickly.

The findings position UAT-7237 firmly within a pattern of China-linked cyber operations aimed at espionage and long-term intelligence collection in Taiwan. Security analysts warn that organizations cannot afford to delay basic defenses: exposed servers must be patched quickly, Remote Desktop Protocol access should be tightly restricted (reachable only through a VPN or jump host, never directly from the internet), and multi-factor authentication must become standard rather than optional. Every day an internet-facing service stays unpatched, and every remote-access path that lacks MFA, widens the window in which a foothold like this one can be established; shortening those remediation cycles directly reduces dwell time.

Another concern, researchers add, is the way attackers are reworking publicly available malware into customized variants that slip past conventional defenses. The picture that emerges is of an adversary that is patient and adaptable, and as a result, Taiwan’s core digital infrastructure continues to operate under unrelenting pressure from hostile actors determined to keep a foothold inside critical networks.

