Particle.news


Cisco Talos Exposes UAT-7237 Cyberattacks on Taiwanese Web Infrastructure

Talos researchers released an operational timeline with IoCs to guide organizations in securing exposed servers


Overview

  • On August 15, Cisco Talos linked recent breaches of an unnamed Taiwanese web hosting provider to the Chinese-speaking APT subgroup UAT-7237.
  • The researchers released IoCs and an operational timeline on GitHub, revealing UAT-7237 activity from September 2022 to December 2024.
  • UAT-7237 exploits known flaws on unpatched servers to conduct reconnaissance and establish persistence using SoftEther VPN clients and RDP access.
  • The group deploys a custom SoundBill loader to launch Cobalt Strike and leverages JuicyPotato, Mimikatz and registry changes for credential theft and lateral movement.
  • Talos warned that limited disclosure of exploited vulnerabilities and the full victim list underscores the need for defenders to patch exposed servers and scan published indicators.
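The last point above asks defenders to scan the published indicators. The following is an added example of how to operationalize such a list; it is not code from Cisco Talos, Particle.news or the GitHub release, and every indicator and log line in it is a constructed placeholder (the report's real IoCs must be substituted). It assumes the common threat-intel convention of "defanged" indicators (`hxxp`, `[.]`) and shows the normalization and boundary-aware matching needed so that, for example, `203.0.113.4` is not reported as a hit for `203.0.113.45`.

```python
"""Match a published indicator set against log lines.

Added example, not from the Talos report: all indicator values and log
lines below are constructed placeholders, not real IoCs.
"""
import re
from collections import defaultdict

# Constructed placeholder indicators in the defanged form that threat-intel
# feeds commonly publish ("hxxp", "[.]"). Replace with the published list.
CONSTRUCTED_IOCS = """
# type,value
ip,203[.]0[.]113[.]45
domain,update[.]example-c2[.]test
sha256,0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
url,hxxp://update[.]example-c2[.]test/loader
"""

# Constructed log lines: lines 0-2 contain hits, line 3 is a near miss
# (a different address that shares a prefix with the indicator).
CONSTRUCTED_LOGS = [
    "2024-12-01T10:15:02Z web01 sshd: Accepted password for admin from 203.0.113.45 port 51234",
    "2024-12-01T10:16:40Z web01 proxy: GET http://update.example-c2.test/loader 200",
    "2024-12-01T10:17:05Z web01 edr: sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef path=C:\\Temp\\x.exe",
    "2024-12-01T10:18:00Z web01 sshd: Accepted password for admin from 203.0.113.4 port 51235",
]


def refang(value: str) -> str:
    """Undo common defanging so indicators compare against raw log text."""
    v = value.strip()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    # "hxxp://" and "hxxps://" both become their http equivalents.
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v


def load_iocs(text: str) -> dict[str, set[str]]:
    """Parse a 'type,value' indicator list into a dict of sets, refanged."""
    iocs: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind = kind.strip().lower()
        value = refang(value)
        if kind in ("md5", "sha1", "sha256"):
            value = value.lower()  # hashes compare case-insensitively
        iocs[kind].add(value)
    return dict(iocs)


def _pattern(value: str) -> re.Pattern:
    # Boundary-aware: the indicator must not be embedded in a longer token
    # (so 203.0.113.4 does not match the indicator 203.0.113.45).
    return re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", re.IGNORECASE)


def scan_lines(lines: list[str], iocs: dict[str, set[str]]) -> list[dict]:
    """Return one hit record per (line, indicator) match."""
    compiled = [(kind, value, _pattern(value)) for kind, values in iocs.items() for value in sorted(values)]
    hits = []
    for idx, line in enumerate(lines):
        for kind, value, pat in compiled:
            if pat.search(line):
                hits.append({"line": idx, "type": kind, "value": value, "text": line})
    return hits


if __name__ == "__main__":
    for hit in scan_lines(CONSTRUCTED_LOGS, load_iocs(CONSTRUCTED_IOCS)):
        print(f"line {hit['line']}: {hit['type']} {hit['value']}")
```

A domain indicator will also fire on a URL indicator that contains it, which is intended: both records are kept so the analyst can see which published indicator type produced the match.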