Particle.news

Cisco Talos Uncovers Mimikatz-Embedded SoundBill in UAT-7237’s Taiwan Attacks

An updated SoundBill loader embedding Mimikatz demonstrates the actor’s continued refinement of its attack toolkit

Overview

  • Talos attributes recent breaches of Taiwanese web servers to UAT-7237, a China-linked subgroup of UAT-5918 active since 2022.
  • Researchers observed a new variant of the bespoke SoundBill shellcode loader that carries Mimikatz for stealthier credential extraction.
  • UAT-7237 maintains long-term access through SoftEther VPN configurations set to Simplified Chinese and direct RDP sessions.
  • The threat actors deploy tools such as JuicyPotato and adjust Windows registry settings to disable UAC and store cleartext passwords.
  • Intezer reports a low-confidence sighting of an evolving FireWood backdoor variant previously linked to China-aligned operators.