A threat actor, tracked as UAT-7237, has been observed targeting web infrastructure entities in Taiwan using tailored versions of open-source tools. The threat actor is believed to be a subgroup of UAT-5918, which has been active against Taiwanese critical infrastructure since at least 2023.
The attack chain begins with the exploitation of known vulnerabilities in publicly exposed servers. Once inside, attackers conduct reconnaissance to determine the value of the target. The group deploys the SoftEther VPN client to maintain persistence and uses Remote Desktop Protocol (RDP) for later-stage access. This tactic differs from the UAT-5918 modus operandi, which tends to deploy web shells early in the intrusion process.
UAT-7237’s post-exploitation toolkit uses a custom shellcode loader known as SoundBill. Based on VTHello, the loader launches secondary payloads like Cobalt Strike, which the group uses as its primary backdoor. A newer version of SoundBill has been observed embedding credential-theft tools such as Mimikatz directly into the payload.
The group also leverages additional tools including JuicyPotato for privilege escalation and FScan for network reconnaissance. It further disables User Account Control (UAC) and enables storage of plaintext credentials via the Windows Registry to gain more control within compromised environments.
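The two registry changes described above are a cheap thing to audit on hosts in scope. The following PowerShell check is an added example, not code from the report or from Cisco Talos; the report does not name the specific registry values, so it assumes the ones most commonly tied to each behaviour: EnableLUA under the Policies\System key for UAC, and WDigest UseLogonCredential for plaintext credential caching.

```powershell
# Added example (not from the report). Audits two registry settings that the
# UAT-7237 write-up says the actor tampers with. The exact values are assumed:
#   EnableLUA = 0          -> UAC disabled
#   UseLogonCredential = 1 -> LSASS keeps plaintext passwords in memory (WDigest)
$checks = @(
    [pscustomobject]@{
        Name     = 'UAC enabled (EnableLUA)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value    = 'EnableLUA'
        Expected = 1
        Note     = 'A value of 0 means UAC has been switched off'
    },
    [pscustomobject]@{
        Name     = 'WDigest plaintext caching (UseLogonCredential)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        Value    = 'UseLogonCredential'
        Expected = 0
        Note     = 'A value of 1 re-enables plaintext credential caching'
    }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # UseLogonCredential is absent on a hardened default install (Windows 8.1 /
        # Server 2012 R2 and later), which is equivalent to 0. A missing EnableLUA
        # is unusual and should be reviewed rather than assumed safe.
        $actual = 'not set'
        $ok = ($c.Expected -eq 0)
    } else {
        $actual = $item.($c.Value)
        $ok = ($actual -eq $c.Expected)
    }
    [pscustomobject]@{
        Check    = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        Status   = if ($ok) { 'OK' } else { 'REVIEW' }
        Note     = $c.Note
    }
}
```

Run it in an elevated session on the hosts being triaged; any row marked REVIEW should be correlated with the host's change history, since both settings are rarely altered by legitimate administration after initial build.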
In a separate report, cybersecurity firm Intezer detailed a new variant of the FireWood Linux backdoor, linked to the China-aligned Gelsemium group. ESET has tied the backdoor to the “Project Wood” malware lineage, which has been active since at least 2005 and was involved in the earlier Operation TooHash campaign. It functions as a remote access trojan (RAT) on Linux systems, employing kernel-level rootkit modules (e.g., usbdev.ko) and TEA-based encryption to hide its presence, maintain persistence, and communicate with its command-and-control (C2) infrastructure. The researchers believe the malware is deployed via web shells on breached Linux systems. The backdoor allows intruders to execute commands, steal sensitive data such as system information and credentials, and conduct prolonged espionage operations.