
Chinese Hackers Exploit Web Hosting Infrastructure for Cyberattacks


By Kaaviya

Cisco Talos researchers have uncovered a sophisticated Chinese-speaking advanced persistent threat (APT) group, designated UAT-7237, that has been actively targeting web hosting infrastructure in Taiwan since at least 2022.

The group shows significant operational overlaps with the previously identified threat actor UAT-5918, which suggests both operate under a broader threat umbrella, though UAT-7237 employs its own distinct tactics to establish long-term persistence in high-value environments.

Custom Tools and VPNs Fuel Sophisticated Attacks

UAT-7237 distinguishes itself through a refined approach to maintaining persistent access, diverging from traditional web shell deployment strategies.

The group initially exploits known vulnerabilities on unpatched internet-facing servers before conducting rapid reconnaissance to assess target value.

Their operational methodology includes several key components:

  • Custom Shellcode Loader: The group deploys “SoundBill,” a custom tool built on the Chinese-language VTHello framework that can decode and execute various payloads, including Cobalt Strike beacons.
  • VPN-Based Persistence: Rather than relying on web shells, UAT-7237 uses ...

Copyright of this story solely belongs to gbhackers.