| SYMBOL | COMMON_NAME | aka. SYNONYMS |
UAT-7237 is a Chinese-speaking APT group that has been active since at least 2022, primarily targeting web infrastructure entities in Taiwan. They utilize a customized Shellcode loader known as “SoundBill” to execute shellcode, including Cobalt Strike payloads, and rely on SoftEther VPN clients and RDP for persistence and access. UAT-7237 employs techniques such as credential extraction using Mimikatz, reconnaissance with WMI-based tools, and selective deployment of web shells. Their operations indicate a focus on long-term persistence and stealth, with a preference for open-sourced and customized tooling.
There are currently no families associated with this actor.
| 2025-08-15
⋅
Cisco Talos
⋅
UAT-7237 targets Taiwanese web hosting infrastructure SoundBill UAT-7237 |