Chinese APT embeds in Taiwan hosting providers to maintain stealthy access
A newly identified cyber campaign is putting Taiwan’s web hosting providers under pressure, with Cisco Talos researchers warning of a group that seems intent on long-term infiltration rather than quick theft. The group, tracked as UAT-7237, has been active for more than two years and is believed to fall under the wider umbrella of UAT-5918, a cluster tied to several known Chinese advanced persistent threats, including Volt Typhoon and Flax Typhoon.
Investigators say the attackers are not relying on cutting-edge exploits. Instead, they use a blend of familiar techniques and legitimate software to embed themselves quietly. Initial access reportedly came through vulnerabilities in exposed servers. Once inside, the attackers relied on Remote Desktop Protocol and SoftEther VPN to keep access, effectively camouflaging their presence as normal admin traffic.
Their toolkit wasn’t one-size-fits-all, either. Some tools were standard, off-the-shelf software; others were customized. Among the most notable is SoundBill, a shellcode loader written in Chinese and linked to QQ messenger files. This loader functioned as a highly versatile tool for the attackers, enabling them to deploy a broad spectrum of payloads—from customized Mimikatz binaries to Cobalt Strike modules tailored for command execution and data exfiltration.
They didn’t confine themselves to basic techniques, either. Instead, they employed advanced privilege escalation utilities like JuicyPotato (the name’s odd, but the tool is effective) and leveraged network scanners such as Fscan.
Talos analysts highlight that this isn’t just some isolated case. It’s part of a broader shift: Chinese-linked threat actors are now blending legitimate software with tried-and-true hacking utilities. The whole point? To fly under the radar. When defenders see normal IT tools mixed in with suspicious activity, it’s way harder to draw a clean line between everyday operations and an actual attack.
And let’s not overlook SoftEther VPN. Its use here isn’t random; it’s a pretty clear indicator of intent and sophistication in the attackers’ methods. Records suggest the attackers have been running their infrastructure since late 2022, which indicates a patient, methodical approach. For hosting providers, that kind of persistence carries a significant risk, since one compromised provider can expose a wide chain of downstream clients.
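The detection problem described above (remote-access software that looks like ordinary admin tooling) comes down to judging a tool by where and how it appears rather than by its name alone. The following is an added example, not code from Cisco Talos or from the article: a small hunt over constructed log records that flags remote-access or VPN binaries on hosts where they are not part of an approved baseline, and RDP logons (Windows event 4624, logon type 10) from sources outside the known admin ranges. The binary names in the watchlist, the hostnames, the addresses and the sample records are all assumptions to adapt to your own environment.

```python
"""Hunt for remote-access tooling that blends in with admin traffic.

Added example (not part of the Talos report or the article). It flags
(1) process-creation or service-install records for remote-access/VPN
binaries on hosts where they are not part of the approved baseline, and
(2) RDP logons (Windows event 4624, logon type 10) from source addresses
outside the known admin jump-host ranges. All log records below are
constructed sample data; binary names, hostnames and addresses are
assumptions to adapt to your own environment.
"""
from ipaddress import ip_address, ip_network

# Assumed watchlist of remote-access / tunnelling binaries (lower-case, no path).
REMOTE_ACCESS_WATCHLIST = {
    "vpnserver.exe", "vpnserver_x64.exe", "vpnbridge.exe", "vpnclient.exe",  # SoftEther (assumed names)
    "ngrok.exe", "frpc.exe", "plink.exe",
}

# Assumed per-host baseline: where remote-access software is legitimately expected.
APPROVED_BASELINE = {
    "VPN-GW-01": {"vpnserver_x64.exe"},
}

# Assumed admin jump-host ranges from which RDP is expected.
ADMIN_RDP_SOURCES = [ip_network("10.10.0.0/24")]

# Constructed sample records (a subset of the fields a SIEM would carry).
SAMPLE_RECORDS = [
    {"host": "VPN-GW-01", "event": "process_create",
     "image": r"C:\Program Files\SoftEther VPN Server\vpnserver_x64.exe", "user": "SYSTEM"},
    {"host": "WEB-07", "event": "service_install",
     "image": r"C:\Windows\Temp\svchost\vpnserver_x64.exe", "user": "WEB-07\\Administrator"},
    {"host": "WEB-07", "event": "process_create",
     "image": r"C:\Windows\System32\notepad.exe", "user": "WEB-07\\alice"},
    {"host": "WEB-07", "event": "logon", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.10.0.15", "user": "CORP\\admin"},
    {"host": "WEB-07", "event": "logon", "event_id": 4624, "logon_type": 10,
     "src_ip": "192.168.30.44", "user": "WEB-07\\Administrator"},
    {"host": "WEB-07", "event": "logon", "event_id": 4624, "logon_type": 3,
     "src_ip": "192.168.30.44", "user": "WEB-07\\Administrator"},
]


def _basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_unexpected_remote_access(records, watchlist=REMOTE_ACCESS_WATCHLIST,
                                  baseline=APPROVED_BASELINE):
    """Return records where a watchlisted binary runs or installs on a host
    that has no approval for it. The same binary on VPN-GW-01 stays silent,
    which is the point: judge the tool by where it appears, not by name alone."""
    hits = []
    for rec in records:
        if rec["event"] not in ("process_create", "service_install"):
            continue
        name = _basename(rec["image"])
        if name in watchlist and name not in baseline.get(rec["host"], set()):
            hits.append(rec)
    return hits


def flag_rdp_from_unknown_sources(records, allowed=ADMIN_RDP_SOURCES):
    """Return RemoteInteractive (logon type 10) logons whose source address is
    not inside an approved admin range. Network (type 3) logons are ignored."""
    hits = []
    for rec in records:
        if (rec["event"] != "logon" or rec.get("event_id") != 4624
                or rec.get("logon_type") != 10):
            continue
        src = ip_address(rec["src_ip"])
        if not any(src in net for net in allowed):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in flag_unexpected_remote_access(SAMPLE_RECORDS):
        print("unexpected remote-access tool:", hit["host"], hit["image"])
    for hit in flag_rdp_from_unknown_sources(SAMPLE_RECORDS):
        print("RDP from unapproved source:", hit["host"], hit["src_ip"], hit["user"])
```

On the constructed data this reports the SoftEther server binary installed from a temp directory on WEB-07 (the same binary on the approved VPN gateway is not flagged) and one RDP logon to WEB-07 from an address outside the admin range. The baseline is what makes the rule usable: without it, every legitimate VPN gateway would alert, and the signal the article describes would be lost in noise.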
In the context of Taiwan’s already tense cybersecurity environment, the findings highlight how attackers are moving toward operations designed not just for access, but for endurance.