UAT-7237 is a Chinese-speaking advanced persistent threat group active since 2022 that recently breached a Taiwanese web hosting provider. The group employs a mixture of open-source and custom software tools, with Cobalt Strike as its primary backdoor implant. It relies on SoftEther VPN and direct RDP for persistent access, and its tooling shows a preference for Simplified Chinese. UAT-7237 is assessed to be a distinct subgroup of UAT-5918: the two differ in tactics despite sharing a focus on Taiwan's critical infrastructure.
UAT-7237 primarily uses Cobalt Strike as its favored backdoor implant, while UAT-5918 prefers Meterpreter-based reverse shells.
UAT-7237 had a particular interest in gaining access to the victim organization's VPN and cloud infrastructure.
The server used by UAT-7237 for persistent access was created in September 2022 and last used in December 2024.
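The two persistence channels named above, SoftEther VPN and direct RDP, both leave traces in Windows Security events that a defender can hunt for. The following is an added example and not code from the original report or from the group's tooling; it assumes events have already been parsed into dicts with standard Security-log field names (EventID 4624 logon, 4697 service install, 4688 process creation), that interactive RDP logons are expected only from a fixed set of jump hosts, and that the SoftEther indicator substrings listed are sufficient. The sample events are constructed.

```python
"""Hunt for SoftEther VPN installation/execution and RDP logons from unexpected
sources in parsed Windows Security events.  Added example (not from the original
page); the event field layout, the allowed-source list and the indicator
substrings are assumptions, and SAMPLE_EVENTS is constructed test data."""
from dataclasses import dataclass

# Assumption: interactive RDP logons are legitimate only from these jump hosts.
ALLOWED_RDP_SOURCES = {"10.0.5.10"}

# Assumption: lower-case substrings that identify SoftEther binaries/services.
SOFTETHER_HINTS = ("softether", "vpnserver", "vpnbridge", "vpnclient", "sevpn")

# Windows LogonType 10 = RemoteInteractive (RDP); the log stores it as a string.
REMOTE_INTERACTIVE = "10"


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _mentions_softether(*values: str) -> bool:
    """True if any non-empty value contains one of the SoftEther hint strings."""
    return any(h in v.lower() for v in values if v for h in SOFTETHER_HINTS)


def hunt(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that matches an RDP or SoftEther rule."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 4624 and ev.get("LogonType") == REMOTE_INTERACTIVE:
            src = ev.get("IpAddress", "-")
            if src not in ALLOWED_RDP_SOURCES:
                findings.append(Finding("rdp_from_unexpected_source", host,
                                        f"{ev.get('TargetUserName')} from {src}"))
        elif eid == 4697 and _mentions_softether(ev.get("ServiceName", ""),
                                                  ev.get("ServiceFileName", "")):
            findings.append(Finding("softether_service_installed", host,
                                    ev.get("ServiceFileName", "")))
        elif eid == 4688 and _mentions_softether(ev.get("NewProcessName", ""),
                                                  ev.get("CommandLine", "")):
            findings.append(Finding("softether_process_started", host,
                                    ev.get("NewProcessName", "")))
    return findings


# Constructed sample events (documentation/TEST-NET addresses, made-up hosts).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WEB01", "LogonType": "10",
     "TargetUserName": "admin", "IpAddress": "10.0.5.10"},      # allowed jump host
    {"EventID": 4624, "Computer": "WEB01", "LogonType": "10",
     "TargetUserName": "admin", "IpAddress": "203.0.113.7"},    # unexpected source
    {"EventID": 4624, "Computer": "WEB01", "LogonType": "3",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.5.22"},  # network logon, ignored
    {"EventID": 4697, "Computer": "WEB01", "ServiceName": "SEVPNSERVER",
     "ServiceFileName": r"C:\Windows\Temp\vpnserver_x64.exe"},
    {"EventID": 4688, "Computer": "WEB01",
     "NewProcessName": r"C:\Windows\Temp\vpnserver_x64.exe",
     "CommandLine": "vpnserver_x64.exe /start"},
    {"EventID": 4688, "Computer": "WEB01",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                   # benign, ignored
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.host:8} {f.detail}")
```

The RDP rule keys on LogonType 10 rather than on port 3389 so it also catches sessions tunnelled through a VPN; the SoftEther rules match both the service-install and process-creation events because an operator who runs the binary without registering a service would produce only the latter.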