UAT-7237 Targets Taiwanese Web Hosting Infrastructure

    Date: 08/18/2025

    Severity: Medium

    Summary

    UAT-7237 is a Chinese-speaking APT group active since at least 2022, with strong links to UAT-5918. It recently targeted web infrastructure entities in Taiwan, using heavily customized open-source tools to evade detection and maintain long-term persistence in high-value environments. The group also employs a customized shellcode loader known as "SoundBill," capable of decoding and loading various shellcodes, including Cobalt Strike.

    Indicators of Compromise (IOC) List

    URL/Domain

    cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1.on.aws

    http://141.164.50.141/sdksdk608/win-x64.rar

    IP Address

    141.164.50.141

    Hash

    450fa9029c59af9edf2126df1d6a657ee6eb024d0341b32e6f6bdb8dc04bae5a

    6a72e4b92d6a459fc2c6054e9ddb9819d04ed362bd847333492410b6d7bae5aa

    e106716a660c751e37cfc4f4fbf2ea2f833e92c2a49a0b3f40fc36ad77e0a044

    b52bf5a644ae96807e6d846b0ce203611d83cc8a782badc68ac46c9616649477

    864e67f76ad0ce6d4cc83304af4347384c364ca6735df0797e4b1ff9519689c5

    df8497b9c37b780d6b6904a24133131faed8ea4cf3d75830b53c25d41c5ea386

    0952e5409f39824b8a630881d585030a1d656db897adf228ce27dd9243db20b7

    7a5f05da3739ad3e11414672d01b8bcf23503a9a8f1dd3f10ba2ead7745cdb1f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://141.164.50.141/sdksdk608/win-x64.rar"
    or siteurl like "http://141.164.50.141/sdksdk608/win-x64.rar"
    or url like "http://141.164.50.141/sdksdk608/win-x64.rar"
    or domainname like "cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1.on.aws"
    or siteurl like "cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1.on.aws"
    or url like "cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1.on.aws"

    Detection Query 2:

    dstipaddress IN ("141.164.50.141") or srcipaddress IN ("141.164.50.141")

    Detection Query 3 (hashes normalized to lowercase so the match does not depend on the case in which the source logs its SHA-256 values):

    sha256hash IN (
        "df8497b9c37b780d6b6904a24133131faed8ea4cf3d75830b53c25d41c5ea386",
        "0952e5409f39824b8a630881d585030a1d656db897adf228ce27dd9243db20b7",
        "450fa9029c59af9edf2126df1d6a657ee6eb024d0341b32e6f6bdb8dc04bae5a",
        "6a72e4b92d6a459fc2c6054e9ddb9819d04ed362bd847333492410b6d7bae5aa",
        "e106716a660c751e37cfc4f4fbf2ea2f833e92c2a49a0b3f40fc36ad77e0a044",
        "b52bf5a644ae96807e6d846b0ce203611d83cc8a782badc68ac46c9616649477",
        "864e67f76ad0ce6d4cc83304af4347384c364ca6735df0797e4b1ff9519689c5",
        "7a5f05da3739ad3e11414672d01b8bcf23503a9a8f1dd3f10ba2ead7745cdb1f"
    )
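    The three queries above can be mirrored outside the TDIR platform to triage an exported batch of events offline, for example when hunting through historical logs. The following script is an added example written for this page; it is not Gurucul's code and does not use the TDIR query language. It carries the advisory's IOCs as data, extracts the host from URL-type fields so that a domain or IP indicator also fires when it appears inside a full URL, and lower-cases hashes before comparison. The event records are constructed samples, not real telemetry.

```python
from urllib.parse import urlparse

# Indicators copied from the advisory above.
IOC_URLS = {"http://141.164.50.141/sdksdk608/win-x64.rar"}
IOC_DOMAINS = {"cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1.on.aws"}
IOC_IPS = {"141.164.50.141"}
IOC_SHA256 = {h.lower() for h in (
    "450fa9029c59af9edf2126df1d6a657ee6eb024d0341b32e6f6bdb8dc04bae5a",
    "6a72e4b92d6a459fc2c6054e9ddb9819d04ed362bd847333492410b6d7bae5aa",
    "E106716a660c751e37cfc4f4fbf2ea2f833e92c2a49a0b3f40fc36ad77e0a044",
    "B52bf5a644ae96807e6d846b0ce203611d83cc8a782badc68ac46c9616649477",
    "864e67f76ad0ce6d4cc83304af4347384c364ca6735df0797e4b1ff9519689c5",
    "Df8497b9c37b780d6b6904a24133131faed8ea4cf3d75830b53c25d41c5ea386",
    "0952e5409f39824b8a630881d585030a1d656db897adf228ce27dd9243db20b7",
    "7a5f05da3739ad3e11414672d01b8bcf23503a9a8f1dd3f10ba2ead7745cdb1f",
)}

# Field names follow the TDIR queries above; the records themselves are constructed.
URL_FIELDS = ("url", "siteurl", "domainname")
IP_FIELDS = ("srcipaddress", "dstipaddress")

SAMPLE_EVENTS = [
    # Download of the staged archive straight from the C2 IP.
    {"url": "http://141.164.50.141/sdksdk608/win-x64.rar", "dstipaddress": "141.164.50.141"},
    # DNS/proxy record naming only the Lambda function URL host.
    {"domainname": "cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1.on.aws"},
    # EDR file event logging the hash in upper case (constructed to show normalization).
    {"sha256hash": "E106716A660C751E37CFC4F4FBF2EA2F833E92C2A49A0B3F40FC36AD77E0A044"},
    # Benign record: nothing here should match.
    {"url": "https://example.com/index.html", "dstipaddress": "203.0.113.10",
     "sha256hash": "0" * 64},
]


def url_host(value):
    """Return the lower-cased host of a URL, a bare hostname, or an IP string."""
    # urlparse only fills netloc when a scheme or leading '//' is present.
    target = value if "://" in value else "//" + value
    return urlparse(target).hostname or ""


def match_event(event):
    """Return a list of (field, ioc_type, value) hits for one event dict."""
    hits = []
    for field in URL_FIELDS:
        value = event.get(field)
        if not value:
            continue
        if value in IOC_URLS:                      # Query 1: full URL match
            hits.append((field, "url", value))
        host = url_host(value)
        if host in IOC_DOMAINS:                    # Query 1: domain match
            hits.append((field, "domain", host))
        if host in IOC_IPS:                        # Query 2 reached via a URL
            hits.append((field, "ip", host))
    for field in IP_FIELDS:                        # Query 2: src/dst IP match
        value = event.get(field)
        if value in IOC_IPS:
            hits.append((field, "ip", value))
    digest = event.get("sha256hash")               # Query 3: case-insensitive hash
    if digest and digest.lower() in IOC_SHA256:
        hits.append(("sha256hash", "sha256", digest.lower()))
    return hits


def scan(events):
    """Return [(index, hits)] for every event with at least one IOC hit."""
    results = []
    for index, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        for field, ioc_type, value in hits:
            print(f"event {index}: {field} matched {ioc_type} IOC {value}")
```

    Feed real exports as a list of dicts with the same field names; anything the platform cannot match because of hash case or because an indicator is embedded in a longer URL will still be caught here, which is also a quick way to check the platform queries against a known-positive sample.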

    Reference:

    https://blog.talosintelligence.com/uat-7237-targets-web-hosting-infra/


    Tags

    Malware, Threat Actor, SoundBill, APT, UAT-7237, UAT-5918, China, Taiwan, Cobalt Strike
