{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Daily Security Review","title":"Chinese APTs Target Taiwan: UAT-7237’s SoundBill Loader and Gelsemium’s FireWood Backdoor","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/7dfdeced\"></iframe>","width":"100%","height":180,"duration":1550,"description":"Taiwan continues to face an unprecedented wave of cyberattacks, with new intelligence exposing two distinct but sophisticated campaigns linked to Chinese threat actors. Together, they underscore Beijing’s increasingly aggressive cyber posture against Taiwan’s digital and critical infrastructure. The first campaign, attributed to UAT-7237, a subgroup of the China-aligned UAT-5918, has been active since 2022 and focuses heavily on Taiwan’s web infrastructure entities and VPN services. The group exploits unpatched internet-facing servers for initial access, then pivots to long-term persistence using customized open-source tools and SoftEther VPN. At the heart of their toolkit lies a bespoke shellcode loader dubbed “SoundBill,” designed to deploy Cobalt Strike payloads while embedding credential theft tools like Mimikatz. For privilege escalation, UAT-7237 relies on JuicyPotato, a technique widely associated with Chinese APTs. They also employ FScan for reconnaissance, RDP for persistence, and stolen LSASS credentials for lateral movement. Cisco Talos analysts emphasize that the group’s TTPs reflect a long-term strategy of infiltration and control, targeting cloud environments and sensitive enterprise systems. Meanwhile, a second campaign reveals a new Linux variant of the FireWood backdoor, linked with low confidence to the Gelsemium APT. FireWood, first documented in 2024, is a Linux RAT that leverages kernel-level rootkits and TEA-based encryption for stealth. The new variant maintains FireWood’s core capabilities—command execution, persistence, and data exfiltration—but introduces changes in its configuration and implementation to further evade detection. Analysts view this as part of a broader trend: China-aligned APTs are shifting from Windows-centric malware to Linux-based backdoors, targeting servers and hosting environments that often run the backbone of modern internet and enterprise services. This dual-track evolution illustrates a strategic adaptation by...","thumbnail_url":"https://img.transistorcdn.com/pL79_MJFeJHamQ_ztImsGmDSMdl27VMk_30TAkieujE/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8yNzg5/ZjlhNzM5Y2M4Njli/NjkxNzgyODA2Nzhi/MDI2ZC5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}