UAT-7237
Threat actor, attributed to China 🇨🇳
UAT-7237 is a Chinese-speaking APT group that has been active since at least 2022, primarily targeting web infrastructure entities in Taiwan. The group uses a customized shellcode loader known as "SoundBill" to execute shellcode, including Cobalt Strike payloads, and relies on SoftEther VPN clients and RDP for persistence and access. UAT-7237 employs techniques such as credential extraction with Mimikatz, reconnaissance with WMI-based tools, and selective deployment of web shells. Its operations indicate a focus on long-term persistence and stealth, with a preference for open-source and customized tooling.
Indicators of Compromise (13)

Type      Value
Filename  MyAppDomainManager.dll
Filename  PerfWatson2.exe
Filename  chrome_setup.zip
SHA-256   00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c
SHA-256   4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384
SHA-256   9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472
SHA-256   cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3
SHA-256   dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b
SHA-256   f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1
IP        139.180.134.221
IP        202.182.102.5
IP        45.32.113.172
IP        45.76.210.43
MITRE ATT&CK TTPs (10)

ID         Technique                            Tactic
T1003      OS Credential Dumping                Credential Access
T1021      Remote Services                      Lateral Movement
T1055.003  Thread Execution Hijacking           Defense Evasion
T1059.001  PowerShell                           Execution
T1071.001  Web Protocols                        Command And Control
T1074      Data Staged                          Collection
T1082      System Information Discovery         Discovery
T1110      Brute Force                          Credential Access
T1212      Exploitation for Credential Access   Credential Access
T1485      Data Destruction                     Impact
Detection Rules

UAT_7237_SIGMA_Detection
Tags: sigma, ai_generated
title: UAT-7237 (CL-STA-1062) Process Indicators - PerfWatson2 Loader, Known Hashes and Suspicious Command Lines
id: 3a8d5e2b-9c1e-4f0a-9b2d-7a8c4f1c3e4a
status: experimental
description: Process creation events matching UAT-7237 tooling or the command-line patterns associated with the campaign. Image load, network and file indicators belong to other Sigma log source categories and are covered by the companion rules in this collection.
logsource:
    category: process_creation
    product: windows
detection:
    selection_exe:
        OriginalFileName: 'PerfWatson2.exe'
    selection_cmd:
        CommandLine|contains:
            - 'powershell -exec bypass -w 1'
            - 'regsvr32 /s /n /u /i:'
    selection_hashes:
        Hashes|contains:
            - 'SHA256=00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c'
            - 'SHA256=f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1'
            - 'SHA256=dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b'
            - 'SHA256=cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3'
            - 'SHA256=4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384'
            - 'SHA256=9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472'
    condition: 1 of selection_*
falsepositives:
    - Legitimate software updates using similar filenames (rare)
    - Administrative scripting with obfuscated commands (uncommon in standard user context)
level: critical
---
title: UAT-7237 (CL-STA-1062) AppDomainManager Injection DLL Loaded
id: 00000000-0000-0000-0000-000000000002  # placeholder, generate a fresh UUID before use
status: experimental
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\MyAppDomainManager.dll'
    condition: selection
level: critical
---
title: UAT-7237 (CL-STA-1062) Connection to Known C2 Infrastructure
id: 00000000-0000-0000-0000-000000000003  # placeholder, generate a fresh UUID before use
status: experimental
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationIp:
            - '139.180.134.221'
            - '202.182.102.5'
            - '45.76.210.43'
            - '45.32.113.172'
    condition: selection
level: critical
---
title: UAT-7237 (CL-STA-1062) Staging Archive chrome_setup.zip Written
id: 00000000-0000-0000-0000-000000000004  # placeholder, generate a fresh UUID before use
status: experimental
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\chrome_setup.zip'
    condition: selection
falsepositives:
    - Legitimate software updates using similar filenames (rare)
level: critical

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.