Unmasking UAT-7237: How China’s Secret Hacker Army Strikes Taiwan

The420.in Staff

Security researchers have uncovered a new Chinese-linked hacker group systematically targeting Taiwan’s web hosting companies in what experts describe as a long-term cyber espionage campaign. The group, identified as UAT-7237 by Cisco Talos analysts, has been found infiltrating hosting infrastructure, stealing credentials, and deploying advanced malware designed to maintain persistence within networks.

Advanced Tools and Espionage Techniques

Investigators say the group’s operations bear similarities to well-documented state-backed clusters such as Volt Typhoon and Flax Typhoon, though formal attribution remains unconfirmed. UAT-7237 is reportedly using custom shellcode loaders, including a tool dubbed SoundBite, alongside Cobalt Strike beacons to establish command-and-control channels.

The hackers exploit vulnerabilities in outdated and unpatched servers, frequently leveraging Remote Desktop Protocol (RDP) and SoftEther VPN clients to gain footholds inside corporate systems. Once inside, they conduct network reconnaissance, harvest passwords, and deploy malware that creates hidden backdoors for sustained access.

Cisco Talos noted a recent intrusion attempt on a major Taiwanese hosting provider, in which attackers sought access to both VPN and cloud services, a move that could have compromised thousands of downstream clients.

Strategic Threat to Taiwan’s Digital Infrastructure

Taiwan’s web hosting companies form the backbone of the island’s digital services, powering business platforms, e-commerce, and government portals. Experts warn that compromising such providers could allow Beijing-backed actors to conduct widespread surveillance and sabotage critical infrastructure.

One analyst involved in the research stated that the concern is not just data theft. The group’s tactics suggest an intention to quietly occupy hosting environments over the long term, giving them strategic leverage.

Cybersecurity specialists have urged Taiwan’s hosting firms to immediately strengthen defences, patch outdated systems, and monitor for suspicious VPN activity. Analysts emphasize that the campaign is consistent with China’s broader geopolitical posture toward Taiwan, where cyber operations often precede or accompany diplomatic and military pressure.
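The two detection points the article keeps returning to, RDP footholds on unpatched servers and unexpected SoftEther VPN client use, are simple to check for in host logs. The script below is an added example (not from the article or from Cisco Talos) that runs a small correlation pass over constructed sample events modelled on Windows Security 4624 (logon) and 4688 (process creation) records. The event IDs and the RemoteInteractive logon type 10 are real Windows values; the host names, IP addresses, the allow list of admin source ranges and the list of VPN client binary names are assumptions made for the example.

```python
"""Added example: flag RDP logons from addresses outside an assumed allow list and
execution of VPN client binaries on hosting servers, then correlate the two per
host/account. Sample data is constructed; it is not evidence from any real case."""
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_LOG = """\
{"event_id": 4624, "host": "web-01", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.5.20"}
{"event_id": 4624, "host": "web-01", "user": "svc_backup", "logon_type": 10, "src_ip": "203.0.113.77"}
{"event_id": 4624, "host": "db-02", "user": "admin", "logon_type": 3, "src_ip": "203.0.113.77"}
{"event_id": 4688, "host": "web-01", "user": "svc_backup", "process": "C:\\\\Program Files\\\\SoftEther VPN Client\\\\vpnclient.exe"}
{"event_id": 4688, "host": "web-01", "user": "svc_backup", "process": "C:\\\\Windows\\\\System32\\\\cmd.exe"}
{"event_id": 4624, "host": "web-03", "user": "ops", "logon_type": 10, "src_ip": "10.0.5.21"}
"""

# Assumed baseline: the jump-host range administrators are expected to RDP from.
ALLOWED_RDP_SOURCES = ("10.0.5.",)
# Assumed: SoftEther component names that have no business running on a hosting server.
VPN_CLIENT_NAMES = ("vpnclient.exe", "vpncmgr.exe", "vpnbridge.exe")

RDP_LOGON_TYPE = 10  # RemoteInteractive logon type in Windows 4624 events


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate junk rather than abort the whole run
    return events


def flag_rdp_from_unknown_sources(events):
    """Return (host, user, src_ip) for RDP logons whose source is outside the allow list."""
    hits = []
    for e in events:
        if e.get("event_id") != 4624 or e.get("logon_type") != RDP_LOGON_TYPE:
            continue
        src = e.get("src_ip", "")
        if not src.startswith(ALLOWED_RDP_SOURCES):
            hits.append((e["host"], e["user"], src))
    return hits


def flag_vpn_client_execution(events):
    """Return (host, user, image_path) for process creations that launch a VPN client."""
    hits = []
    for e in events:
        if e.get("event_id") != 4688:
            continue
        image = e.get("process", "")
        # Normalise the path separator and compare only the file name, case-insensitively.
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in VPN_CLIENT_NAMES:
            hits.append((e["host"], e["user"], image))
    return hits


def correlate(events):
    """Score each (host, user): 1 for an RDP logon from an unknown source, 2 for
    launching a VPN client. Both on the same host/account is the case worth triaging first."""
    score = defaultdict(int)
    for host, user, _ in flag_rdp_from_unknown_sources(events):
        score[(host, user)] += 1
    for host, user, _ in flag_vpn_client_execution(events):
        score[(host, user)] += 2
    return dict(score)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (host, user), s in sorted(correlate(evs).items(), key=lambda kv: -kv[1]):
        print(f"{host}/{user}: score {s}")
```

In the sample data only `web-01`/`svc_backup` trips both signals; the type-3 network logon on `db-02` from the same external address is deliberately not counted, because the article's concern is interactive RDP access, and a real deployment would tune the allow list and binary names to its own environment.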

For Taiwan, the discovery of UAT-7237 reinforces the urgent need to bolster cyber resilience against increasingly sophisticated state-backed threats.