#### [Cyber-crime](/security/cyber_crime/)

Typhoon-adjacent Chinese crew broke into Taiwanese web host
===========================================================

Is that a JuicyPotato on your network?

[Jessica Lyons](/Author/Jessica-Lyons) Fri 15 Aug 2025 // 21:47 UTC

A suspected Chinese-government-backed cyber crew recently broke into a Taiwanese web hosting provider to steal credentials and plant backdoors for long-term access, using a mix of open-source and custom software tools, Cisco Talos reports.

Talos tracks the Chinese-speaking advanced persistent threat (APT) group as UAT-7237 and says that it has been active since at least 2022.

The security team estimated the active time period by analyzing a remote server hosting the SoftEther VPN client that UAT-7237 uses for persistent access. The server was created in September 2022 and last used in December 2024. The group also specified Simplified Chinese as the VPN’s preferred display language.

Talos believes that this crew is a subgroup of another Chinese APT, [UAT-5918](https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/), which also targets Taiwan’s critical infrastructure and overlaps with several Beijing-backed goon squads, including [Volt Typhoon](https://www.theregister.com/2025/03/12/volt_tyhoon_experience_interview_with_gm/) and [Flax Typhoon](https://www.theregister.com/2024/09/18/fbi_flax_typhoon_ransomware/). However, despite the overlaps, the threat hunters designate UAT-7237 as a separate group because of some distinct differences in its tactics, techniques, and procedures.

Specifically, UAT-7237 primarily uses Cobalt Strike as its favored backdoor implant, while UAT-5918 prefers Meterpreter-based reverse shells. Post-compromise, UAT-5918 tends to deploy a ton of web shells, whereas UAT-7237 is more selective and only deploys a few on select endpoints. Additionally, UAT-5918 relies on web shells for backdoor access, while UAT-7237 uses a combination of direct remote desktop protocol (RDP) access and SoftEther VPN clients.

In a Friday report, Talos documents an intrusion during which UAT-7237 compromised an unnamed Taiwanese web hosting provider.

‘It is worth noting that the threat actor had a particular interest in gaining access to the victim organization’s VPN and cloud infrastructure,’ Talos researchers Asheer Malhotra, Brandon White, and Vitor Ventura [wrote](https://blog.talosintelligence.com/uat-7237-targets-web-hosting-infra/).

The report doesn’t indicate how many other organizations UAT-7237 successfully compromised, nor does it specify other sectors this crew has targeted.

Talos declined to answer any of *The Register*’s questions about the group’s victims, the size and scope of recent campaigns, and the vulnerabilities UAT-7237 exploited to gain initial access. The security shop did publish indicators of compromise for its UAT-7237 research on its GitHub repository [here](https://github.com/Cisco-Talos/IOCs/tree/main/2025/08), so we’d suggest giving those a scan.

### More reasons to patch

According to the threat intel team, UAT-7237 gains initial access via known vulnerabilities on unpatched servers exposed to the internet. After they break in, they stealthily conduct reconnaissance to determine whether the victim has anything of value, and establish long-term access using the SoftEther VPN client.

Post-compromise, the group deploys both custom-built and open-source tools. Among the customized malware, UAT-7237 uses SoundBill, a shellcode loader written in Chinese and based on [VTHello](https://github.com/cdxiaodong/some-function-in-binary/blob/08b66e5504f03373bd70341a4493a7450091c471/%E5%BC%82%E6%88%96%2B%E6%B7%B7%E6%B7%86/%E5%BC%82%E6%88%96%2B%E6%B7%B7%E6%B7%86/%E5%BC%82%E6%88%96%2B%E6%B7%B7%E6%B7%86.cpp).

In addition to the shellcode, SoundBill contains two embedded executables that originate from QQ, a Chinese instant messaging application. Talos says that these are likely decoy files, used in phishing attacks.

JuicyPotato, a privilege escalation tool popular with Chinese-speaking hackers, is another piece of malware that UAT-7237 uses to execute commands on compromised endpoints.

The attackers ‘on several occasions’ attempted to change settings and configurations, adjust privileges to allow their malicious activity, and enable storage of cleartext passwords.

They use other methods for their credential-stealing endeavors as well, including Mimikatz, to extract credentials from the infected endpoints, and they search the registry and disk for credentials.

Talos also notes that the crew uses another ‘likely open-source’ tool to invoke a BAT file and execute commands on the endpoints. They also deploy another executable, the [ssp_dump_lsass](https://github.com/xunyang1/ssp_dump_lsass/) project on GitHub, which dumps Local Security Authority Subsystem Service (LSASS) memory and steals credentials. However, the JuicyPotato malware can also extract credentials via the BAT file, we’re told.

For its network-scanning activities, UAT-7237 uses FScan to search for open ports across IP subnets, and SMB scans to identify SMB service information on specific endpoints.

And then, once the gang finds other accessible systems, they quickly conduct additional recon to see if they can pivot to these as well using the previously swiped credentials. ®
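The credential-theft behaviour (enabling cleartext password storage, dumping LSASS memory) and the FScan/SMB subnet scanning described above are all visible in ordinary endpoint and network telemetry. The following is an added example, written for this edit and not code from Talos, *The Register*, or any of the tools named in the article. It runs three defender-side checks over constructed sample data: a registry-set event for the WDigest `UseLogonCredential` value (the assumption here is that this is the setting behind ‘enable storage of cleartext passwords’; setting it to 1 makes LSASS keep cleartext credentials in memory), a process-access event against `lsass.exe`, and a fan-out count of distinct targets per source in flow logs. Field names and event IDs follow Sysmon conventions (13 for registry value set, 10 for process access), but every event, flow record, path, IP, threshold and allowlist entry is made up for illustration.

```python
"""Detections for cleartext-credential enablement, LSASS access and subnet
scanning. Added example; all telemetry below is constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real registry value: a DWORD of 1 here makes LSASS cache cleartext credentials.
WDIGEST_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders"
               r"\WDigest\UseLogonCredential")

# Constructed allowlist of binaries that legitimately open LSASS; tune per fleet.
LSASS_ALLOWED_SOURCES = {r"C:\Program Files\Windows Defender\MsMpEng.exe"}

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Constructed Sysmon-style events (field names are Sysmon's, values are made up).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WDIGEST_KEY, "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime",
     "Details": "QWORD (0x01dc0e5a9b3c1234)"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]


def build_sample_flows():
    """Constructed flow log: one host sweeping a /24 on SMB, one normal host."""
    base = datetime(2025, 8, 15, 3, 0, 0)
    flows = [(base + timedelta(seconds=i), "10.0.5.23", f"10.0.6.{i + 1}", 445)
             for i in range(25)]
    flows += [(base + timedelta(minutes=5 * i), "10.0.5.40", "10.0.6.9", 445)
              for i in range(3)]
    return flows


def detect_cleartext_password_enable(events):
    """Return the images that set WDigest UseLogonCredential to 1."""
    hits = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        if e["TargetObject"].lower() != WDIGEST_KEY.lower():
            continue
        if "0x00000001" in e["Details"]:  # Sysmon renders the new value in Details
            hits.append(e["Image"])
    return hits


def detect_lsass_access(events, allowed=LSASS_ALLOWED_SOURCES):
    """Return non-allowlisted images that opened lsass.exe with memory-read access."""
    hits = []
    for e in events:
        if e.get("EventID") != 10:
            continue
        if not e["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if e["SourceImage"] in allowed:
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            hits.append(e["SourceImage"])
    return hits


def detect_scan_fanout(flows, window=timedelta(seconds=60), min_targets=20):
    """Map source IP -> peak number of distinct (dst, port) targets contacted
    inside any sliding window; sources below min_targets are omitted."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, (dst, dport)))
    peaks = {}
    for src, recs in by_src.items():
        recs.sort()
        live = defaultdict(int)  # target -> occurrences currently inside the window
        left = 0
        for ts, target in recs:
            live[target] += 1
            while recs[left][0] < ts - window:  # expire records older than the window
                old = recs[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            if len(live) >= min_targets:
                peaks[src] = max(peaks.get(src, 0), len(live))
    return peaks


def run_detections(events, flows):
    """Combine the three checks into a flat list of alert strings."""
    alerts = [f"cleartext-credential storage enabled by {img}"
              for img in detect_cleartext_password_enable(events)]
    alerts += [f"LSASS memory read by {img}" for img in detect_lsass_access(events)]
    alerts += [f"scan fan-out from {src}: {n} targets"
               for src, n in detect_scan_fanout(flows).items()]
    return alerts


if __name__ == "__main__":
    for line in run_detections(SAMPLE_EVENTS, build_sample_flows()):
        print(line)
```

The fan-out window and threshold are deliberately conservative so that a management host polling a few servers does not trip it; the LSASS check keys on the memory-read bit rather than on a specific tool name, since the article notes several different binaries (Mimikatz, ssp_dump_lsass, a BAT-invoking helper) arriving at the same result.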