Key Takeaways
Cisco Talos recently revealed that a China-linked hacking group — UAT-7237 — has been infiltrating Taiwanese web hosting providers since at least 2022, installing VPNs, backdoors, and credential-stealing tools to target clients across critical sectors.
More specifically, Cisco Talos noted that the group has shown “particular interest” in VPN and cloud management layers. Some analysts say it fits the “harvest later” method commonly used in cyberattacks.

The attacks highlight a growing risk that hosting platforms, not their tenants, could shoulder the blame for sophisticated nation-state espionage.
But who are UAT-7237, and why should hosting providers outside of Taiwan care? Well, it’s a reminder that a single compromise is all it takes to become the gateway to an entire customer base.
Evidence of Chinese Origin
The exact identity of UAT-7237 is unknown, but Cisco Talos has identified it as a Chinese-speaking nation-state-linked group.
More specifically, it’s a subgroup because of its Simplified Chinese configurations, Chinese-commented code, and QQ-linked chats, an instant messaging software by Tencent.
More importantly, Cisco Talos believes UAT-7237 is just one task force within a larger espionage ecosystem that lives under the UAT-5918 umbrella.
UAT-5918 has targeted Taiwan’s critical infrastructure sectors — including telecom, healthcare, and government services — since at least 2023. Like 7237, 5918’s main goal is to establish long-term information theft and credential harvesting.
Espionage Over Cash Grabbing
The million-dollar question is why.
Cisco Talos has already suggested that the goal is long-term, given the campaign dates back to 2022. That means fast cash is not the intention. With no ransomware and no miners, espionage is likely the only possibility left.
And it’s not James Bond-level spying; in this context, it’s merely about infiltrating systems to steal information. It’s not uncommon for espionage like this to last for years.
Here’s how the group has been getting in:
- They start with the basics, such as finding and exploiting unpatched servers.
- Once inside, they drop SoftEther VPN to hold their spot, and later come back with remote desktop access.
- They apparently bring their own tools. More specifically, they leverage a custom loader called SoundBill, to launch Cobalt Strike attacks and steal credentials.
What’s worse is that they are careful: Unlike other known groups, 7237 only plants web shells (a malicious script that initiates a backdoor) when necessary. They also depend on commonly used open-source tools so admins/threat scanners mistake them for normal activity.
Why Hosting Providers Should Care
The names of the compromised host(s) haven’t been publicly disclosed, but many security experts believe it’s likely they’re running infrastructure for critical sectors, such as government, finance, politics, and healthcare.
And that in itself is exactly why attackers tend to zero in on the host. It’s not about the provider itself, but that they offer gateway access to dozens or even thousands of clients.

SecurityWeek noted that this type of campaign could absolutely expose high-value targets hosted on those Taiwanese platforms. Cisco Talos also warned of a downstream risk to sensitive organizations.
Chinese hackers have a long history of targeting Taiwan:
- Operation Skeleton Key: A Chinese group called Chimera broke into at least seven Taiwanese chipmakers to steal source code and chip designs.
- Silver Fox APT: The Chinese-linked group ran phishing campaigns against Taiwan’s government, healthcare, and industrial sectors.
- Cyberattacks have doubled: Cyberattacks on Taiwan government departments doubled in 2024 compared to 2023, averaging 2.4 million attacks per day, with most of them deployed by Chinese groups.
“Although many of those attacks have been effectively detected and blocked, the growing numbers of attacks pinpoint the increasingly severe nature of China’s hacking activities,” Taiwan’s National Security Bureau report said.
Now, the group may be targeting Taiwanese providers, but that doesn’t mean everyone else is safe.
Since Taiwan is home to the world’s leading chipmakers, including TSMC — which supplies semiconductors to every major U.S. tech company — the attacks on Taiwanese infrastructure affects the entire global supply chain.
“One change in the supply chain can affect thousands of companies. And this all happens without detection.”— Nick Mistry, SVP & CISO at Lineaje
And it’s doubly frightening because UAT-7237 managed to slip in through known yet unpatched vulnerabilities. Whoever they are, it proves that nation-state groups view hosting platforms as gateways to tenants.
But when a client gets hacked, they won’t blame Beijing; they’ll blame the host.




