Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Vulnerabilities & Exploits » UAT-5918 Targets Taiwan’s Critical Infrastructure Using Web Shells and Open-Source Tools

UAT-5918 Targets Taiwan’s Critical Infrastructure Using Web Shells and Open-Source Tools

UAT-5918 Targets Taiwan’s Critical Infrastructure Using Web Shells and Open-Source Tools

https://firewall.firm.in/wp-content/uploads/2025/03/hacker-cde.png

Mar 21, 2025Ravie LakshmananThreat Hunting / Vulnerability

Threat hunters have uncovered a new threat actor named UAT-5918 that has been attacking critical infrastructure entities in Taiwan since at least 2023.

“UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting,” Cisco Talos researchers Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura said.

Cybersecurity

Besides critical infrastructure, some of the other targeted verticals include information technology, telecommunications, academia, and healthcare.

Assessed to be an advanced persistent threat (APT) group looking to establish long-term persistent access in victim environments, UAT-5918 is said to share tactical overlaps with several Chinese hacking crews tracked as Volt Typhoon, Flax Typhoon, Tropic Trooper, Earth Estries, and Dalbit.

Attack chains orchestrated by the group involve obtaining initial access by exploiting N-day security flaws in unpatched web and application servers exposed to the internet. The foothold is then used to drop several open-source tools to conduct network reconnaissance, system information gathering, and lateral movement.

UAT-5918’s post-exploitation tradecraft involves the use of Fast Reverse Proxy (FRP) and Neo-reGeorge to set up reverse proxy tunnels for accessing compromised endpoints via attacker controlled remote hosts.

Cybersecurity

The threat actor has also been leveraging tools like Mimikatz, LaZagne, and a browser-based extractor dubbed BrowserDataLite to harvest credentials to further burrow deep into the target environment via RDP, WMIC, or Impact. Also used are Chopper web shell, Crowdoor, and SparrowDoor, the latter two of which have been previously put to use by another threat group called Earth Estries.

BrowserDataLite, in particular, is designed to pilfer login information, cookies, and browsing history from web browsers. The threat actor also engages in systematic data theft by enumerating local and shared drives to find data of interest.

“The activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft,” the researchers said. “Evidently, it also includes deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

Juniper Firewall
Cisco Firewall
Checkpoint Firewall
paloalto Firewall
Fortinet Firewall
Forcepoint Firewall

 

Sophos Firewall
WatchGuard Firewall
Barracuda Firewall
Sonicwall Firewall
GajShield Firewall
Seqrite Firewall

 

 

 

 

 

 

 

 

 

 

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket

Firewall Firm is a Managed Firewall Security Solution Provider Company in India | Digital Marketing by SEO Company India | Powered by IT Monteur