UAT-5918 Threat Actor: Targeting Taiwan’s Critical Infrastructure & Telecom
22nd March 2025, Kathmandu
New threat actor UAT-5918 targets Taiwan’s critical infrastructure using web shells and open-source tools for long-term access and data theft. Learn more about their tactics.
UAT-5918 Threat Actor
According to researchers at Cisco Talos, UAT-5918 is motivated by establishing long-term access for information theft, and it combines web shells with open-source tooling to maintain persistence in victim environments.
Who is UAT-5918?
UAT-5918 is assessed to be an advanced persistent threat (APT) group whose tactics overlap with several Chinese-linked threat groups, including Volt Typhoon, Flax Typhoon, Tropic Trooper, Earth Estries, and Dalbit. Its operations align with the strategic goals of those actors: espionage and data exfiltration.
How UAT-5918 Operates
The attack chain begins with the exploitation of N-day vulnerabilities (publicly disclosed flaws for which a fix already exists) in unpatched, internet-exposed web and application servers. Once initial access is gained, UAT-5918 deploys a suite of open-source tools for:
Network reconnaissance (e.g., FScan, In-Swor).
Credential harvesting (e.g., Mimikatz, LaZagne, BrowserDataLite).
Lateral movement (e.g., RDP, WMIC, Impacket).
The group also uses Fast Reverse Proxy (FRP) and Neo-reGeorg to build reverse proxy tunnels out of the victim network, giving the operators remote access to compromised endpoints from their own infrastructure.
Key Tools and Tactics
Web Shells and Backdoors: UAT-5918 deploys the Chopper web shell together with the Crowdoor and SparrowDoor backdoors to maintain persistence.
Credential Harvesting: Tools like Mimikatz and BrowserDataLite are used to steal login information, cookies, and browsing history.
Data Exfiltration: The group systematically enumerates local and shared drives to identify and exfiltrate sensitive data, including confidential documents, database backups, and application configurations.
Overlap with Known APT Groups
UAT-5918’s tactics, techniques, and procedures (TTPs) show significant overlap with other Chinese-linked APT groups:
Volt Typhoon: Use of ping and In-Swor for network discovery, and reliance on open-source tools such as FRP and Impacket.
Flax Typhoon: Deployment of Chopper web shells, Mimikatz, and WMIC for system information gathering.
Earth Estries and Tropic Trooper: Use of FRP, FScan, and Neo-reGeorg for establishing control channels.
Targeted Sectors and Geographies
UAT-5918 primarily targets entities in Taiwan, with a focus on:
Critical infrastructure
Telecommunications
Healthcare
Information technology
Academia
Why This Matters
The group’s ability to exploit unpatched vulnerabilities, coupled with its reliance on legitimate and open-source tools driven by hands-on-keyboard post-exploitation rather than custom malware, makes it difficult to detect with signature-based controls alone. UAT-5918’s operations highlight the exposure of internet-facing critical infrastructure and the need for patch discipline and behavioural monitoring.
Cisco Talos’ Recommendations
Patch Management: Regularly update and patch internet-facing web and application servers; the group’s initial access depends on N-day vulnerabilities for which fixes are already available.
Network Monitoring: Implement threat detection that flags web-shell behaviour (web-server worker processes spawning command shells) and the execution of open-source tools such as FRP, Impacket, FScan and Mimikatz, since these activities leave little conventional malware to find.
Credential Protection: Enforce multi-factor authentication (MFA) and regularly audit accounts and privileged credentials to limit what stolen logins are worth to the attacker.
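The tooling listed under "How UAT-5918 Operates" and "Key Tools and Tactics" maps naturally onto process-creation telemetry, which is the cheapest place to act on the Network Monitoring recommendation above. The following hunting script is an added example written for this page, not code from Cisco Talos or from the UAT-5918 report. It runs a handful of rules over constructed Sysmon-style (Event ID 1) process-creation events: a web-server worker spawning a shell (Chopper-style web shell behaviour), FRP client start-up, the Impacket wmiexec/smbexec output-redirect pattern, Mimikatz and LaZagne invocations, FScan sweeps, and network share enumeration that precedes collection. The command-line patterns reflect each tool’s documented default usage and are assumptions to be tuned, not indicators published by Talos; the sample log is constructed.

```python
"""Hunting rules for UAT-5918-style tradecraft over Windows process-creation events.
Added example, not Talos code. Field names follow Sysmon Event ID 1 conventions;
the regexes are assumptions based on each tool's documented default invocation."""
import json
import re

# Web-server worker processes. A Chopper-style web shell runs its commands as a
# child of the worker, so worker -> interactive shell is the primary signal.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

PATTERNS = {
    # frpc/frps started with a config file, e.g. "frpc.exe -c frpc.toml"
    "frp_tunnel": re.compile(r"\bfrp[cs](\.exe)?\b.*\s-c\s", re.I),
    # Impacket wmiexec/smbexec redirect command output to ADMIN$ on localhost
    "impacket_exec": re.compile(
        r"cmd\.exe\s+/Q\s+/c\s.*\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I),
    # module names catch Mimikatz even when the binary has been renamed
    "mimikatz": re.compile(r"sekurlsa::|lsadump::|mimikatz", re.I),
    "lazagne": re.compile(r"\blazagne(\.exe)?\s+(all|browsers|windows)\b", re.I),
    "fscan": re.compile(r"\bfscan(64)?(\.exe)?\s+-h\s", re.I),
    # share enumeration before collection: "net view \\host", "dir \\host\share"
    "share_enum": re.compile(r"\bnet(\.exe)?\s+(view|share)\b|\bdir\s+\\\\", re.I),
}


def _basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of every rule that fires for one process-creation event."""
    hits = []
    if (_basename(event.get("ParentImage", "")) in WEB_WORKERS
            and _basename(event.get("Image", "")) in SHELLS):
        hits.append("webshell_child_process")
    cmd = event.get("CommandLine", "")
    hits.extend(name for name, rx in PATTERNS.items() if rx.search(cmd))
    return hits


def hunt(log_text):
    """Parse JSON-lines events; return {RecordId: [rules]} for events with hits."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            findings[event["RecordId"]] = hits
    return findings


# Constructed sample events (not real telemetry); backslashes are JSON-escaped.
# Record 2 (w3wp.exe -> csc.exe, normal ASP.NET compilation) and record 9 are benign.
SAMPLE_LOG = r'''
{"RecordId": 1, "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"RecordId": 2, "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "CommandLine": "csc.exe /noconfig /fullpaths @tmp.cmdline"}
{"RecordId": 3, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\ProgramData\\svc\\frpc.exe", "CommandLine": "frpc.exe -c frpc.toml"}
{"RecordId": 4, "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /Q /c ipconfig /all 1> \\\\127.0.0.1\\ADMIN$\\__1711000000.12 2>&1"}
{"RecordId": 5, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Users\\Public\\m.exe", "CommandLine": "m.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"}
{"RecordId": 6, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Users\\Public\\laZagne.exe", "CommandLine": "laZagne.exe all"}
{"RecordId": 7, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Users\\Public\\fscan64.exe", "CommandLine": "fscan64.exe -h 10.0.0.0/24"}
{"RecordId": 8, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net view \\\\FILESRV01"}
{"RecordId": 9, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\a\\notes.txt"}
'''

if __name__ == "__main__":
    for rid, rules in sorted(hunt(SAMPLE_LOG).items()):
        print(f"record {rid}: {', '.join(rules)}")
```

Record 5 shows why the Mimikatz rule keys on module names rather than the file name: a renamed binary still passes `sekurlsa::` on its command line. The worker-to-shell rule deliberately ignores `csc.exe` (record 2), which IIS spawns legitimately when compiling ASP.NET pages; extend `SHELLS` rather than `WEB_WORKERS` when tuning, so the rule stays anchored on the behaviour the web shell cannot avoid.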