The Cisco Talos threat intelligence team uncovered a threat actor it tracks as UAT-5918, active since at least 2023.
UAT-5918 typically gains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet. Once access is obtained, the threat actor uses a variety of open-source tools for network reconnaissance, exploring the compromised enterprise to identify potential pivot points for further exploitation.
The campaign is primarily focused on information theft. UAT-5918 deploys web shells across discovered sub-domains and internet-accessible servers, establishing multiple entry points into the target systems.
The threat actor harvests both local and domain-level user credentials. The attackers also create new administrative user accounts to facilitate further access, including over Remote Desktop Protocol (RDP), especially on critical endpoints. The stolen credentials are then used for lateral movement across the network, using WMIC (the Windows Management Instrumentation command-line tool), PowerShell remoting, or Impacket.
UAT-5918 makes use of several open-source tools to carry out its operations, including tunneling and proxy tools (the FRP client, Earthworm, and Neo-reGeorg) for reaching internal hosts from outside; network scanning and discovery tools (FScan and In-Swor); credential harvesting tools (Mimikatz, LaZagne, and browser credential extractors); privilege escalation tools (JuicyPotato, run on hosts where the actor already has a web shell); and web shells such as Chopper, deployed to maintain access to compromised servers.
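Because the web shells are the actor's re-entry points, a practical first check on an exposed server is to hunt the web root for the one-line Chopper-style stubs: a server-side eval() or exec of a request parameter. The scanner below is an added example, not code from Cisco Talos or from the report; the regexes encode the classic China Chopper ASPX, PHP and JSP idioms, the extension list is an assumption about common web stacks, and the sample files are constructed. It is a heuristic: a match warrants a look, not a verdict.

```python
"""Hunt for Chopper-style one-line web shells in a web root.

Added example, not Cisco Talos code. Assumes the classic China Chopper
server-side stubs (eval()/exec of a request parameter) and a list of common
web file extensions; the SAMPLE_FILES below are constructed for the demo.
"""
import re
from pathlib import Path

# Each pattern pairs a server-side language with the eval-of-request idiom
# that one-line Chopper shells rely on. Case-insensitive, whitespace-tolerant.
SHELL_PATTERNS = {
    "aspx": re.compile(
        r"eval\s*\(\s*Request\s*\.\s*(Item|Form|QueryString|Params)?\s*\[", re.I),
    "php": re.compile(
        r"@?\s*(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    "jsp": re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(\s*request\s*\.\s*getParameter", re.I),
}

# Assumed set of server-executed extensions worth inspecting.
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".phtml", ".jsp", ".jspx"}


def classify_content(text: str):
    """Return the names of all shell patterns that match the file content."""
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(text)]


def scan_files(files):
    """files: iterable of (path, content). Return {path: [matched pattern names]}.

    Files with non-web extensions are skipped so static assets are not flagged.
    """
    hits = {}
    for path, content in files:
        if Path(path).suffix.lower() not in WEB_EXTENSIONS:
            continue
        matched = classify_content(content)
        if matched:
            hits[path] = matched
    return hits


def scan_webroot(root):
    """Walk a real web root on disk and apply the same checks."""
    def gen():
        for p in Path(root).rglob("*"):
            if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS:
                try:
                    yield str(p), p.read_text(errors="ignore")
                except OSError:
                    continue
    return scan_files(gen())


# Constructed sample files: two shells, one legitimate page, one non-web file.
SAMPLE_FILES = [
    ("wwwroot/img/upload.aspx",
     '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'),
    ("wwwroot/inc/cache.php", "<?php @eval($_POST['cmd']); ?>"),
    ("wwwroot/Default.aspx", '<%@ Page Language="C#" %><html><body>Hello</body></html>'),
    ("wwwroot/static/app.js", "eval(Request.Item['x'])"),  # .js is not server-executed: skipped
]

if __name__ == "__main__":
    for path, names in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(names)}")
```

Run `scan_webroot("/var/www")` (or the IIS wwwroot) on a suspect host; pair the hits with file modification times and IIS/Apache access logs showing POSTs to those paths, since that is what distinguishes a live shell from a stale one.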
UAT-5918 also relies on "living-off-the-land binaries" (LoLBins), legitimate utilities already present on the host, to minimize detection.
The tactics and tools employed by UAT-5918 overlap with other state-sponsored threat groups. For instance, there are notable similarities with Volt Typhoon, such as the use of tools like In-Swor for network discovery, the gathering of system information, credential dumping from browsers, and the reliance on open-source tools like FRP and Earthworm. Similarly, the use of web shells and persistence techniques (e.g., RDP, WMIC) mirrors tactics seen in Flax Typhoon operations. The overlap extends to tools like Chopper, Mimikatz, JuicyPotato, and Metasploit, which have been observed in earlier Flax Typhoon campaigns.
Further, there are shared characteristics with the Earth Estries group, particularly in the use of FRP, FScan, and Impacket. Additionally, the tools and reconnaissance methods seen in UAT-5918 campaigns are consistent with those of the Dalbit group.
While overlaps suggest a shared or similar approach, some of UAT-5918’s tools, such as LaZagne, SNetCracker, PortBrute, and NetSpy, have not been seen in public reporting associated with other groups. This could indicate that these tools are either exclusive to UAT-5918 or not widely disclosed.
UAT-5918 has primarily targeted organizations in Taiwan, with a focus on critical sectors such as telecommunications, healthcare, information technology, and other infrastructure domains.
After successfully compromising a victim, UAT-5918 performs a series of reconnaissance activities to identify key users, domains, and systems. The threat actor then proceeds to deploy red-teaming and network scanning tools on endpoints to conduct further actions.
The threat actor establishes persistence through multiple channels, including RDP access, web shells, and the newly created administrative accounts on the compromised systems.
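The post-compromise sequence described above (a new account added to the local Administrators group, RDP switched on, and commands executed remotely through WMI or PowerShell remoting) leaves a recognisable trail in Windows telemetry. The detector below is an added example, not code from Cisco Talos or from the report. It assumes Security log events 4720 (account created) and 4732 (member added to a local group, Administrators being SID S-1-5-32-544), and Sysmon events 13 (registry value set) and 1 (process creation); the field names and every event record are constructed for the demo.

```python
"""Flag the UAT-5918-style post-compromise sequence in Windows event records.

Added example, not Cisco Talos code. Event dicts are constructed and use
assumed field names mirroring Security 4720/4732 and Sysmon 1/13 fields.
"""

ADMINISTRATORS_SID = "S-1-5-32-544"
# Remote execution hosts: "wmic /node:... process call create" spawns children
# under WmiPrvSE.exe; PowerShell remoting runs under wsmprovhost.exe.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}
RDP_DENY_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
                r"\fDenyTSConnections")


def detect(events):
    """Return [(rule, detail)] findings from event dicts, processed in time order.

    Rules:
      new_local_admin   a 4720 followed by a 4732 into Administrators for the same user
      rdp_enabled       Sysmon 13 writing fDenyTSConnections = 0
      remote_exec_child Sysmon 1 whose parent is a WMI/WinRM provider host
    """
    findings = []
    created = {}  # account name -> time of its 4720
    for ev in sorted(events, key=lambda e: e["time"]):
        ch, eid = ev["channel"], ev["id"]
        if ch == "Security" and eid == 4720:
            created[ev["target"]] = ev["time"]
        elif (ch == "Security" and eid == 4732
              and ev.get("group_sid") == ADMINISTRATORS_SID
              and ev["member"] in created):
            findings.append(("new_local_admin",
                             f"{ev['member']} created at {created[ev['member']]} "
                             f"and added to Administrators at {ev['time']}"))
        elif (ch == "Sysmon" and eid == 13
              and ev["target_object"] == RDP_DENY_KEY
              and "0x00000000" in ev["details"]):
            findings.append(("rdp_enabled",
                             f"{ev['image']} set fDenyTSConnections=0 at {ev['time']}"))
        elif ch == "Sysmon" and eid == 1:
            parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
            if parent in REMOTE_EXEC_PARENTS:
                findings.append(("remote_exec_child",
                                 f"{ev['parent_image']} -> {ev['command_line']}"))
    return findings


# Constructed sample telemetry: one malicious sequence plus two benign events.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T02:10:03", "channel": "Security", "id": 4720,
     "target": "sqlbackup", "subject": "Administrator"},
    {"time": "2025-03-01T02:10:09", "channel": "Security", "id": 4732,
     "member": "sqlbackup", "group_sid": "S-1-5-32-544"},
    {"time": "2025-03-01T02:11:40", "channel": "Sysmon", "id": 13,
     "image": r"C:\Windows\System32\reg.exe",
     "target_object": RDP_DENY_KEY, "details": "DWORD (0x00000000)"},
    {"time": "2025-03-01T02:15:22", "channel": "Sysmon", "id": 1,
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /c whoami /all > C:\Windows\Temp\o.txt"},
    # Benign: an interactive user launching notepad.
    {"time": "2025-03-01T02:20:00", "channel": "Sysmon", "id": 1,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
    # Benign for this rule: a pre-existing account promoted (no matching 4720).
    {"time": "2025-03-01T03:00:00", "channel": "Security", "id": 4732,
     "member": "helpdesk", "group_sid": "S-1-5-32-544"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The account rule deliberately pairs the 4720 with the 4732 so that routine promotions of existing users do not fire; widen it to 4728/4756 if domain-group additions are in scope, and feed it the real Security and Sysmon channels exported as JSON rather than the constructed list.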