Mallory
Malware (used by 1 actor)

SoundBill

SoundBill is a custom shellcode loader tracked by Cisco Talos and used by the Chinese-speaking APT group UAT-7237 in intrusions targeting web infrastructure entities in Taiwan, including a Taiwanese web hosting provider. Talos reports that the group has been active since at least 2022 and likely operates as a subgroup of UAT-5918.

SoundBill is written in Chinese and is based on VTHello. Its core function is to decode a local file (such as ptiti.txt) and then load and execute the resulting shellcode. Talos states that it can decode and load arbitrary shellcode, including Cobalt Strike payloads, custom Mimikatz functionality, and code enabling arbitrary command execution. The malware has been described as designed to decode and launch secondary payloads such as Cobalt Strike, which UAT-7237 uses as a staple backdoor implant for long-term access. Talos also reported that SoundBill contains two embedded executables originating from QQ, assessed as likely decoy files for spear-phishing lures.

Associated activity includes exploitation of known vulnerabilities on unpatched, internet-exposed servers for initial access, followed by reconnaissance, credential theft, lateral movement, and persistence via RDP and SoftEther VPN. Credential-access activity observed in the same operations included LSASS dumping, registry searches for VNC credentials, and attempts to weaken Windows security by enabling WDigest cleartext credential storage and disabling UAC remote restrictions.

Talos observed Cobalt Strike beacons associated with SoundBill communicating over HTTPS to cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1[.]on[.]aws. The reporting also references attacker infrastructure at 141[.]164[.]50[.]141 and URLs under http[://]141[.]164[.]50[.]141/sdksdk608/ as part of the broader UAT-7237 tool delivery activity.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UAT-7237

Talos researchers observed the UAT-7237 APT group using a customized Shellcode loader tracked as “SoundBill.” SoundBill can be employed to decode and load any shellcode, including Cobalt Strike.

via securityaffairs.com
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (Evidence: 2)
Tactic: Initial Access

SoundBill has two built-in programs from QQ, a Chinese messaging app, likely used as decoys in phishing attacks.

Execution

2 techniques
T1059 Command and Scripting Interpreter (Evidence: 1)
Tactic: Execution

“…code leading to arbitrary command execution…”

T1129 Shared Modules (Evidence: 1)
Tactic: Execution

Talos researchers observed the UAT-7237 APT group using a customized Shellcode loader tracked as “SoundBill.” SoundBill can be employed to decode and load any shellcode, including Cobalt Strike.

Credential Access

1 technique
T1003 OS Credential Dumping (Evidence: 2)
Tactic: Credential Access

Credentials are primarily harvested with Mimikatz, sometimes embedded in SoundBill, and through LSASS dumping (Project1.exe) or registry searches for VNC credentials.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (4)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.