
Threat actors believed to be aligned with China have been observed targeting critical infrastructure sectors in North America since at least last year.
Cisco Talos, which is tracking this activity under the name UAT-8837, has assessed with medium confidence that this is a Chinese-aligned Advanced Persistent Threat (APT) actor based on tactical overlap with other campaigns launched by threat actors in the region.
The cybersecurity firm noted that based on observed tactics, techniques, and procedures (TTPs) and post-breach activity, threat actors are “primarily tasked with gaining initial access to high-value organizations.”
“After gaining initial access, either by successfully exploiting a vulnerable server or using compromised credentials, UAT-8837 primarily deploys open source tools to collect sensitive information such as credentials, security configurations, domain and Active Directory (AD) information, and create multiple access channels to victims,” it added.
UAT-8837 is said to have recently gained initial access by exploiting a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS score: 9.0), and this intrusion shares similarities in TTPs, tools, and infrastructure with a campaign detailed by Google-owned Mandiant in September 2025.

It is not clear whether these two clusters are the work of the same actor, but the overlap suggests that UAT-8837 may have access to zero-day exploits to carry out cyberattacks.
Once it has established a foothold on the target network, the actor conducts preliminary reconnaissance and then disables Remote Desktop Protocol (RDP) Restricted Admin mode, a security feature that prevents credentials and other user resources from being exposed to compromised remote hosts.
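Because the actor's tampering with Restricted Admin mode is an observable host change, a defender can audit the setting directly. The following PowerShell is an added example, not code from the Talos report or from Cisco; it reads the DWORD value DisableRestrictedAdmin under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the registry location that controls the feature), reports the effective state, compares it against a baseline the organization chooses, and optionally restores the baseline. The function names and the -ExpectedEnabled baseline parameter are this example's own.

```powershell
# Added example (not from the Talos report): audit RDP Restricted Admin mode.
# The mode is governed by the DWORD DisableRestrictedAdmin under the Lsa key:
#   0                 -> Restricted Admin mode enabled (credentials are not sent to the remote host)
#   1 or value absent -> Restricted Admin mode disabled (the Windows default)
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictedAdminState {
    param([string]$Key = $LsaKey)

    # Read the value without throwing when it does not exist (the default state).
    $item  = Get-ItemProperty -Path $Key -Name 'DisableRestrictedAdmin' -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.DisableRestrictedAdmin } else { $null }

    $state = if ($null -eq $value) { 'Disabled (value absent)' }
             elseif ($value -eq 0) { 'Enabled' }
             else                  { 'Disabled' }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Key                    = $Key
        DisableRestrictedAdmin = $value
        RestrictedAdminMode    = $state
        Enabled                = ($value -eq 0)
    }
}

function Test-RestrictedAdminDrift {
    # -ExpectedEnabled is this example's own baseline switch: pass it when your
    # hardening standard requires Restricted Admin mode to be on.
    param([switch]$ExpectedEnabled)

    $current = Get-RestrictedAdminState
    $drift   = $current.Enabled -ne [bool]$ExpectedEnabled

    [pscustomobject]@{
        ComputerName = $current.ComputerName
        Current      = $current.RestrictedAdminMode
        Expected     = if ($ExpectedEnabled) { 'Enabled' } else { 'Disabled' }
        Drift        = $drift
    }
}

function Restore-RestrictedAdminBaseline {
    # Re-applies the baseline. Requires local administrator rights.
    param([switch]$Enable, [string]$Key = $LsaKey)

    $desired = if ($Enable) { 0 } else { 1 }
    Set-ItemProperty -Path $Key -Name 'DisableRestrictedAdmin' -Value $desired -Type DWord
    Get-RestrictedAdminState -Key $Key
}

# Usage: report the current state and flag drift from an "enabled" baseline.
Get-RestrictedAdminState | Format-List
$result = Test-RestrictedAdminDrift -ExpectedEnabled
if ($result.Drift) {
    Write-Warning ("Restricted Admin mode drift on {0}: current={1}, expected={2}" -f `
        $result.ComputerName, $result.Current, $result.Expected)
}
```

Run the check from a scheduled task or configuration-management agent so that a change to the value between runs stands out. Whether Restricted Admin mode should be on is a baseline decision for each environment; the point here is that an unexplained change to the value on a host is worth investigating, and a SACL on the Lsa key will also surface such changes as Security log event 4657 (a registry value was modified).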
UAT-8837 is also said to open “cmd.exe” to perform hands-on-keyboard operations on infected hosts and to download several artifacts that facilitate post-exploitation activity. Notable artifacts include:
GoTokenTheft, to steal access tokens
EarthWorm, to create a reverse tunnel to an attacker-controlled server using SOCKS
DWAgent, to enable persistent remote access
SharpHound, for Active Directory reconnaissance
Impacket, to collect Active Directory information and execute commands with elevated privileges
GoExec, a Golang-based tool to execute commands on other connected remote endpoints in the victim’s network
Rubeus, a C#-based toolset for interacting with Kerberos
Certipy, a tool for Active Directory enumeration and exploitation
Researchers Asheer Malhotra, Vitor Ventura, and Brandon White said, “UAT-8837 may execute a series of commands during a compromise to obtain credentials and other sensitive information from victim organizations.”
“For one victim organization, UAT-8837 exposed DLL-based shared libraries associated with the victim’s products, increasing the likelihood that these libraries will be trojanized in the future. This creates opportunities for supply chain compromise and reverse engineering to find vulnerabilities in those products.”
This disclosure comes a week after Talos determined that another China-linked threat actor, known as UAT-7290, used a family of malware including RushDrop, DriveSwitch, and SilentRaid to infiltrate organizations in South Asia and Southeast Europe for espionage purposes.

In recent years, Western governments have issued several warnings over concerns that Chinese threat actors are targeting critical infrastructure. Earlier this week, cybersecurity and intelligence agencies in Australia, Germany, the Netherlands, New Zealand, the United Kingdom and the United States warned of growing threats to operational technology (OT) environments.
The guidance provides a framework for designing, securing, and managing OT system connections and requires organizations to limit exposure, centralize and standardize network connections, use secure protocols, harden OT boundaries, ensure all connections are monitored and logged, and avoid using outdated assets that can increase the risk of security incidents.
“Exposed insecure OT connections are known to be targeted by both opportunistic and highly capable attackers,” the agencies said. “This activity involves state-sponsored actors actively targeting national critical infrastructure (CNI) networks. The threat is not limited to state-sponsored actors, and recent incidents demonstrate how exposed OT infrastructure is being opportunistically targeted by hacktivists.”
