A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year.
Cisco Talos, which is tracking the activity under the name UAT-8837, assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region.
The cybersecurity company noted that the threat actor is “primarily tasked with obtaining initial access to high-value organizations,” based on the tactics, techniques, and procedures (TTPs) and post-compromise activity observed.
“After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their victims,” it added.
UAT-8837 is said to have most recently exploited a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS score: 9.0) to obtain initial access, with the intrusion sharing TTP, tooling, and infrastructure similarities with a campaign detailed by Google-owned Mandiant in September 2025. SiteCore released fixes for the flaw early that month.
While it’s not clear if these two clusters are the work of the same actor, it suggests that UAT-8837 may have access to zero-day exploits to conduct cyber attacks.
Once the adversary obtains a foothold in target networks, it conducts preliminary reconnaissance, followed by disabling RestrictedAdmin for Remote Desktop Protocol (RDP), a security feature that ensures credentials and other user resources aren’t exposed to compromised remote hosts.
UAT-8837 is also said to open “cmd.exe” to conduct hands-on keyboard activity on the infected host and download several artifacts to enable post-exploitation. Some of the notable tools include –
- GoTokenTheft, to steal access tokens
- EarthWorm, to create a reverse tunnel to attacker-controlled servers using SOCKS
- DWAgent, to enable persistent remote access and Active Directory reconnaissance
- SharpHound, to collect Active Directory information
- Impacket, to run commands with elevated privileges
- GoExec, a Golang-based tool to execute commands on other connected remote endpoints within the victim’s network
- Rubeus, a C# based toolset for Kerberos interaction and abuse
- Certipy, a tool for Active Directory discovery and abuse
“UAT-8837 may run a series of commands during the intrusion to obtain sensitive information, such as credentials from victim organizations,” researchers Asheer Malhotra, Vitor Ventura, and Brandon White said.
“In one victim organization, UAT-8837 exfiltrated DLL-based shared libraries related to the victim’s products, raising the possibility that these libraries may be trojanized in the future. This creates opportunities for supply chain compromises and reverse engineering to find vulnerabilities in those products.”
The disclosure comes a week after Talos attributed another China-nexus threat actor known as UAT-7290 to espionage-focused intrusions against entities in South Asia and Southeastern Europe using malware families such as RushDrop, DriveSwitch, and SilentRaid.
In recent years, concerns about Chinese threat actors targeting critical infrastructure have prompted Western governments to issue several alerts. Earlier this week, cybersecurity and intelligence agencies from Australia, Germany, the Netherlands, New Zealand, the U.K., and the U.S. warned about the growing threats to operational technology (OT) environments.
The guidance offers a framework to design, secure, and manage connectivity in OT systems, urging organizations to limit exposure, centralize and standardize network connections, use secure protocols, harden OT boundary, ensure all connectivity is monitored and logged, and avoid using obsolete assets that could heighten the risk of security incidents.
“Exposed and insecure OT connectivity is known to be targeted by both opportunistic and highly capable actors,” the agencies said. “This activity includes state-sponsored actors actively targeting critical national infrastructure (CNI) networks. The threat is not just limited to state-sponsored actors with recent incidents showing how exposed OT infrastructure is opportunistically targeted by hacktivists.”
(The story was updated after publication to emphasize that the vulnerability is not new and that it was patched by SiteCore in September 2025.)
