China-Linked APT Exploits Sitecore Zero-Day in Critical Infrastructure Attacks

A threat actor assessed to be linked with China has been observed conducting cyber intrusions against critical infrastructure organizations in North America since at least last year. The activity was identified by Cisco Talos, which is tracking the campaign under the designation UAT-8837.

Based on tactical similarities with previously documented operations, Talos assessed with medium confidence that the activity is associated with a China-nexus advanced persistent threat group. Researchers noted that the actor appears to focus on gaining initial access to high-value targets, particularly organizations operating critical services.

Initial Access and Attack Strategy

Cisco Talos stated that UAT-8837 commonly gains initial access by exploiting vulnerable internet-facing servers or by abusing compromised credentials. Once inside a network, the threat actor deploys a collection of open-source tools to gather sensitive data, including credentials, security configurations, and Active Directory details.

This approach allows the attacker to establish multiple access paths within victim environments, increasing persistence and resilience against detection or remediation efforts.

Exploitation of Sitecore Zero-Day

The most recent intrusions attributed to UAT-8837 involved exploitation of a critical Sitecore vulnerability tracked as CVE-2025-53690, which carries a CVSS score of 9.0. The flaw was used as a zero-day to gain initial access before Sitecore released patches in September 2025.

Cisco Talos noted that the intrusion shared tools, techniques, and infrastructure similarities with a campaign previously documented by Google-owned Mandiant. While attribution between the two activity clusters remains unconfirmed, the overlap suggests access to advanced exploitation capabilities, including zero-day vulnerabilities.

Post-Compromise Activity

After establishing a foothold, the attacker performs reconnaissance across the compromised environment. One notable step includes disabling RestrictedAdmin for Remote Desktop Protocol, a security feature designed to protect credentials during remote sessions.

The threat actor then initiates hands-on-keyboard activity through cmd.exe and deploys multiple post-exploitation tools to expand control and collect intelligence.
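The two behaviours just described, a write to the RDP RestrictedAdmin setting and a shell launched from a web-facing process, are both visible in endpoint telemetry. The following is an added detection example written for this article, not code from Cisco Talos or from the Sitecore project. It runs over constructed Sysmon-style records (Event ID 13 for registry value writes, Event ID 1 for process creation); the assumption that Sitecore's worker process is IIS's w3wp.exe, and the set of shell binaries to watch, are mine.

```python
"""Detection checks for a DisableRestrictedAdmin registry write and for a shell
spawned by a web worker process. Added example, not Cisco Talos code; the events
below are constructed Sysmon-style records, not real telemetry."""

# Registry value controlling RDP Restricted Admin mode (a real Windows value).
# Any write to it, in either direction, deserves an alert on a CMS host.
RESTRICTED_ADMIN_VALUE = (
    r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"
)

# Assumption: Sitecore runs on IIS, so its worker process is w3wp.exe. The set of
# shells is also an assumption; extend it to match local tooling.
WEB_WORKER_PROCESSES = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_registry_event(event: dict):
    """Sysmon Event ID 13 (registry value set): flag any write to DisableRestrictedAdmin."""
    if event.get("EventID") != 13:
        return None
    if event.get("TargetObject", "").lower() != RESTRICTED_ADMIN_VALUE.lower():
        return None
    return {
        "rule": "rdp-restricted-admin-modified",
        "computer": event.get("Computer"),
        "image": event.get("Image"),
        "new_value": event.get("Details"),
    }


def check_process_event(event: dict):
    """Sysmon Event ID 1 (process create): flag a shell whose parent is a web worker."""
    if event.get("EventID") != 1:
        return None
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent in WEB_WORKER_PROCESSES and child in SHELLS:
        return {
            "rule": "web-worker-spawned-shell",
            "computer": event.get("Computer"),
            "parent": parent,
            "command_line": event.get("CommandLine"),
        }
    return None


def detect(events):
    """Run every check over a list of events and return the alerts raised, in order."""
    alerts = []
    for event in events:
        for check in (check_registry_event, check_process_event):
            alert = check(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: a benign process start, a shell spawned by
# w3wp.exe, a benign registry write, and a write to DisableRestrictedAdmin.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "cms01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Computer": "cms01",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 13, "Computer": "cms01", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type",
     "Details": "NTP"},
    {"EventID": 13, "Computer": "cms01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": RESTRICTED_ADMIN_VALUE, "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both checks deliberately alert on the registry write regardless of the value written: a defender wants to review any change to that setting, and the `Details` field carries the new value for triage. In production the same logic would sit behind a SIEM rule keyed on the same two event IDs rather than a Python loop.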

Tools Used in the Campaign

Cisco Talos identified a broad toolkit used by UAT-8837 during intrusions, including:

  • GoTokenTheft to steal access tokens
  • EarthWorm to establish reverse tunnels using SOCKS
  • DWAgent for persistent remote access and Active Directory reconnaissance
  • SharpHound to collect Active Directory relationship data
  • Impacket to execute commands with elevated privileges
  • GoExec to run commands on connected systems within the network
  • Rubeus for Kerberos interaction and abuse
  • Certipy for Active Directory discovery and certificate abuse

Researchers observed the actor executing commands specifically designed to harvest credentials and other sensitive organizational data.

Supply Chain Risks Identified

In at least one incident, UAT-8837 exfiltrated DLL-based shared libraries associated with the victim's proprietary products. Security analysts warned that these files could later be weaponized, either through trojanization or reverse engineering, creating a potential pathway for future supply chain attacks.
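One control against the trojanization risk described above is an integrity manifest for the libraries a vendor ships, so that a release directory can be checked against a known-good baseline before distribution or after an incident. The following is an added example written for this article, not code from Cisco Talos or from any affected vendor; the directory layout and file contents are constructed for the demonstration.

```python
"""SHA-256 integrity manifest for shipped shared libraries. Added example, not
vendor code: it builds a baseline of a release tree and reports files that were
modified, added or removed relative to it. Sample files are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large libraries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str, suffixes=(".dll",)) -> dict:
    """Map each matching file (path relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def verify_against(manifest: dict, root: str, suffixes=(".dll",)) -> dict:
    """Compare the current tree with a stored manifest and classify every difference."""
    current = build_manifest(root, suffixes)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict:
    """Build a baseline, tamper with the tree, and return the verification result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        # Constructed release tree: two libraries and one non-library file.
        files = {
            "bin/Product.Core.dll": b"MZ\x90\x00constructed-core",
            "bin/Product.Api.dll": b"MZ\x90\x00constructed-api",
            "bin/readme.txt": b"not a library",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_manifest(root)

        # Simulate tampering: append bytes to one library, drop in a new one,
        # and remove another.
        with open(os.path.join(root, "bin/Product.Core.dll"), "ab") as f:
            f.write(b"\x90" * 16)
        with open(os.path.join(root, "bin/Product.Extra.dll"), "wb") as f:
            f.write(b"MZ\x90\x00constructed-extra")
        os.remove(os.path.join(root, "bin/Product.Api.dll"))
        return verify_against(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its storage: keep it outside the release tree and sign it (or rely on Authenticode signatures on the binaries themselves) so that an attacker who can rewrite a DLL cannot also rewrite the baseline it is checked against.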

Broader Context and Government Warnings

This disclosure follows recent attribution of another China-linked actor, UAT-7290, to espionage-focused campaigns in South Asia and Southeastern Europe. Growing concern over Chinese cyber operations targeting critical infrastructure has led multiple Western governments to issue coordinated warnings.

Cybersecurity and intelligence agencies from Australia, Germany, the Netherlands, New Zealand, the United Kingdom, and the United States recently released guidance highlighting the risks to operational technology environments.

The advisory urges organizations to reduce exposure, centralize network connectivity, enforce secure protocols, strengthen OT boundaries, monitor all connections, and retire obsolete systems that increase risk.

Agencies warned that exposed OT environments are actively targeted by both state-sponsored actors and opportunistic groups, including hacktivists.
