- Cisco Talos links a China-aligned actor, tracked as UAT-8837, to intrusions against North American critical infrastructure.
- The actor exploited a critical zero-day in Sitecore (CVE-2025-53690, CVSS 9.0) to gain initial access.
- After compromise, the actor uses open-source tools to harvest credentials and AD data and to establish persistent access.
Cisco Talos researchers reported that a China-nexus advanced persistent threat tracked as UAT-8837 has targeted critical infrastructure in North America since at least last year, aiming to gain access to high-value organizations, as detailed in their blog post (reported). The group most recently exploited a critical zero-day in Sitecore (CVE-2025-53690, CVSS 9.0) to obtain initial access.
Talos assessed with medium confidence that the actor aligns with China-based threat clusters and concluded the intrusions show similar tactics and infrastructure to prior campaigns (read more). "After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their victims."
Once inside, the group disables RestrictedAdmin for Remote Desktop Protocol, a Microsoft security feature (Remote Credential Guard), and runs interactive commands via cmd.exe. Observed tools and utilities downloaded by the actor include GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy.
Researchers noted targeted commands to extract credentials and environment data. "UAT-8837 may run a series of commands during the intrusion to obtain sensitive information, such as credentials from victim organizations," they said. "In one victim organization, UAT-8837 exfiltrated DLL-based shared libraries related to the victim’s products, raising the possibility that these libraries may be trojanized in the future. This creates opportunities for supply chain compromises and reverse engineering to find vulnerabilities in those products."
The disclosure follows other Talos reports and comes as multiple national agencies, coordinated through guidance from CISA and partners, warned about threats to operational technology and exposed OT connectivity (see notice).
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Gold Could Soar to $8,000 by 2026 Amid Central-Bank Buying!!
- Political Liquidity and Quasi-QE Redefine Bitcoin Cycle Now!
- Crypto Whale Predicts 2026 Bull Run; Russell 2000 Rallies!!!
- Ethereum activity retention doubles as daily tx hit records.
- BlackRock Raises Dividend, Boosts Buybacks as Q4 Beats +BTC!
