Cisco Talos reveals China-nexus threat actor deploying zero-day exploits and advanced toolkit in targeted attacks on high-value organizations
In a stark warning to critical infrastructure operators across North America, Cisco Talos has unveiled details of an ongoing espionage campaign orchestrated by UAT-8837, a sophisticated China-nexus advanced persistent threat (APT) actor that has been systematically targeting high-value organizations since at least 2025. The campaign represents yet another escalation in state-sponsored cyber operations against the continent’s most critical assets.
The Threat Actor: UAT-8837
Cisco Talos assesses with medium confidence that UAT-8837 operates as part of China’s broader cyber espionage apparatus, drawing this conclusion from tactical overlaps with known Chinese threat actors. The group’s operational focus appears singular: establishing initial access to high-value organizations within North America’s critical infrastructure sectors.
What distinguishes UAT-8837 from many threat actors is their apparent specialization in the initial access phase of cyber intrusions. Based on post-compromise activity observed across multiple breaches, researchers believe the group may function as an access broker, establishing footholds that enable broader espionage operations by other Chinese state-sponsored teams.
The targeting pattern, while appearing sporadic at first glance, reveals a deliberate focus on critical infrastructure organizations that underpin North American economic and security interests.
Exploiting Zero-Day Vulnerabilities
The most concerning aspect of the UAT-8837 campaign is the threat actor’s demonstrated access to zero-day exploits. Most recently, the group leveraged CVE-2025-53690, a critical ViewState deserialization vulnerability in Sitecore products, to breach victim organizations.
CVE-2025-53690: A Supply Chain Time Bomb
The Sitecore vulnerability carries a CVSS score of 9.0 and stems from a particularly insidious source: sample ASP.NET machine keys published in official deployment documentation prior to 2017. Organizations that followed these early deployment guides inadvertently introduced a severe security flaw into their production environments.
The vulnerability affects multiple Sitecore products:
- Sitecore Experience Manager (XM)
- Sitecore Experience Platform (XP)
- Sitecore Experience Commerce (XC)
- Sitecore Managed Cloud deployments
When attackers possess the exposed machine key, they can craft malicious ViewState payloads that bypass validation mechanisms, leading to remote code execution with system-level privileges. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53690 to its Known Exploited Vulnerabilities catalog in September 2025, mandating federal civilian agencies patch the flaw by September 25.
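The check an ASP.NET operator wants at this point is whether the machineKey in production was generated for that deployment or copied from documentation. The Python audit below is an added example for this write-up, not code from Cisco Talos, Sitecore or Mandiant. It walks a set of web.config files, flags static keys that match a list of known-published sample keys (the KNOWN_SAMPLE_KEYS entries are labelled placeholders to be filled from the vendor advisory), flags non-hexadecimal or short keys and legacy validation algorithms, and reports when two different applications share a key. The configurations it runs over are constructed.

```python
"""Audit ASP.NET web.config files for machineKey problems of the kind behind CVE-2025-53690.

Added example for this write-up; not code from Cisco Talos, Sitecore or Mandiant.
The configs below are constructed. KNOWN_SAMPLE_KEYS holds placeholder strings only:
populate it from the vendor advisory, never from this file.
"""
import re
import xml.etree.ElementTree as ET

# Placeholder values, not the real documentation keys.
KNOWN_SAMPLE_KEYS = {
    "PLACEHOLDER-VALIDATIONKEY-FROM-PRE-2017-DOCS",
    "PLACEHOLDER-DECRYPTIONKEY-FROM-PRE-2017-DOCS",
}
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
LEGACY_VALIDATION = {"MD5", "SHA1"}


def _is_static(value):
    """A key is static unless ASP.NET is told to generate it (e.g. 'AutoGenerate,IsolateApps')."""
    return bool(value) and "AutoGenerate" not in value


def audit_machine_key(app_name, config_xml):
    """Return (severity, message) findings for one application's web.config."""
    findings = []
    elements = list(ET.fromstring(config_xml).iter("machineKey"))
    if not elements:
        findings.append(("INFO", f"{app_name}: no <machineKey>; keys are auto-generated per server"))
        return findings
    for mk in elements:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            if not _is_static(value):
                continue
            if value.upper() in KNOWN_SAMPLE_KEYS:
                findings.append(("CRITICAL", f"{app_name}: {attr} is a published sample key; rotate it and hunt for ViewState abuse"))
            elif not HEX_RE.fullmatch(value):
                findings.append(("HIGH", f"{app_name}: {attr} is not hexadecimal; it looks hand-typed or copied from text"))
            elif attr == "validationKey" and len(value) < 128:
                findings.append(("MEDIUM", f"{app_name}: validationKey is {len(value)} hex chars; 128 is recommended for HMACSHA256"))
            else:
                findings.append(("INFO", f"{app_name}: {attr} is static; confirm it was generated for this deployment"))
        alg = mk.get("validation", "")
        if alg.upper() in LEGACY_VALIDATION:
            findings.append(("MEDIUM", f"{app_name}: validation={alg}; use HMACSHA256 or stronger"))
    return findings


def audit_deployment(configs):
    """configs: {app_name: web.config text}. Adds a finding when two applications share a static key."""
    findings, seen = [], {}
    for name, xml_text in configs.items():
        findings.extend(audit_machine_key(name, xml_text))
        for mk in ET.fromstring(xml_text).iter("machineKey"):
            for attr in ("validationKey", "decryptionKey"):
                value = mk.get(attr, "")
                if _is_static(value):
                    seen.setdefault((attr, value.upper()), []).append(name)
    for (attr, _), apps in seen.items():
        if len(apps) > 1:
            findings.append(("HIGH", f"{attr} shared by {', '.join(sorted(apps))}; disclosure of one site's key exposes all of them"))
    return findings


# Constructed keys for the sample: 128 and 64 hex characters, obviously patterned.
UNIQUE_VALIDATION_KEY = "0123456789ABCDEF" * 8
UNIQUE_DECRYPTION_KEY = "0123456789ABCDEF" * 4

# Constructed web.config fragments: one copied from documentation, one default, two sharing a key.
SAMPLE_CONFIGS = {
    "sitecore-cm": """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER-VALIDATIONKEY-FROM-PRE-2017-DOCS"
              decryptionKey="PLACEHOLDER-DECRYPTIONKEY-FROM-PRE-2017-DOCS"
              validation="SHA1" decryption="AES" /></system.web></configuration>""",
    "intranet-default": "<configuration><system.web /></configuration>",
    "portal": f"""<configuration><system.web><machineKey validationKey="{UNIQUE_VALIDATION_KEY}"
              decryptionKey="{UNIQUE_DECRYPTION_KEY}" validation="HMACSHA256" decryption="AES" /></system.web></configuration>""",
    "hr-app": f"""<configuration><system.web><machineKey validationKey="{UNIQUE_VALIDATION_KEY}"
              decryptionKey="{UNIQUE_DECRYPTION_KEY}" validation="HMACSHA256" decryption="AES" /></system.web></configuration>""",
}

if __name__ == "__main__":
    for severity, message in audit_deployment(SAMPLE_CONFIGS):
        print(f"{severity:8} {message}")
```

A static key is not itself a fault: every node of one web farm must share it. The point is provenance. A key that appears in public documentation is effectively public, which is what turned a configuration setting into a remote code execution path.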
The tactical overlap between UAT-8837’s exploitation of this zero-day and a campaign documented by Google’s Mandiant team suggests a coordinated approach to vulnerability weaponization within Chinese intelligence services.
A Swiss Army Knife of Post-Compromise Tools
Following initial access, UAT-8837 demonstrates remarkable operational flexibility, deploying an extensive arsenal of both open-source and custom tools. The threat actor’s toolkit reveals a sophisticated understanding of detection evasion and lateral movement techniques.
Network Tunneling and Remote Access
Earthworm serves as UAT-8837’s primary network tunneling solution. This tool, extensively used by Chinese-speaking threat actors, allows attackers to expose internal network endpoints to external infrastructure. Cisco Talos observed the threat actor deploying multiple versions of Earthworm, cycling through variants to identify which ones evade endpoint protection products. The undetected version is then used to establish reverse tunnels to attacker-controlled servers across various ports (80, 443, 447, 448, 1433, 8888, 11112).
DWAgent, an open-source remote administration tool, provides persistent access to compromised systems. UAT-8837 leverages this legitimate software for sustained remote access and additional malware deployment, making detection more challenging as the tool itself is not inherently malicious.
Active Directory Reconnaissance
UAT-8837 demonstrates sophisticated Active Directory (AD) targeting capabilities through multiple tools:
SharpHound enables comprehensive AD enumeration, mapping domain relationships, permissions, and potential attack paths. This BloodHound collector provides threat actors with a complete picture of domain architecture.
Certipy facilitates both AD discovery and abuse, allowing attackers to identify misconfigurations in Active Directory Certificate Services (ADCS) that can be exploited for privilege escalation and persistence.
The threat actor also deploys native Windows utilities like dsquery and dsget for targeted AD reconnaissance, demonstrating a “living off the land” approach that reduces detection risk.
Credential Theft and Token Manipulation
GoTokenTheft, a Golang-based utility, enables UAT-8837 to steal access tokens and execute commands with elevated privileges. The tool exemplifies the group’s preference for Golang-developed tools, likely due to their cross-platform compatibility and difficulty in reverse engineering.
Rubeus, a C# toolset for Kerberos abuse, allows the threat actor to request and manipulate Kerberos tickets, enabling credential theft and golden ticket attacks.
Lateral Movement Tools
GoExec, another Golang-based tool, facilitates remote code execution on other network endpoints. Cisco Talos observed UAT-8837 using this tool via WMI and DCOM for lateral movement across victim networks.
Impacket, though frequently detected and blocked by endpoint security products, remains part of the threat actor’s arsenal. When detected, UAT-8837 pivots to alternatives like Invoke-WMIExec, demonstrating operational flexibility.
Tactical Sophistication: Evasion and Persistence
UAT-8837’s operational tradecraft reveals several sophisticated techniques:
Detection Evasion
The threat actor’s most notable evasion technique involves cycling through multiple tool variants. When security products detect and block a specific version of Earthworm or Impacket, UAT-8837 immediately deploys alternative versions, continuing this process until finding an undetected variant. This approach suggests either extensive tool repositories or rapid capability development.
RDP Manipulation
UAT-8837 consistently disables RestrictedAdmin for Remote Desktop Protocol, a security feature designed to prevent credential exposure during remote sessions. This registry modification enables credential harvesting during RDP sessions:
REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
Staging Directories
The threat actor favors specific directories for staging artifacts:
- C:\Users\<user>\Desktop\
- C:\windows\temp\
- C:\windows\public\music
- C:\users\public\videos
These locations, particularly the public directories, provide accessible staging areas that don’t require elevated privileges.
Supply Chain Reconnaissance
In a particularly concerning observation, Cisco Talos noted that UAT-8837 exfiltrated DLL-based shared libraries related to victim organization products. This activity raises the possibility of future supply chain compromises through trojanized libraries or reverse engineering to identify product vulnerabilities.
Hands-On Keyboard Operations
UAT-8837’s post-compromise activity demonstrates methodical reconnaissance and privilege escalation:
Preliminary Reconnaissance
The threat actor begins with basic system enumeration:
ping google.com
tasklist /svc
netstat -aon -p TCP
whoami
quser
hostname
net user
Security Configuration Extraction
UAT-8837 uses secedit to export Windows local security policies, including password policies, user rights, and audit settings. This information enables threat actors to understand the security posture and identify weaknesses:
secedit /export /cfg C:\windows\temp\pol.txt
Credential Harvesting
The threat actor searches for Group Policy Preferences (GPP) passwords:
findstr /S /l cpassword [\\]\policies\*.xml
Domain Reconnaissance
Extensive domain enumeration follows initial access:
net group domain admins /domain
net localgroup administrators /domain
net user <user> /domain
net accounts /domain
nltest /DCLIST:<domain>
setspn -Q */*
Persistence Through User Accounts
UAT-8837 establishes persistence by creating backdoor accounts or adding existing accounts to privileged groups:
net user <user> <password> /add /domain
net localgroup <group> <user> /add
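Taken together, the commands in the RDP Manipulation section and the hands-on-keyboard sequence above describe a detectable chain. The Python below is an added example for this write-up, not code from Cisco Talos: it runs over a constructed, pipe-delimited export of process-creation events (the shape you get from Sysmon Event ID 1 or Windows Event 4688), fires immediately on the rare, high-fidelity commands (secedit /export, the cpassword search, setspn -Q */*, nltest /dclist, account and group additions, the DisableRestrictedAdmin registry write), treats the noisy enumeration commands as a burst only when several distinct ones cluster on one host inside a ten-minute window, and flags any command spawned by the IIS worker process w3wp.exe, which is where post-exploitation of a Sitecore host would originate. One point worth knowing when tuning the registry rule: the value is named DisableRestrictedAdmin, so writing 0 to it turns Restricted Admin mode on rather than off; the useful signal is any change to that value on a host where it was never configured. Host names, users, the domain and the password in the sample are constructed.

```python
"""Flag UAT-8837-style hands-on-keyboard activity in process-creation telemetry.

Added example for this write-up, not code from Cisco Talos. The input is a constructed,
pipe-delimited export (timestamp|host|user|parent image|command line) of the kind
produced from Sysmon Event ID 1 or Windows Event 4688.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands listed in the report that administrators rarely run in exactly this form.
HIGH_FIDELITY = [
    (re.compile(r"\bsecedit\b.*\s/export\b", re.I), "local security policy export"),
    (re.compile(r"\bfindstr\b.*\bcpassword\b", re.I), "search for GPP cpassword values"),
    (re.compile(r"\bsetspn\b.*\s-Q\s+\*/\*", re.I), "domain-wide SPN enumeration"),
    (re.compile(r"\bnltest\b.*\s/dclist", re.I), "domain controller enumeration"),
    (re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b", re.I), "user account creation"),
    (re.compile(r"\bnet\s+(localgroup|group)\s+.*\s/add\b", re.I), "group membership change"),
    (re.compile(r"\breg\s+add\b.*\\Lsa\b.*DisableRestrictedAdmin", re.I),
     "RDP Restricted Admin setting modified"),
]

# Individually noisy enumeration commands; alert only when several distinct ones cluster.
RECON = {
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "quser": re.compile(r"\bquser\b", re.I),
    "hostname": re.compile(r"\bhostname\b", re.I),
    "tasklist": re.compile(r"\btasklist\b", re.I),
    "netstat": re.compile(r"\bnetstat\b", re.I),
    "net user": re.compile(r"\bnet\s+user\b", re.I),
    "net group": re.compile(r"\bnet\s+(local)?group\b", re.I),
    "net accounts": re.compile(r"\bnet\s+accounts\b", re.I),
    "ping": re.compile(r"\bping\b", re.I),
}


def parse(line):
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "user": user, "parent": parent, "cmd": cmd}


def detect(lines, window=timedelta(minutes=10), burst_threshold=4):
    """Return alerts: high-fidelity commands, one recon burst per host, one IIS-spawned shell per host."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts, recent, reported = [], defaultdict(list), set()

    def alert(ev, severity, reason):
        alerts.append({"host": ev["host"], "user": ev["user"], "severity": severity,
                       "reason": reason, "cmd": ev["cmd"]})

    for ev in events:
        from_iis = ev["parent"].lower() == "w3wp.exe"
        for pattern, reason in HIGH_FIDELITY:
            if pattern.search(ev["cmd"]):
                alert(ev, "HIGH", reason)
        for label, pattern in RECON.items():
            if pattern.search(ev["cmd"]):
                # Keep only this host's recon commands still inside the sliding window.
                hist = [(t, l) for t, l in recent[ev["host"]] if ev["ts"] - t <= window]
                hist.append((ev["ts"], label))
                recent[ev["host"]] = hist
                distinct = sorted({l for _, l in hist})
                if len(distinct) >= burst_threshold and (ev["host"], "burst") not in reported:
                    reported.add((ev["host"], "burst"))
                    alert(ev, "HIGH" if from_iis else "MEDIUM", "reconnaissance burst: " + ", ".join(distinct))
                break
        if from_iis and (ev["host"], "iis") not in reported:
            reported.add((ev["host"], "iis"))
            alert(ev, "HIGH", "command executed under IIS worker process w3wp.exe")
    return alerts


# Constructed events: SRV-WEB01 is a Sitecore host after exploitation; WS-042 is an admin workstation.
SAMPLE_LOG = r"""
2025-12-03T09:14:02Z|SRV-WEB01|IIS APPPOOL\Sitecore|w3wp.exe|whoami
2025-12-03T09:14:10Z|SRV-WEB01|IIS APPPOOL\Sitecore|w3wp.exe|quser
2025-12-03T09:14:15Z|SRV-WEB01|IIS APPPOOL\Sitecore|w3wp.exe|hostname
2025-12-03T09:14:40Z|SRV-WEB01|IIS APPPOOL\Sitecore|w3wp.exe|tasklist /svc
2025-12-03T09:15:01Z|SRV-WEB01|IIS APPPOOL\Sitecore|w3wp.exe|netstat -aon -p TCP
2025-12-03T09:16:30Z|SRV-WEB01|IIS APPPOOL\Sitecore|w3wp.exe|secedit /export /cfg C:\windows\temp\pol.txt
2025-12-03T09:18:12Z|SRV-WEB01|IIS APPPOOL\Sitecore|w3wp.exe|findstr /S /l cpassword \\corp.example\sysvol\corp.example\policies\*.xml
2025-12-03T09:21:05Z|SRV-WEB01|IIS APPPOOL\Sitecore|w3wp.exe|setspn -Q */*
2025-12-03T09:30:47Z|SRV-WEB01|IIS APPPOOL\Sitecore|w3wp.exe|REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
2025-12-03T09:35:22Z|SRV-WEB01|IIS APPPOOL\Sitecore|w3wp.exe|net user svc_backup Constructed-Passw0rd /add /domain
2025-12-03T09:35:40Z|SRV-WEB01|IIS APPPOOL\Sitecore|w3wp.exe|net localgroup administrators svc_backup /add
2025-12-03T09:20:00Z|WS-042|CORP\jdoe|explorer.exe|whoami
2025-12-03T09:20:05Z|WS-042|CORP\jdoe|explorer.exe|hostname
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.strip().splitlines()):
        print(f"{a['severity']:7} {a['host']:10} {a['reason']}: {a['cmd']}")
```

The admin on WS-042 running whoami and hostname produces nothing; the web server produces a burst alert on the fourth distinct enumeration command and a separate alert for each high-fidelity action, so an analyst sees the chain rather than a pile of low-value hits.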
The Broader Context: Salt Typhoon and Congressional Targeting
The UAT-8837 campaign doesn’t exist in isolation. Recent months have seen escalating Chinese cyber operations against North American targets, most notably the Salt Typhoon campaign that has expanded beyond telecom to target critical US data infrastructure.
Salt Typhoon’s Congressional Breach
In December 2025, the same month UAT-8837 intrusions were detected, the Salt Typhoon threat actor successfully breached email systems used by congressional staffers on sensitive House committees, including:
- House China Committee
- Foreign Affairs Committee
- Intelligence Committee
- Armed Services Committee
While it remains unclear whether the email contents were accessed, the targeting of these specific committees reveals strategic intelligence gathering focused on U.S. China policy, military affairs, and intelligence operations. Previous Salt Typhoon operations also compromised U.S. Army National Guard networks for nine months in 2024, stealing network configuration files and administrator credentials.
Salt Typhoon, believed to be operated by China’s Ministry of State Security, previously infiltrated at least nine major U.S. telecommunications companies, including AT&T, Verizon, and T-Mobile. The campaign accessed systems used for court-authorized wiretapping under CALEA, potentially compromising metadata from over one million users, particularly concentrated in the Washington, D.C. area.
Senate Intelligence Committee Chairman Mark Warner characterized Salt Typhoon as “the worst telecom hack in our nation’s history.”
Coordinated State-Sponsored Operations
The temporal overlap and tactical similarities between UAT-8837 and Salt Typhoon suggest coordinated operations within China’s Ministry of State Security cyber espionage apparatus. Both campaigns demonstrate:
- Focus on high-value U.S. targets
- Long-term persistent access objectives
- Sophisticated evasion techniques
- Strategic intelligence collection goals
As detailed in our analysis of Chinese state-sponsored campaigns targeting global network infrastructure, these operations represent coordinated efforts involving multiple APT groups with distinct but complementary missions.
Western Response: New OT Security Guidance
Recognizing the escalating threat to critical infrastructure, cybersecurity agencies from the United States, United Kingdom, Australia, Canada, Germany, the Netherlands, and New Zealand jointly released new guidance on January 15, 2026, addressing the security of operational technology (OT) environments.
The guidance, “Secure Connectivity Principles for Operational Technology,” emphasizes that “exposed and insecure OT connectivity is known to be targeted by both opportunistic and highly capable actors.” It cites previous advisories on China state-sponsored cyber activity and pro-Russia hacktivist attacks against global critical infrastructure.
The document outlines eight key security principles for OT environments:
- Network segmentation to isolate critical systems
- Strong authentication mechanisms
- Continuous monitoring and logging
- Minimizing remote access pathways
- Secure configuration management
- Regular security assessments
- Incident response planning
- Supply chain security measures
Brett Leatherman, assistant director of the FBI’s cyber division, emphasized the stakes: “In Operational Technology (OT) environments, the consequences of a cybersecurity attack go far beyond data theft. Disruption here can impact safety and national security.”
Defensive Recommendations
Organizations, particularly those in critical infrastructure sectors, should implement the following defensive measures:
Immediate Actions
- Patch CVE-2025-53690: If running any Sitecore products, immediately verify machine key configurations and apply vendor patches
- Hunt for IOCs: Scan for the indicators of compromise published by Cisco Talos (available on their GitHub repository)
- Review ViewState implementations: Audit all ASP.NET applications for ViewState security configurations
- Enable RestrictedAdmin: Ensure RDP RestrictedAdmin mode is properly configured
Strategic Defenses
- Network Segmentation: Implement robust segmentation between IT and OT networks, with carefully controlled access points
- EDR Deployment: Deploy comprehensive endpoint detection and response solutions that can identify tool cycling behavior
- Active Directory Hardening:
  - Implement ADCS security best practices
  - Monitor for suspicious SPNs and Kerberos requests
  - Deploy LAPS for local administrator password management
- Behavioral Analytics: Implement User and Entity Behavior Analytics (UEBA) to detect anomalous lateral movement patterns
- Logging and Monitoring:
  - Enable comprehensive PowerShell script block logging
  - Monitor for unusual process execution from staging directories
  - Alert on registry modifications to RDP settings
Detection Opportunities
Several UAT-8837 techniques present detection opportunities:
Process Execution Patterns: Monitor for:
- Golang executables with suspicious names (*.ico files)
- Command-line patterns matching Earthworm, GoExec
- Successive execution of similar tools (tool cycling)
Network Indicators: Watch for:
- Unusual outbound connections on non-standard ports
- Reverse tunneling traffic patterns
- Connections to known malicious infrastructure
Active Directory Activity: Alert on:
- Unusual dsquery/dsget usage
- SPN enumeration (setspn -Q)
- Abnormal Kerberos ticket requests
- Unexpected user account creation
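The network indicators above become concrete when the Earthworm port list, the staging directories and the published infrastructure are combined in one scoring rule. The Python below is an added example for this write-up, not code from Cisco Talos: it runs over a constructed, pipe-delimited export of outbound connections (process image, destination, port and flow duration, the shape of a Sysmon Event ID 3 record joined with NetFlow or firewall duration), re-fangs the defanged addresses exactly as printed in the IOC list further down the page, and ranks each connection by the strongest rule it matches. The host names, paths and the 203.0.113.x and 198.51.100.x destinations in the sample are constructed; the internal-address list is RFC 1918 plus loopback and link-local and should be extended with an organisation's own public ranges.

```python
"""Score outbound connections for UAT-8837 tunnelling and staging-directory indicators.

Added example for this write-up, not code from Cisco Talos. Input is a constructed,
pipe-delimited export (timestamp|host|process image|destination ip|port|duration seconds).
"""
import ipaddress
import re

# Infrastructure indicators exactly as defanged in the report's IOC list.
IOC_INFRA_DEFANGED = [
    "74[.]176[.]166[.]174", "20[.]200[.]129[.]75", "172[.]188[.]162[.]183",
    "4[.]144[.]1[.]47", "103[.]235[.]46[.]102",
]
# Ports on which Talos observed Earthworm reverse tunnels.
EARTHWORM_PORTS = {80, 443, 447, 448, 1433, 8888, 11112}
# Staging directories named in the report, with <user> generalised to any profile.
STAGING_DIR_RE = re.compile(
    r"^c:\\(windows\\temp|windows\\public|users\\public|users\\[^\\]+\\desktop)\\", re.I)
# Address space treated as internal; extend with your own public ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def refang(indicator):
    """Turn the report's defanged form (74[.]176[.]166[.]174) back into a comparable string."""
    return indicator.replace("[.]", ".")


IOC_INFRA = {refang(i) for i in IOC_INFRA_DEFANGED}


def is_external(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def parse(line):
    ts, host, image, dst_ip, dst_port, duration = line.split("|")
    return {"ts": ts, "host": host, "image": image, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "duration_s": int(duration)}


def analyze(lines):
    """Return one alert per connection, carrying the highest-priority rule it matches."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        staging = bool(STAGING_DIR_RE.match(ev["image"]))
        external = is_external(ev["dst_ip"])
        if ev["dst_ip"] in IOC_INFRA:
            sev, why = "CRITICAL", "destination is published UAT-8837 infrastructure"
        elif external and staging and ev["dst_port"] in EARTHWORM_PORTS:
            sev, why = "HIGH", "staging-directory binary connecting out on an Earthworm-observed port"
        elif external and staging:
            sev, why = "MEDIUM", "staging-directory binary making an external connection"
        elif external and ev["dst_port"] in EARTHWORM_PORTS - {80, 443} and ev["duration_s"] >= 3600:
            sev, why = "MEDIUM", "long-lived external connection on an uncommon Earthworm port"
        else:
            continue
        alerts.append({**ev, "severity": sev, "reason": why})
    return alerts


# Constructed telemetry; documentation ranges stand in for arbitrary external hosts.
SAMPLE_CONNECTIONS = r"""
2025-12-03T09:40:11Z|SRV-WEB01|C:\windows\temp\svc.ico|74.176.166.174|447|5400
2025-12-03T09:41:00Z|SRV-WEB01|C:\Program Files\Browser\browser.exe|203.0.113.10|443|120
2025-12-03T10:02:37Z|SRV-DB02|C:\users\public\videos\update.exe|198.51.100.7|8888|7200
2025-12-03T10:05:09Z|SRV-WEB01|C:\Windows\System32\svchost.exe|20.200.129.75|443|30
2025-12-03T10:15:44Z|SRV-APP03|C:\Program Files\Vendor\agent.exe|198.51.100.9|11112|9000
2025-12-03T10:20:00Z|WS-042|C:\Users\jdoe\Desktop\tool.exe|10.0.0.5|445|12
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_CONNECTIONS.strip().splitlines()):
        print(f"{a['severity']:8} {a['host']:10} {a['image']} -> {a['dst_ip']}:{a['dst_port']}  {a['reason']}")
```

Ports 80 and 443 are deliberately excluded from the long-lived-connection rule, since ordinary browsing and updaters would drown it; on those ports the staging-directory and infrastructure rules carry the signal, which matches the report's observation that Earthworm binaries are dropped into user-writable staging paths before tunnelling out.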
The Intelligence Assessment
The UAT-8837 campaign underscores several concerning trends in state-sponsored cyber operations:
Specialization: The apparent role of UAT-8837 as an initial access specialist suggests sophisticated division of labor within Chinese cyber operations, with different units handling access, exploitation, and exfiltration.
Zero-Day Access: The group’s demonstrated use of zero-day exploits indicates either in-house vulnerability research capabilities or access to a vulnerability broker network within Chinese intelligence services.
Tool Cycling: The methodical cycling through tool variants to evade detection shows operational maturity and suggests extensive tool libraries or rapid development capabilities.
Strategic Targeting: The focus on critical infrastructure and supply chain elements indicates long-term strategic objectives beyond immediate intelligence gathering. As observed in China’s PurpleHaze campaign targeting cybersecurity vendors, these operations seek to compromise the security ecosystem itself.
Conclusion
The UAT-8837 campaign represents a sophisticated, persistent threat to North American critical infrastructure. The threat actor’s combination of zero-day exploitation, extensive toolkit, and evasion techniques demands a coordinated defensive response from both government and private sector organizations.
The temporal and tactical overlap with broader campaigns like Salt Typhoon suggests a well-orchestrated, multi-pronged approach to strategic intelligence collection and pre-positioning within critical infrastructure. Organizations in targeted sectors must recognize that they face not opportunistic criminals but well-resourced, patient state actors with strategic objectives.
The revelation that UAT-8837 successfully exploited CVE-2025-53690 as a zero-day underscores the critical importance of security configuration management and the lasting impact of insecure deployment practices. A sample machine key published in 2017 deployment documentation became a strategic vulnerability in 2025, demonstrating how technical debt can transform into existential risk.
For critical infrastructure operators, the message is clear: comprehensive security programs, proactive threat hunting, and rapid incident response capabilities are no longer optional. They are essential components of operational resilience in an era of persistent state-sponsored cyber campaigns.
As detailed in our comprehensive analysis of how China’s cyber operations have evolved to dwarf Western capabilities, UAT-8837 represents just one component of a vast, coordinated digital warfare strategy that poses an existential threat to North American critical infrastructure.
Additional Resources
- Cisco Talos Report: UAT-8837 targets critical infrastructure sectors in North America
- CISA KEV Catalog: CVE-2025-53690
- Google Mandiant Analysis: ViewState Deserialization Zero-Day Vulnerability in Sitecore Products
- Western OT Security Guidance: Secure Connectivity Principles for Operational Technology
- Indicators of Compromise: Cisco Talos GitHub Repository
Detection Rules
Organizations can leverage the following detection mechanisms:
ClamAV Signature: Win.Malware.Earthworm
Snort Rules:
- Snort 2: 61883, 61884, 63727, 63728
- Snort 3: 300585, 63727, 63728
Key IOCs (Hash Values)
GoTokenTheft:
- 1b3856e5d8c6a4cec1c09a68e0f87a5319c1bd4c8726586fd3ea1b3434e22dfa
- 891246a7f6f7ba345f419404894323045e5725a2252c000d45603d6ddf697795
Earthworm:
- 451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd
- b3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b
- fab292c72ad41bae2f02ae5700c5a88b40a77f0a3d9cbdf639f52bc4f92bb0a6
- 4f7518b2ee11162703245af6be38f5db50f92e65c303845ef13b12c0f1fc2883
Infrastructure:
- 74[.]176[.]166[.]174
- 20[.]200[.]129[.]75
- 172[.]188[.]162[.]183
- 4[.]144[.]1[.]47
- 103[.]235[.]46[.]102
For complete IOC list and additional threat intelligence, consult the Cisco Talos GitHub repository.