Critical infrastructure sectors in North America have been targeted since at least last year by a threat actor that is probably affiliated with China. Cisco Talos, which is tracking the activity under the name UAT-8837, assesses with medium confidence that it is a China-nexus advanced persistent threat (APT) actor, based on tactical similarities with other campaigns carried out by threat actors from the region. Judging by its post-compromise activity and tactics, techniques, and procedures (TTPs), the threat actor is "primarily tasked with obtaining initial access to high-value organizations," according to the cybersecurity firm.
"UAT-8837 primarily uses open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their victims after obtaining initial access — either by successfully exploiting vulnerable servers or by using compromised credentials," Talos continued. In the most recent intrusion reported, UAT-8837 gained initial access by exploiting a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS score: 9.0). That intrusion shared TTPs, tooling, and infrastructure with a campaign described in September 2025 by Google-owned Mandiant.
Although it is unclear whether the two clusters belong to the same operator, the overlap suggests that UAT-8837 may have access to zero-day exploits for its attacks.
After initial reconnaissance in target networks, the adversary disables RestrictedAdmin for Remote Desktop Protocol (RDP), a security feature that prevents credentials and other user resources from being exposed to a compromised remote host. UAT-8837 is also reported to download multiple artifacts to facilitate post-exploitation and to launch "cmd.exe" for hands-on-keyboard activity on the compromised host.
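As an added example (not code from the Talos report or this article), the following Python flags writes to, or deletion of, the registry value that governs Restricted Admin mode for RDP, running over a few constructed records shaped like Sysmon Event ID 13 (value set) and Event ID 12 (value delete) after export to dicts. The field names follow Sysmon's; the sample events and the file paths in them are made up. One caveat a defender should keep in mind, which the article does not spell out: the value cuts both ways. Setting it to 1 (or removing it) leaves Restricted Admin off, so administrators who RDP in leave reusable credentials on the host; setting it to 0 turns Restricted Admin on, which also lets an attacker holding only an NTLM hash log in over RDP. Either change made by reg.exe under an interactive cmd.exe deserves a look.

```python
"""Flag tampering with the registry value behind Restricted Admin mode for RDP.

Added example, not part of the Talos report. Input records are constructed to mimic
Sysmon Event ID 13 (RegistryEvent: Value Set) and Event ID 12 (RegistryEvent:
Object create/delete) after export to dicts; they are not real telemetry.
"""
import re

# Registry value that controls Restricted Admin mode for RDP (mstsc /restrictedAdmin).
# DWORD 0 -> Restricted Admin permitted; DWORD 1 or value absent -> not permitted (default).
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "DisableRestrictedAdmin"


def normalize_path(path: str) -> str:
    """Lower-case and fold ControlSet00N into CurrentControlSet so either spelling matches."""
    return re.sub(r"controlset\d{3}", "currentcontrolset", path.lower())


TARGET = normalize_path(LSA_KEY + "\\" + VALUE_NAME)


def parse_dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering of a value; None for anything else."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def restricted_admin_state(value):
    """Map the stored DWORD (None = absent or not a DWORD) to the effective mode."""
    return "permitted" if value == 0 else "not permitted"


def assess(event: dict):
    """Return a finding for a write to or deletion of DisableRestrictedAdmin, else None."""
    if normalize_path(event.get("TargetObject", "")) != TARGET:
        return None
    event_id = event.get("EventID")
    if event_id == 13:
        new_value = parse_dword(event.get("Details", ""))
    elif event_id == 12 and event.get("EventType") == "DeleteValue":
        new_value = None
    else:
        return None
    state = restricted_admin_state(new_value)
    if state == "permitted":
        impact = "RDP now accepts NTLM-hash logons (pass-the-hash), no password required"
    else:
        impact = "admins who RDP in now leave reusable credentials on this host"
    return {
        "event_id": event_id,
        "image": event.get("Image"),
        "parent_image": event.get("ParentImage"),
        "new_value": new_value,
        "state": state,
        "impact": impact,
    }


def scan(events):
    """Run assess() over a batch of events and keep the hits, in input order."""
    return [f for f in (assess(e) for e in events) if f]


# Constructed sample: one unrelated registry write, then three touches of the target
# value by reg.exe spawned from an interactive cmd.exe, as a hands-on operator would do.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKLM\System\ControlSet001\Control\Lsa\DisableRestrictedAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 12, "EventType": "DeleteValue", "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The parent process is carried through into the finding on purpose: a reg.exe write to this value from cmd.exe is a different signal from the same write made by a configuration-management agent, and the triage rule for each can differ.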
Researchers Asheer Malhotra, Vitor Ventura, and Brandon White said that "UAT-8837 may run a series of commands during the intrusion to obtain sensitive information, such as credentials from victim organizations." Among the noteworthy tools are:

- GoTokenTheft, to steal access tokens
- EarthWorm, to set up SOCKS tunnels
- DWAgent, to establish a reverse tunnel to attacker-controlled servers for persistent remote access
- SharpHound, to collect Active Directory data for reconnaissance
- Impacket, to execute commands with elevated privileges
- GoExec, a Golang-based tool to execute commands on other remote endpoints within the victim's network
- Rubeus, a C#-based toolset for Kerberos interaction and abuse
- Certipy, a tool for Active Directory Certificate Services (AD CS) enumeration and abuse
The disclosure came one week after Talos attributed to UAT-7290, another China-nexus threat actor, espionage-focused intrusions against entities in South Asia and Southeastern Europe using malware families such as RushDrop, DriveSwitch, and SilentRaid. Western governments have issued multiple alerts in recent years over Chinese threat actors targeting critical infrastructure. Earlier this week, cybersecurity and intelligence agencies from Australia, Germany, the Netherlands, New Zealand, the United Kingdom, and the United States warned of increasing risks to operational technology (OT) environments.
The guidance provides a framework for designing, securing, and managing connectivity in OT systems. Organizations are urged to limit exposure, centralize and standardize network connections, use secure protocols, harden OT boundaries, ensure all connectivity is monitored and logged, and avoid legacy assets that could increase the risk of security incidents. "Both opportunistic and highly capable actors are known to target exposed and insecure OT connectivity," the agencies said.
"Critical national infrastructure (CNI) networks are being actively targeted by state-sponsored actors in this activity. Recent events demonstrate how hacktivists opportunistically target exposed OT infrastructure, demonstrating that the threat is not just restricted to state-sponsored actors," the agencies added.