A sophisticated threat actor, tentatively linked to China, is aggressively targeting critical infrastructure in North America with an arsenal of open-source tools and potential zero-day exploits. In a new report, Cisco Talos details its tracking of UAT-8837, a group assessed with “medium confidence” to be a China-nexus Advanced Persistent Threat (APT) actor.
While the group’s targeting may seem “sporadic,” the long-term pattern is clear: since at least 2025, UAT-8837 has maintained a “focus on targets within critical infrastructure sectors in North America”.
The group is not relying solely on old tricks. The report highlights that UAT-8837 has demonstrated the ability to exploit cutting-edge vulnerabilities.
“The TTPs, tooling, and remote infrastructure associated with UAT-8837 were also seen in the recent exploitation of CVE-2025-53690, a ViewState Deserialization zero-day vulnerability in SiteCore products,” the researchers note. This connection suggests that the group “may have access to zero-day exploits,” significantly elevating the threat level for defenders.
Once inside a network—whether through a zero-day exploit or compromised credentials—the group pivots to a strategy of “living off the land” (LOTL) mixed with open-source utilities. This approach helps them blend in with normal traffic and evade detection.
The toolkit is extensive and adaptable. “UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information”.
Key tools identified in their arsenal include:
- Earthworm: A network tunneling tool used to “expose internal endpoints to attacker-owned remote infrastructure”.
- GoToken Theft: A custom GoLang utility designed for “stealing access tokens” to run commands with elevated privileges.
- SharpHound & Certipy: Used for deep reconnaissance of Active Directory environments.
The group also frequently cycles through different versions of these tools to bypass security products. For example, the use of GoExec, a remote execution tool, was described as “likely an on-the-fly decision by the operator, necessitated by the constant detection and blocking of the threat actors’ tooling by CSE”.
Perhaps most concerning is the potential for future attacks. In one intrusion, the group didn’t just steal data—they stole the building blocks of the victim’s software.
“UAT-8837 exfiltrated DLL-based shared libraries related to the victim’s products,” the report warns. This theft raises the specter that these libraries “may be trojanized in the future,” creating “opportunities for supply chain compromises” that could impact downstream customers.
The group is persistent in securing its foothold. They have been observed creating backdoored user accounts and disabling security features like “RestrictedAdmin” for RDP to facilitate lateral movement.
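Detection logic for the two persistence behaviours just described (backdoored accounts and RestrictedAdmin being switched off), as an added example that is not from the Talos report or this article: three rules run over constructed, simplified Windows Security event records. The sample accounts, host names and field layout are assumptions; the registry value DisableRestrictedAdmin under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is the real setting that controls RDP Restricted Admin mode.

```python
# Constructed sample Windows Security events (not from the Talos report),
# reduced to the fields the rules below need. In real logs the 4732 member
# is a SID that must be resolved to a name before matching.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "alice", "Computer": "WS01"},
    {"EventID": 4720, "SubjectUserName": "svc_backup",
     "TargetUserName": "support_tmp", "Computer": "DC01"},
    {"EventID": 4732, "SubjectUserName": "svc_backup", "MemberName": "support_tmp",
     "TargetUserName": "Administrators", "Computer": "DC01"},
    {"EventID": 4657, "SubjectUserName": "svc_backup",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "ObjectValueName": "DisableRestrictedAdmin", "NewValue": "1", "Computer": "DC01"},
    {"EventID": 4657, "SubjectUserName": "alice",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\ExampleVendor",
     "ObjectValueName": "Setting", "NewValue": "1", "Computer": "WS01"},
]

LSA_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}


def find_persistence_signals(events):
    """Scan events in log order and return alert dicts for three rules:
    4720 account created (low, kept as context); 4732 a freshly created
    account joins a privileged local group (high); 4657 DisableRestrictedAdmin
    set to 1 under the Lsa key (high). 4657 is only written when a SACL
    audits that key, so rule 3 assumes object-access auditing is enabled.
    """
    created = set()  # accounts created earlier in this log window
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        base = {"by": ev.get("SubjectUserName"), "host": ev.get("Computer")}
        if eid == 4720:
            created.add(ev["TargetUserName"])
            alerts.append({"rule": "account_created", "severity": "low",
                           "account": ev["TargetUserName"], **base})
        elif eid == 4732:
            member, group = ev.get("MemberName"), ev.get("TargetUserName")
            if member in created and group in PRIVILEGED_GROUPS:
                alerts.append({"rule": "new_account_privileged_group", "severity": "high",
                               "account": member, "group": group, **base})
        elif eid == 4657:
            if (ev.get("ObjectName", "").lower() == LSA_KEY.lower()
                    and ev.get("ObjectValueName") == "DisableRestrictedAdmin"
                    and ev.get("NewValue") == "1"):
                alerts.append({"rule": "restricted_admin_disabled",
                               "severity": "high", **base})
    return alerts
```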