**China-linked APT UAT-8837 Targets North American Critical Infrastructure**

Cisco Talos has identified a China-linked group, tracked as UAT-8837, that has been targeting critical infrastructure in North America since at least last year. Talos assesses the actor as likely China-linked because its tactics and techniques overlap with those of other known China-nexus clusters.

According to the report published by Talos, "Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors."

The group has been targeting critical infrastructure sectors in North America since at least 2025, using exploits or stolen credentials to gain initial access. Once inside, UAT-8837 employs open-source tools to steal credentials, map Active Directory (AD) environments, maintain access, and conduct hands-on-keyboard operations.

Talos researchers also found evidence of zero-day exploit use, indicating that the threat actor may have access to zero-day vulnerabilities. The group uses a combination of tools in its post-compromise hands-on-keyboard operations, including Earthworm, Sharphound, DWAgent, and Certipy.

The TTPs, tooling, and remote infrastructure associated with UAT-8837 were also seen in the recent exploitation of CVE-2025-53690, a ViewState deserialization zero-day vulnerability in Sitecore products. This suggests that UAT-8837 may have access to zero-day exploits.

After gaining initial access, UAT-8837 performs reconnaissance and weakens defenses by disabling RestrictedAdmin mode for RDP, which leaves credentials exposed on compromised hosts. The group then launches hands-on-keyboard activity via cmd.exe and downloads multiple post-exploitation tools to expand access, maintain persistence, and further compromise the environment.
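Detection logic for the RestrictedAdmin change described above, as an added example and not code from Talos or the report: it scans constructed Sysmon-style registry events (EventID 13, "registry value set") for writes to the DisableRestrictedAdmin value under the LSA key. The key path, value semantics and event field names are assumptions taken from Sysmon and Microsoft conventions, not from the page.

```python
import re

# Registry switch for RestrictedAdmin mode (assumed from Microsoft docs, not quoted on the page):
# DisableRestrictedAdmin = 1 means RestrictedAdmin is disabled, 0 means it is enabled.
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
TARGET_VALUE = "DisableRestrictedAdmin"

# Constructed sample events in a Sysmon-like shape; not a real log export.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": LSA_KEY + "\\" + TARGET_VALUE, "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": LSA_KEY + "\\LmCompatibilityLevel", "Details": "DWORD (0x00000005)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "whoami"},
]

def parse_dword(details):
    """Extract the integer from a Sysmon 'DWORD (0x........)' Details string, or None."""
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None

def find_restricted_admin_changes(events):
    """Return every registry-set event that touches DisableRestrictedAdmin.

    Any write to this value by an interactive tool (reg.exe, cmd.exe, PowerShell)
    is worth reviewing regardless of direction, so all writes are reported and the
    resulting state is annotated for the analyst.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key, _, name = ev.get("TargetObject", "").rpartition("\\")
        if key.lower() != LSA_KEY.lower() or name.lower() != TARGET_VALUE.lower():
            continue
        value = parse_dword(ev.get("Details", ""))
        state = {1: "RestrictedAdmin disabled", 0: "RestrictedAdmin enabled"}.get(value, "unknown")
        hits.append({"image": ev.get("Image"), "value": value, "state": state})
    return hits

if __name__ == "__main__":
    for hit in find_restricted_admin_changes(SAMPLE_EVENTS):
        print(f"ALERT: {hit['image']} set {TARGET_VALUE}={hit['value']} ({hit['state']})")
```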

**Tools Employed by UAT-8837**

  • Earthworm
  • Sharphound
  • DWAgent
  • Certipy
  • Cmd.exe

The group uses these tools to steal credentials and sensitive data, and has exfiltrated product-related DLLs, raising risks of trojanization, reverse engineering, and future supply-chain attacks.

**Response from Cisco Talos**

Cisco Talos published Snort rules (SIDs) to detect and block this threat, along with indicators of compromise (IOCs) to help organizations identify potential compromises. The report serves as a warning for critical infrastructure sectors in North America to be vigilant against UAT-8837's activities.
