UAT-8837

UAT-8837 is a threat actor tracked by Cisco Talos and assessed with medium confidence to be a China-nexus advanced persistent threat (APT) actor. Since at least 2025, the group has targeted critical infrastructure organizations in North America, including the U.S. and Canada, and appears primarily focused on obtaining initial access to high-value organizations. Reported initial access methods include exploitation of vulnerable public-facing servers and use of compromised credentials. Talos linked the actor’s activity, tooling, and infrastructure to exploitation of the Sitecore vulnerability CVE-2025-53690, described in the reporting as a ViewState deserialization zero-day that enabled pre-authentication remote code execution. The reporting states this suggests the actor may have access to zero-day exploits. Post-compromise, UAT-8837 conducts reconnaissance, credential harvesting, and Active Directory/domain discovery, and establishes multiple channels of access. Reported behavior includes disabling RestrictedAdmin for RDP, hands-on-keyboard activity via cmd.exe, creating or modifying accounts for persistence, and exfiltrating sensitive data. In at least one case, the actor exfiltrated DLL-based shared libraries related to a victim’s products, which Talos assessed could create future trojanization or supply-chain compromise risk. The group is reported to rely heavily on open-source, dual-use, and living-off-the-land tooling, and to rotate tool variants to evade detection. Tools explicitly mentioned in the content include Earthworm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, Certipy, GoTokenTheft, Invoke-WMIExec, SharpWMI, and 7-Zip. Separate reporting tied exploitation of CVE-2025-53690 to deployment of the WeepSteel backdoor for long-term espionage and data exfiltration, with unauthorized administrative accounts such as asp$ and sawadmin also observed. No aliases beyond UAT-8837 are directly supported in the provided content.