Mallory
Malware · Used by 2 actors

SharpWMI

SharpWMI is a WMI-based post-compromise utility used for remote execution, reconnaissance, lateral movement, and proliferation on Windows systems via WMI and DCOM. It can run WMI queries against remote hosts and provides arbitrary command or code execution on them. Cisco Talos has observed SharpWMI in the hands of multiple China-linked intrusion clusters, including UAT-7237 and UAT-8837. In UAT-7237 intrusions targeting web infrastructure entities and a web hosting provider in Taiwan, SharpWMI was used alongside WMICmd for reconnaissance and remote execution after initial access through exploitation of known vulnerabilities on internet-exposed servers. In UAT-8837 activity targeting critical infrastructure in North America since at least 2025, SharpWMI was one of a rotating set of open-source and living-off-the-land remote-execution tools the actor switched between when other tooling was blocked; Talos specifically noted that the actor attempted to download and execute SharpWMI but was stopped by Cisco Secure Endpoint. Related infrastructure named in the reporting includes attacker-hosted tooling downloads from 141[.]164[.]50[.]141 and associated URLs under http[://]141[.]164[.]50[.]141/sdksdk608/, although the reporting does not attribute those IOCs exclusively to SharpWMI.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

UAT-7237

...used ... WMI-based utilities, such as SharpWMI and WMICmd.

via SecurityWeek (securityweek.com)
UAT-8837

Impacket, Invoke-WMIExec, GoExec, SharpWMI – Execute commands on remote systems via WMI and DCOM; the actor cycles through the tools when detection blocks execution

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1047 Windows Management Instrumentation (evidence: 2)

They also use built-in Windows tools like SharpWMI and WMICmd to run commands, gather system info, and prepare for further attacks.

T1059 Command and Scripting Interpreter (evidence: 1)

They also use built-in Windows tools like SharpWMI and WMICmd to run commands, gather system info, and prepare for further attacks.
