MalwareUsed by 1 actor

GoTokenTheft

GoTokenTheft is a Go-based utility used to steal Windows access tokens and potentially run commands with elevated privileges. Cisco Talos observed it in post-compromise activity by UAT-8837, a threat actor Talos assesses with medium confidence to be China-nexus, targeting critical infrastructure organizations in North America since at least 2025. In these intrusions, UAT-8837 gained initial access via exploitation of vulnerable servers or use of compromised credentials, including activity associated with Sitecore CVE-2025-53690, then conducted hands-on-keyboard reconnaissance, disabled RDP RestrictedAdmin, and deployed GoTokenTheft alongside tools such as Rubeus, Certipy, SharpHound, Impacket, GoExec, Earthworm, and DWAgent to harvest credentials, abuse Kerberos, enumerate Active Directory, execute remote commands, and maintain access. One cited description states the utility was written in GoLang and deployed as C:\Users<user>\Desktop\go.exe. The content does not provide standalone hashes for GoTokenTheft, but it explicitly identifies token theft and privilege escalation-related use in UAT-8837 operations.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

UAT-8837

Some of the notable tools include - GoTokenTheft, to steal access tokens

via the hacker newsthehackernews.com

MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique

T1134Access Token ManipulationEvidence1

TacticsPrivilege Escalation Stealth

GoTokenTheft, to steal access tokens

Stealth

1 technique

T1134Access Token ManipulationEvidence1

TacticsPrivilege Escalation Stealth

GoTokenTheft, to steal access tokens

Credential Access

1 technique

T1649Steal or Forge Authentication CertificatesEvidence1

TacticCredential Access

Some of the notable tools include - GoTokenTheft, to steal access tokens

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

bleeping computerNews

Jan 16, 2026

China-linked hackers exploited Sitecore zero-day for initial access

A tool used to steal access tokens in Windows/AD environments as part of credential access operations.

the hacker newsNews

Jan 16, 2026

China-Linked APT Exploited Sitecore Zero-Day in Critical Infrastructure Intrusion

A tool used to steal access tokens from compromised environments.

talos intelligence blogNews

Jan 15, 2026

UAT-8837 targets critical infrastructure sectors in North America

Go-based utility used to steal access tokens to enable elevated/impersonated command execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.