Cisco Talos Reports China-Nexus UAT-8837 Breaching North American Critical Infrastructure
Cisco Talos reported multiple intrusions against high-value North American critical infrastructure organizations attributed to UAT-8837, assessed with medium confidence as a China-nexus APT focused on obtaining initial access. Talos said the actor gained entry via compromised credentials and exploitation of vulnerable servers, then conducted hands-on-keyboard activity to harvest credentials and environment data (including security configurations and Active Directory information) to establish redundant access paths. Observed post-compromise tooling included Earthworm (used to create reverse tunnels and expose internal endpoints), SharpHound, DWAgent, and Certipy, alongside common discovery commands (e.g., tasklist /svc, netstat -aon -p TCP, whoami).
Talos linked UAT-8837 activity to exploitation of CVE-2025-53690, described as a ViewState deserialization zero-day affecting Sitecore products, noting that the overlap in tooling/infrastructure with other observed exploitation suggests the actor may have access to zero-day exploits. Reporting also highlighted that the vulnerability had previously been emphasized by U.S. federal cybersecurity authorities with a mandated patch timeline for federal civilian agencies, and that prior third-party analysis of incidents involving the same bug described similar post-exploitation tooling—reinforcing the assessment that this vulnerability has been operationalized in real intrusions against critical infrastructure targets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Talos releases IOCs and detection rules for UAT-8837 activity
Alongside its January 2026 report, Cisco Talos published indicators of compromise including file hashes and command-and-control IP addresses, as well as ClamAV and Snort detection coverage. The release provided defenders with technical details to identify and respond to UAT-8837 intrusions.
Talos publishes UAT-8837 report and attributes activity to China nexus
On January 15, 2026, Cisco Talos published research on UAT-8837, assessing with medium confidence that the actor is China-nexus based on overlaps in tactics, techniques, and procedures with other China-linked groups. The report detailed the actor's use of hands-on-keyboard reconnaissance, credential theft, tunneling, account manipulation, and tooling such as Earthworm, SharpHound, Certipy, Impacket, and Rubeus.
Google analyzes related Sitecore incident with tooling overlap
Google previously analyzed an incident involving CVE-2025-53690 and identified post-exploitation tooling overlaps later echoed in Talos' UAT-8837 findings. The overlap contributed to Talos' assessment that the actor may have access to zero-day exploits.
Federal agencies ordered to patch Sitecore flaw by September 25
U.S. federal cybersecurity officials highlighted CVE-2025-53690 in the fall of 2025 and required federal civilian agencies to remediate it by September 25. This official response underscored the severity of the Sitecore zero-day being used in intrusions.
Sitecore zero-day CVE-2025-53690 is actively exploited
By September 2025, CVE-2025-53690, a Sitecore ViewState deserialization zero-day, was reported as being actively exploited in the wild. Talos later linked several UAT-8837 intrusions to exploitation of this vulnerability, suggesting the actor may have had access to zero-day exploits.
UAT-8837 begins targeting North American critical infrastructure
Cisco Talos assessed that since at least 2025, the cluster tracked as UAT-8837 has focused on gaining initial access to high-value organizations in North American critical infrastructure sectors. The actor used compromised credentials and exploitation of vulnerable internet-facing servers to breach multiple organizations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
China-linked hackers exploited Sitecore zero-day for initial access
bleepingcomputer.com
Open sourceChinese hackers targeting ‘high value’ North American critical infrastructure, Cisco says | The Record from Recorded Future News
therecord.media
Open sourceUAT-8837 targets critical infrastructure sectors in North America
blog.talosintelligence.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
China-Linked UAT-7290 Breaches Telecom Networks Using Linux Malware and ORB Nodes
Cisco Talos disclosed that **UAT-7290**, a threat actor active since at least 2022 and assessed with high confidence as part of the **China-nexus APT ecosystem**, has conducted sustained intrusions against high-value **telecommunications and critical infrastructure** organizations in **South Asia**, with more recent activity extending into **Southeastern Europe**. The group reportedly performs extensive pre-attack reconnaissance, then compromises public-facing edge devices through **one-day exploits**, proof-of-concept exploit adaptation, and **target-specific SSH brute force**, seeking deep and persistent access inside strategically important telecom environments. Researchers said the actor relies heavily on a **Linux-focused malware** toolkit that includes **RushDrop**, **DriveSwitch**, **SilentRaid**, and **Bulbature**, alongside overlaps with **RedLeaves** and **ShadowPad** and activity previously associated with **Red Foxtrot/APT10**. Talos assessed that UAT-7290 appears to serve a dual role: carrying out espionage while also acting as an **initial access provider** that converts compromised devices into **Operational Relay Box (ORB)** nodes for possible use by other China-linked operators. SilentRaid supports modular capabilities such as remote shell access, file management, and port forwarding, while Bulbature was tied to ORB infrastructure through a self-signed certificate observed on at least **141 hosts** in **China or Hong Kong**, reinforcing the attribution assessment.
Mar 26, 2026
Active Exploitation of Critical Infrastructure Management RCE Flaws
Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.
Mar 21, 2026
China-Nexus UAT-9244 Targets South American Telecoms with TernDoor, PeerTime, and BruteEntry
Cisco Talos reported that **UAT-9244**, assessed with high confidence as a **China-nexus APT** closely associated with **FamousSparrow**, has targeted **critical telecommunications providers in South America** since 2024. The activity spans **Windows and Linux endpoints** as well as **network edge devices**, and introduces three previously undocumented implants: **TernDoor** (Windows), **PeerTime** (Linux/ELF), and **BruteEntry** (edge-device brute-force/scanning tooling). Public reporting noted tactical overlap between FamousSparrow and **Salt Typhoon**-linked telecom targeting, but stated there is **no conclusive evidence** directly tying UAT-9244 to Salt Typhoon. Talos detailed that **TernDoor** is a variant of **CrowDoor** (itself related to **SparrowDoor**) and is deployed via **DLL side-loading** using the legitimate `wsprint.exe` to load a malicious loader DLL `BugSplatRc64.dll`, which reads `WSPrint.dll`, decrypts it, and executes the final payload **in memory**. **PeerTime** is an ELF backdoor that leverages the **BitTorrent protocol** for malicious operations on infected Linux systems. **BruteEntry** is typically installed on edge devices to convert them into **Operational Relay Boxes (ORBs)** used for mass scanning and brute forcing services including **SSH**, **Postgres**, and **Tomcat**; additional reporting also noted prior UAT-9244 targeting of **outdated Windows Server and Microsoft Exchange** to deploy web shells as a foothold for follow-on activity.
Mar 21, 2026