A China-linked threat actor identified as UAT-8837 has been targeting North American critical infrastructure since early 2025. Cisco Talos reports that this group utilizes a sophisticated mix of zero-day exploits and open-source tools to map internal environments and maintain persistent access.
Cisco Talos has identified a cyber threat group designated as UAT-8837, which they assess with medium confidence to be a China-nexus advanced persistent threat actor. This assessment is based on significant overlaps in tactics, techniques, and procedures with other known Chinese hacking clusters. Since at least 2025, the group has demonstrated a focused and strategic interest in North American critical infrastructure sectors. This targeting suggests a deliberate attempt to infiltrate systems that are essential to regional stability and services.
The group gains initial entry into networks through a variety of methods, including the exploitation of stolen credentials and known vulnerabilities. Notably, researchers found evidence that UAT-8837 may have access to zero-day exploits, specifically citing the recent exploitation of a ViewState deserialization vulnerability in Sitecore products. Once inside a network, the actors engage in hands-on-keyboard operations to weaken local security defenses. They frequently disable specific administrative settings, such as Restricted Admin mode for Remote Desktop Protocol, to expose credentials on compromised hosts and facilitate further movement.
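As an added detection example for the Restricted Admin tampering described above (this is not code from the Talos report), the following Python flags Sysmon registry-write events (Event ID 13) that set the `DisableRestrictedAdmin` value under the LSA key to 1, which is what turns Restricted Admin mode off. The registry path is the documented Windows value rather than one taken from the page, and the sample log lines are constructed.

```python
import json
import re

# Documented Windows value controlling RDP Restricted Admin mode (assumed here;
# the page names the setting but not the key). 1 = Restricted Admin disabled,
# so a normal RDP logon leaves reusable credentials on the remote host.
RESTRICTED_ADMIN_VALUE = r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"

# Sysmon renders DWORD writes in the Details field as "DWORD (0x00000001)".
_DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


def parse_dword(details):
    """Extract the integer from a Sysmon DWORD Details string, or None."""
    m = _DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def load_events(text):
    """Parse one JSON object per line (blank lines ignored)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_restricted_admin_tampering(events):
    """Return one alert per Sysmon Event ID 13 record that writes
    DisableRestrictedAdmin = 1. Any write to this value on a server is worth
    review, but 1 is the change that exposes credentials to RDP sessions."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        if ev.get("TargetObject", "").lower() != RESTRICTED_ADMIN_VALUE.lower():
            continue
        if parse_dword(ev.get("Details")) == 1:
            alerts.append({"host": ev.get("Computer"), "image": ev.get("Image")})
    return alerts


# Constructed sample telemetry: one tampering write, one re-enable, one
# unrelated LSA write and one process-creation event that must be ignored.
SAMPLE_LOG = r"""
{"EventID": 13, "Computer": "srv01", "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Computer": "srv02", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "Computer": "srv01", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel", "Details": "DWORD (0x00000005)"}
{"EventID": 1, "Computer": "srv01", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
"""

if __name__ == "__main__":
    for alert in find_restricted_admin_tampering(load_events(SAMPLE_LOG)):
        print(f"Restricted Admin disabled on {alert['host']} by {alert['image']}")
```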
To expand their reach, the attackers deploy a diverse toolkit consisting of several public and specialized utilities. Tools like EarthWorm are used to create reverse tunnels that bypass network perimeters, while DWAgent provides persistent interactive access for remote administration. The group also relies heavily on Active Directory reconnaissance tools such as SharpHound and Certipy to identify misconfigurations in certificate services and map potential attack paths. This phase of the operation is designed to identify the most efficient routes for privilege escalation and lateral movement across the internal environment.
Further exploitation involves the use of GoTokenTheft to hijack user tokens and Impacket for remote command execution. The threat actor also leverages Rubeus for Kerberos-based attacks and GoExec to run commands on multiple endpoints simultaneously. By combining these tools, UAT-8837 can effectively harvest credentials and exploit domain-level vulnerabilities without needing cleartext passwords. These actions demonstrate a high level of proficiency in navigating complex Windows environments and maintaining a stealthy presence while gathering data.
The final stages of the observed attacks involve the theft of sensitive data and the exfiltration of product-related files, such as specific DLLs. Security researchers warn that the theft of these files creates a significant risk for reverse engineering and future supply-chain compromises. By analyzing and potentially trojanizing these components, the group could launch more widespread attacks in the future. The ongoing activity of UAT-8837 underscores a persistent and evolving threat to the security of critical infrastructure in North America.
Source: China Linked APT UAT 8837 Targets North American Critical Infrastructure