UAT-8837: A looming threat to North America’s critical infrastructure sectors

Feb 9, 2026 | Threat Intelligence Research

China-Nexus Threat Actor UAT-8837 Targets Critical Infrastructure in North America

Cisco Talos reports that UAT-8837, an advanced persistent threat (APT) actor linked to China, is actively targeting high-value organizations in North America’s critical infrastructure. Using a mix of exploited vulnerabilities and compromised credentials, UAT-8837 has gained access to sensitive environments since at least 2025.

The group’s methods include exploiting both zero-day and n-day vulnerabilities, such as the recently disclosed CVE-2025-53690 in Sitecore products. Following initial access, UAT-8837 employs a variety of open-source tools, including Earthworm, DWAgent, and SharpHound, to harvest credentials, security information, and Active Directory data. The actor then conducts reconnaissance and establishes multiple channels for persistent access. Commands are executed to disable security features such as RestrictedAdmin for Remote Desktop Protocol (RDP), laying the groundwork for further exploitation.

UAT-8837’s approach shows adaptability: the actor has been observed cycling through different tools to evade detection by security products, including the GoTokenTheft utility for stealing tokens and Earthworm for network tunneling. This rotation of tooling suggests an effort to maintain persistent access and data exfiltration capabilities. Notably, UAT-8837 has been linked to broader supply chain risk, as evidenced by its exfiltration of shared libraries from victim organizations, which could enable future trojanization.

The threat posed by UAT-8837 highlights the growing cyber risks to critical infrastructure sectors, necessitating increased vigilance and improved defense strategies. Defenders need to focus on continuous monitoring of their networks, especially for signs of reconnaissance and credential harvesting activities, while also employing robust tools for vulnerability management.

Indicators of Compromise (IOCs) include:

  • Malware Hashes:
    • GoTokenTheft: 1b3856e5d8c6a4cec1c09a68e0f87a5319c1bd4c8726586fd3ea1b3434e22dfa
    • Earthworm: 451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd
    • SharpHound: 5090f311b37309767fb41fa9839d2770ab382326f38bab8c976b83ec727e6796
  • IP Addresses:
    • 172[.]188[.]162[.]183
    • 74[.]176[.]166[.]174
    • 20[.]200[.]129[.]75
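The indicators above are published defanged (`[.]` in place of `.`), so they must be refanged before they can be matched against telemetry. The script below is an added example, not code from Talos or Q-Feeds: it loads the hashes and addresses listed in this article, refangs the IPs, and scans log lines for exact matches. The log lines it runs over are constructed for illustration and are not real telemetry; the field layout (`sha256=`, `dst=`) is an assumption about a generic EDR/proxy export.

```python
import re

# SHA-256 hashes copied from the IOC list above, keyed to the tool name given there.
ADVISORY_HASHES = {
    "1b3856e5d8c6a4cec1c09a68e0f87a5319c1bd4c8726586fd3ea1b3434e22dfa": "GoTokenTheft",
    "451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd": "Earthworm",
    "5090f311b37309767fb41fa9839d2770ab382326f38bab8c976b83ec727e6796": "SharpHound",
}

# IP addresses copied from the IOC list above, still defanged as published.
ADVISORY_IPS_DEFANGED = [
    "172[.]188[.]162[.]183",
    "74[.]176[.]166[.]174",
    "20[.]200[.]129[.]75",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator back to its matchable form.

    Handles the common conventions: '[.]' and '(.)' for dots, 'hxxp' for 'http'.
    """
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxp", "http"))


# Refanged set used for exact lookups; exact matching avoids near-miss false positives
# (a neighbouring address in the same /24 is not an indicator).
ADVISORY_IPS = {refang(ip) for ip in ADVISORY_IPS_DEFANGED}

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line: str) -> list:
    """Return (kind, value, label) tuples for every advisory IOC found in one log line."""
    hits = []
    for digest in SHA256_RE.findall(line):
        label = ADVISORY_HASHES.get(digest.lower())
        if label:
            hits.append(("sha256", digest.lower(), label))
    for ip in IPV4_RE.findall(line):
        if ip in ADVISORY_IPS:
            hits.append(("ip", ip, "UAT-8837 infrastructure"))
    return hits


def scan_log(lines) -> list:
    """Scan an iterable of log lines; return (line_number, hit) pairs, 1-indexed."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]


# Constructed sample telemetry (not real data). Line 1 carries the Earthworm hash,
# line 2 connects to a listed address, line 3 is a benign file, and line 4 is a
# near miss one octet away from a listed address, which must NOT match.
SAMPLE_LOG = [
    r"2026-02-09T10:12:01Z edr host=WS-0412 event=file_create path=C:\Users\Public\ew.exe "
    r"sha256=451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd",
    r"2026-02-09T10:12:40Z proxy src=10.20.30.7 dst=20.200.129.75 dport=443 action=allow",
    r"2026-02-09T10:13:05Z edr host=WS-0412 event=file_create path=C:\Windows\notepad.exe "
    r"sha256=0000000000000000000000000000000000000000000000000000000000000000",
    r"2026-02-09T10:13:30Z proxy src=10.20.30.8 dst=172.188.162.184 dport=443 action=allow",
]


if __name__ == "__main__":
    for line_no, (kind, value, label) in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {value} -> {label}")
```

Hash matching is case-insensitive and IP matching is exact, so the script reports the Earthworm hash on line 1 and the listed address on line 2 while staying silent on the benign file and the adjacent-octet address. In practice the same functions can be pointed at a real export by replacing `SAMPLE_LOG` with the file's lines.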

