China-linked APT UAT-8837 targets North American critical infrastructure
2026-1-17 15:50:20 Author: securityaffairs.com


Cisco Talos says a China-linked group, tracked as UAT-8837, has targeted North American critical infrastructure since last year.

Cisco Talos reports that threat group UAT-8837, likely linked to China, has targeted critical infrastructure in North America since at least last year. The activity shows tactics overlapping with known China-linked clusters.

“Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors.” reads the report published by Talos.

“Although UAT-8837’s targeting may appear sporadic, since at least 2025, the group has clearly focused on targets within critical infrastructure sectors in North America.”

After gaining access via exploits or stolen credentials, UAT-8837 uses open-source tools to steal credentials and map Active Directory (AD) environments, maintain access, and conduct hands-on-keyboard attacks. The researchers also found evidence of zero-day exploit use.

“The threat actor uses a combination of tools in their post-compromise hands-on-keyboard operations, including Earthworm, Sharphound, DWAgent, and Certipy. The TTPs, tooling, and remote infrastructure associated with UAT-8837 were also seen in the recent exploitation of CVE-2025-53690, a ViewState Deserialization zero-day vulnerability in SiteCore products, indicating that UAT-8837 may have access to zero-day exploits.” continues the report.

After gaining initial access, UAT-8837 performs reconnaissance and weakens defenses by disabling RestrictedAdmin for RDP, exposing credentials on compromised hosts. The group then launches hands-on-keyboard activity via cmd.exe and downloads multiple post-exploitation tools to expand access, maintain persistence, and further compromise the environment. Below is a list of tools employed by the threat actor:

  1. GoTokenTheft – Public Go-based token-stealing utility used to hijack access tokens of other users or processes and execute commands in their security context, effectively enabling privilege escalation and lateral movement without needing cleartext credentials.
  2. EarthWorm – Lightweight SOCKS-based tunneling tool widely seen in China-nexus operations; it builds reverse tunnels from compromised hosts to attacker-controlled servers, exposing internal services and creating resilient C2 channels that bypass perimeter controls.
  3. DWAgent – Component of the DWService remote-administration platform, repurposed by UAT-8837 to maintain persistent interactive access to infected systems and to stage or deploy additional payloads during hands-on-keyboard operations, including AD reconnaissance tools.
  4. SharpHound – Module of the BloodHound ecosystem used to automatically enumerate Active Directory objects (users, groups, computers, sessions, ACLs) and relationships, producing data that can be graphed to identify attack paths, privilege-escalation opportunities and lateral-movement routes.
  5. Impacket – Widely used Python collection of network-protocol libraries and example scripts (e.g., wmiexec, psexec, secretsdump) that allow authenticated attackers to execute commands remotely, dump credentials and move laterally using Windows protocols such as SMB, WMI and RPC.
  6. GoExec – Golang-based remote-execution tool leveraged by UAT-8837 when other binaries were detected; it lets operators run arbitrary commands on multiple other endpoints reachable from a compromised host, extending lateral movement across the victim’s network.
  7. Rubeus – C# toolset focused on Kerberos operations and abuse (e.g., ticket extraction, pass-the-ticket, AS-REP roasting, S4U abuse). UAT-8837 uses it to harvest Kerberos tickets and exploit misconfigurations to escalate privileges inside Active Directory domains.
  8. Certipy – Offensive security tool for AD Certificate Services; it discovers certificate templates and PKI misconfigurations, then abuses them for authentication and privilege escalation (e.g., ESC1–ESC8). The actor employs Certipy alongside SharpHound and native tools like setspn, dsquery and dsget to map and exploit AD.
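The two post-compromise behaviours described above, the RestrictedAdmin change and the arrival of well-known open-source tooling, are both visible in endpoint telemetry. The following detection pass is an added example, not code from Security Affairs or from the Cisco Talos report: it runs over a few constructed Sysmon-style log lines (registry value set, Event ID 13, and process creation, Event ID 1) and flags a write to the `DisableRestrictedAdmin` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which is the Windows setting behind Restricted Admin mode for RDP, plus process images or command lines that match the tool names listed in the article. The key=value line format, the sample events, and the binary names used for matching (for instance `ew.exe` for EarthWorm) are assumptions made for the example.

```python
"""
Added example (not from the Security Affairs article or Cisco Talos): a small
detection pass over constructed Sysmon-style log lines that flags the two
post-compromise behaviours the article attributes to UAT-8837:

  * a change to the DisableRestrictedAdmin registry value (Sysmon Event ID 13),
    which governs Restricted Admin mode for RDP, and
  * process creations (Sysmon Event ID 1) whose image or command line matches
    the open-source tooling listed in the article.

The key=value log format and the sample events are assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Registry value that controls Restricted Admin mode for RDP. Setting it to 1
# turns the mode off, so interactive RDP logons leave reusable credentials on
# the remote host, which is the exposure the article describes.
RESTRICTED_ADMIN_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"

# Tool names taken from the article's list. Patterns match the image basename or
# a distinctive command-line token; "ew" is the usual EarthWorm binary name
# (assumed). Note that "psexec" also matches the legitimate Sysinternals PsExec,
# so that hit needs triage rather than automatic blocking.
TOOL_PATTERNS = {
    "SharpHound": re.compile(r"sharphound", re.I),
    "Rubeus": re.compile(r"rubeus", re.I),
    "Certipy": re.compile(r"certipy", re.I),
    "DWAgent": re.compile(r"dwagent", re.I),
    "EarthWorm": re.compile(r"(^|\\|/)ew(_for_\w+)?(\.exe)?(\s|$)", re.I),
    "GoExec": re.compile(r"goexec", re.I),
    "GoTokenTheft": re.compile(r"gotokentheft", re.I),
    "Impacket": re.compile(r"(wmiexec|psexec|secretsdump)(\.py)?", re.I),
}


@dataclass
class Finding:
    rule: str    # which detection fired
    detail: str  # the evidence pulled from the event


def parse_kv(line: str) -> dict:
    """Split 'Key=Value Key2=Value with spaces' into a dict (assumed log format)."""
    fields = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a single event line, or None if nothing matched."""
    f = parse_kv(line)
    eid = f.get("EventID")
    # Rule 1: any write to the Restricted Admin control value is suspicious on a
    # server that is not being administered through a change window.
    if eid == "13" and f.get("TargetObject", "").lower() == RESTRICTED_ADMIN_KEY.lower():
        return Finding("restricted_admin_tamper",
                       f"{f.get('Image')} wrote {f.get('Details')}")
    # Rule 2: known post-exploitation tooling appearing in process creation.
    if eid == "1":
        haystack = f.get("Image", "") + " " + f.get("CommandLine", "")
        for name, pattern in TOOL_PATTERNS.items():
            if pattern.search(haystack):
                return Finding(f"tool:{name}", f.get("CommandLine") or f.get("Image", ""))
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run every line through check_line and keep the hits, in input order."""
    return [hit for hit in (check_line(line) for line in lines) if hit is not None]


# Constructed sample telemetry: one benign service start, one RestrictedAdmin
# write, four tool launches, and one unrelated Run-key persistence write that
# these two rules deliberately do not cover.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs
EventID=13 TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin Details=DWORD (0x00000001) Image=C:\Windows\System32\reg.exe
EventID=1 Image=C:\Users\Public\SharpHound.exe CommandLine=SharpHound.exe -c All
EventID=1 Image=C:\Users\Public\ew.exe CommandLine=ew.exe -s rcsocks -l 1080 -e 8888
EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c Rubeus.exe asreproast
EventID=1 Image=C:\Python\python.exe CommandLine=python.exe secretsdump.py corp/admin@10.0.0.5
EventID=13 TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\Users\Public\update.exe Image=C:\Users\Public\update.exe
""".strip().splitlines()


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.rule}] {finding.detail}")
```

Run as a script it prints five findings from the seven sample lines; the benign `svchost.exe` start and the Run-key write are left alone because neither rule claims them. In production the same two checks would sit on a SIEM feed of Sysmon Event IDs 1 and 13, and a renamed SharpHound binary would of course slip past the name match, which is why the registry rule, which keys on the value path rather than a tool name, is the more durable of the two.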

Researchers say UAT-8837 runs commands to steal credentials and sensitive data and has exfiltrated product-related DLLs, raising risks of trojanization, reverse engineering, and future supply-chain attacks.

Talos published Snort rules (SIDs) to detect and block this threat, along with indicators of compromise (IOCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, China)

Source: https://securityaffairs.com/186999/breaking-news/china-linked-apt-uat-8837-targets-north-american-critical-infrastructure.html