Threat Intelligence · January 17, 2026 · 4 min read

China-Linked UAT-8837 Exploits Sitecore Zero-Day in US Attacks

Cisco Talos exposes China-nexus APT targeting critical infrastructure with CVE-2025-53690 exploitation, credential harvesting, and potential supply chain compromise.

Alex Kowalski

Cisco Talos has disclosed a China-nexus threat actor called UAT-8837 that has been targeting critical infrastructure organizations in North America since at least 2025. The group exploits both known vulnerabilities and zero-days to gain initial access, then deploys open-source tools for credential harvesting and lateral movement.

The disclosure comes just over a week after Talos revealed UAT-7290, a separate China-linked group targeting telecommunications providers in South Asia. UAT-8837 operates differently—focusing on North American critical infrastructure and demonstrating access to zero-day exploits.

What Is UAT-8837?

Talos assesses with medium confidence that UAT-8837 is a China-nexus APT primarily tasked with obtaining initial access to high-value organizations. Talos describes the targeting as focused on critical infrastructure but did not name the specific sectors that were compromised.

What makes UAT-8837 notable is their apparent access to zero-day vulnerabilities. Talos observed the group exploiting CVE-2025-53690, a critical ViewState deserialization flaw in Sitecore products (CVSS 9.0), before Sitecore issued its fix in September 2025. The flaw affects deployments that used the sample ASP.NET machine key published in Sitecore's own documentation: with that key, an attacker can sign a malicious ViewState payload and obtain remote code execution on the server, which fits the group's preference for compromising internet-facing servers.

"The TTPs, tooling, and remote infrastructure associated with UAT-8837 were also seen in the recent exploitation of CVE-2025-53690," Talos noted, "indicating that UAT-8837 may have access to zero-day exploits."

How They Operate

UAT-8837 gains initial access through two primary methods: exploiting vulnerable internet-facing servers or using compromised credentials. Once inside a network, the group shifts to hands-on-keyboard activity, changing the RestrictedAdmin mode setting for RDP and opening command shells for interactive access. RestrictedAdmin mode is controlled by the DisableRestrictedAdmin registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; when the mode is enabled, an RDP logon can be completed with an NT hash alone, so an unexpected change to that value on any host, in either direction, deserves investigation alongside the credential-theft tooling described below.

The post-compromise phase focuses heavily on credential harvesting. UAT-8837 deploys a combination of open-source and living-off-the-land tools:

  • GoTokenTheft for stealing access tokens
  • Earthworm for SOCKS reverse tunneling
  • SharpHound for Active Directory enumeration
  • Impacket for executing privileged commands
  • Rubeus for Kerberos abuse
  • Certipy for collecting AD credentials and certificate data
  • DWAgent for remote access

The group continually cycles through tool variants to evade detection. They also use GoExec to execute commands across multiple endpoints simultaneously, suggesting operations designed to move quickly through compromised networks.

Supply Chain Risk

Talos flagged a concerning discovery from one victim organization: UAT-8837 exfiltrated DLL-based shared libraries related to the victim's products. This raises the possibility that attackers could trojanize these libraries for supply chain attacks or reverse-engineer them to find exploitable vulnerabilities.

Supply chain compromise has become a recurring theme in Chinese cyber operations. Groups like Mustang Panda have demonstrated sophisticated capabilities in this area, and UAT-8837's collection of product libraries suggests similar interests.

Connection to Broader Chinese Operations

UAT-8837 isn't operating in isolation. Talos noted overlaps in tactics, techniques, and procedures with other known China-nexus threat actors. The Chinese cyber ecosystem increasingly shows signs of specialization—different groups focus on initial access, credential harvesting, or persistence, potentially sharing access to compromised networks.

This mirrors the division of labor seen in cybercrime ecosystems, where initial access brokers sell network footholds to ransomware operators. In the state-sponsored context, groups like UAT-8837 may build infrastructure and access that other Chinese intelligence operations can leverage.

Why This Matters

Chinese APTs targeting North American critical infrastructure isn't new. But the disclosure of UAT-8837—combined with the recent UAT-7290 research and ongoing campaigns by groups like Silk Typhoon—indicates sustained pressure on Western organizations from Beijing-aligned threat actors.

The group's access to zero-day exploits is particularly concerning. Organizations that rely on timely patching as their primary defense won't catch attacks that exploit unknown vulnerabilities. Defense-in-depth strategies that assume breach—focusing on detection, segmentation, and response—become essential.

For deeper context on Chinese cyber operations and their evolution, our recommended reading on nation-state threats covers the strategic objectives driving these campaigns.

Recommendations

Organizations in critical infrastructure sectors should:

  1. Load the Talos-published indicators of compromise into the SIEM and run the accompanying hunting queries
  2. Monitor process-creation and command-line telemetry for SharpHound, Rubeus, Certipy, Impacket and GoExec, including renamed binaries
  3. Audit RDP configurations for unexpected changes to the DisableRestrictedAdmin registry value
  4. Implement network segmentation to limit lateral movement
  5. Establish baseline behavior for privileged accounts (which hosts they log on to, and when) to detect anomalies
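The following script is an added example, not Talos tooling or a published detection, showing how the hunting steps above (tool usage, RestrictedAdmin registry changes, privileged accounts logging on outside their baseline) can be applied to endpoint telemetry. It also ties back to the tool list in "How They Operate". The event records, hostnames, account names and the privileged-account baseline are constructed for the example; the command-line patterns are the common invocations of the named open-source tools and would need tuning for a real environment.

```python
"""Hunt simplified Windows endpoint events for UAT-8837-style tradecraft.

Added example (not Talos code). Events are constructed, Sysmon-like dicts:
  process  -> process creation with full command line
  registry -> registry value set
  logon    -> interactive/network logon of an account on a host
"""
import re
from collections import defaultdict

# Command-line fragments typical of the open-source tools named in the report.
# Matching on arguments as well as binary names catches renamed copies.
TOOL_PATTERNS = {
    "SharpHound": re.compile(r"sharphound|--collectionmethods|invoke-bloodhound", re.I),
    "Rubeus": re.compile(r"rubeus|\basktgt\b|\bkerberoast\b|\bs4u\b|\bptt\b", re.I),
    "Certipy": re.compile(r"\bcertipy\b", re.I),
    "Impacket": re.compile(r"wmiexec|smbexec|psexec\.py|secretsdump|atexec|dcomexec", re.I),
    "GoExec": re.compile(r"\bgoexec\b", re.I),
    "Earthworm": re.compile(r"\bew(_for_win)?\b|\s-s\s+(rcsocks|rssocks|ssocksd|lcx_listen|lcx_tran)\b", re.I),
}

# DisableRestrictedAdmin = 0 turns RestrictedAdmin mode ON (RDP with an NT hash only);
# 1 or absent turns it OFF. Any write here on a host that was never deliberately
# configured is worth a look.
RESTRICTEDADMIN_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"

# Constructed baseline: the hosts each privileged account is expected to log on to.
PRIVILEGED_BASELINE = {
    "CORP\\adm_jdoe": {"DC01", "FS02"},
}

# Constructed sample telemetry (no real hosts, users or hashes).
EVENTS = [
    {"type": "process", "host": "WEB01", "user": "CORP\\svc_sitecore", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "host": "WEB01", "user": "CORP\\svc_sitecore",
     "cmdline": "C:\\Windows\\Temp\\sh.exe --collectionmethods All -d corp.local"},
    {"type": "registry", "host": "WEB01", "user": "CORP\\svc_sitecore",
     "key": RESTRICTEDADMIN_VALUE, "value": "0"},
    {"type": "process", "host": "FS02", "user": "CORP\\adm_jdoe",
     "cmdline": "python3 wmiexec.py corp/adm_jdoe@fs02 -hashes :<nt-hash>"},
    {"type": "logon", "host": "DC01", "user": "CORP\\adm_jdoe"},
    {"type": "logon", "host": "WEB01", "user": "CORP\\adm_jdoe"},   # off-baseline host
    {"type": "process", "host": "FS02", "user": "CORP\\adm_jdoe",
     "cmdline": "certipy find -u adm_jdoe@corp.local -p <password> -vulnerable"},
]


def match_tools(cmdline: str) -> list[str]:
    """Return the names of all tool patterns that match a command line."""
    return [name for name, pat in TOOL_PATTERNS.items() if pat.search(cmdline)]


def hunt(events: list[dict], baseline: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return (host, user, signal) tuples for every event that trips a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            for tool in match_tools(ev["cmdline"]):
                findings.append((ev["host"], ev["user"], f"tool:{tool}"))
        elif ev["type"] == "registry" and ev["key"].lower() == RESTRICTEDADMIN_VALUE.lower():
            state = "enabled" if ev["value"] == "0" else "disabled"
            findings.append((ev["host"], ev["user"], f"restrictedadmin:{state}"))
        elif ev["type"] == "logon":
            allowed = baseline.get(ev["user"])
            # Only accounts present in the baseline are privileged; others are ignored here.
            if allowed is not None and ev["host"] not in allowed:
                findings.append((ev["host"], ev["user"], "privileged-logon-off-baseline"))
    return findings


def hosts_with_multiple_signals(findings: list[tuple[str, str, str]]) -> dict[str, int]:
    """Triage aid: hosts with two or more distinct signals, with the signal count."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for host, _user, signal in findings:
        per_host[host].add(signal)
    return {host: len(signals) for host, signals in per_host.items() if len(signals) >= 2}


if __name__ == "__main__":
    results = hunt(EVENTS, PRIVILEGED_BASELINE)
    for host, user, signal in results:
        print(f"{host:6} {user:20} {signal}")
    print("hosts to triage first:", hosts_with_multiple_signals(results))
```

Run against the constructed events, the script flags SharpHound and the RestrictedAdmin change on WEB01, Impacket and Certipy on FS02, and the privileged account's logon to WEB01, then ranks WEB01 first because three different signals converge there. In production the same logic would be expressed as SIEM queries over Sysmon Event ID 1 and 13 and Security Event ID 4688 and 4624, with the baseline built from historical logon data rather than a hand-written dict.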

Talos credited researchers Asheer Malhotra, Vitor Ventura, and Brandon White for this disclosure.
