
Since early 2025, Cisco Talos has tracked activity by a group it designates UAT-8837, which it attributes to China based on tooling and infrastructure overlaps with other known operators in the region.
The attacks targeted organizations in critical sectors in North America. According to the analysts, UAT-8837's primary goal is to gain initial access to high-value systems. Once inside, the group establishes multiple channels for continued control of the infrastructure, so that losing one foothold does not cost it the intrusion.
Initial access is gained both by exploiting software vulnerabilities and by using stolen credentials. The most recent attack exploited CVE-2025-53690, a zero-day vulnerability in Sitecore products. After gaining a foothold, the attackers collect system and user information, disable security mechanisms, and execute commands from a command shell. They stage their tools in temporary and public operating-system directories.
UAT-8837 uses a wide array of tools and frequently switches versions to evade security controls. Among the programs observed are GoTokenTheft, designed to steal access tokens; Earthworm, which creates tunnels between internal systems and external servers; DWAgent, which provides remote administration; and SharpHound, which collects Active Directory data.
The use of Impacket, GoExec, and Rubeus has also been documented: the first two allow commands to be executed remotely in the context of other users, while Rubeus is used to interact with Kerberos. Some of these tools, Earthworm in particular, are often associated with other Chinese-speaking groups.
Traces of built-in domain enumeration and security-policy utilities, such as dsquery, dsget, secedit, and setspn, were found on the compromised devices. Relying on tools that are already present on the system lets the group blend in with legitimate administrative activity and operate undetected. Additionally, they installed programs that provide access to systems independently of the primary foothold.
One case deserves particular attention: the group copied dynamic libraries belonging to the victim's own products. This could indicate an intention to inject malicious code into updates or to use these components for subsequent vulnerability analysis. Either way, such actions create a supply-chain compromise risk for the victim's downstream customers.
Beyond utilities and commands, UAT-8837 creates new accounts and adds them to groups with extended privileges, retaining access even if the primary channel is blocked. The attackers also test different versions of their tools to select those that the victim's security products do not detect.
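The behaviours described above (tools staged in temporary and public directories, discovery through built-in utilities such as dsquery, dsget, secedit and setspn, and new accounts added to privileged groups) are visible in Windows Security event logs. The following is an added example, not Talos's own detection content and not the group's tooling: a small Python detector run over constructed, simplified Windows Security events (IDs 4688, 4720, 4728 and 4732). The field names follow the Windows event schema but the event objects, the sample events, the 24-hour correlation window and the list of privileged group names are assumptions for the example.

```python
"""Added example: flag UAT-8837-style behaviours in Windows Security events.
Not Talos's signatures or code. Events are simplified dictionaries and the
SAMPLE_EVENTS below are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Built-in utilities the article reports were found on compromised hosts.
DISCOVERY_TOOLS = {"dsquery.exe", "dsget.exe", "secedit.exe", "setspn.exe"}
# Staging locations: temporary and public directories (compared lower-case).
STAGING_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
# Assumption: default privileged group names; extend for your domain.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# Assumption: a group add within this window of account creation is "new account -> privileged".
NEW_ACCOUNT_WINDOW = timedelta(hours=24)


@dataclass
class Event:
    time: datetime
    event_id: int
    fields: dict


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _sam(member: str) -> str:
    """Reduce 'CORP\\user' or 'CN=user,OU=...' (4728/4732 MemberName) to 'user'."""
    if member.upper().startswith("CN="):
        return member[3:].split(",", 1)[0].lower()
    return member.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (time, kind, detail) findings; events may arrive out of order."""
    findings = []
    created = {}  # sam account name -> creation time, from 4720
    for ev in sorted(events, key=lambda e: e.time):
        f = ev.fields
        if ev.event_id == 4688:  # process creation
            proc = f["NewProcessName"]
            if _basename(proc) in DISCOVERY_TOOLS:
                findings.append((ev.time, "ad_discovery",
                                 f"{f['SubjectUserName']} ran {f['CommandLine']}"))
            if any(d in proc.lower() for d in STAGING_DIRS):
                findings.append((ev.time, "tool_from_staging_dir", proc))
        elif ev.event_id == 4720:  # user account created
            created[f["TargetUserName"].lower()] = ev.time
        elif ev.event_id in (4728, 4732):  # member added to global/local security group
            group = f["TargetUserName"]  # in these events TargetUserName is the group
            if group.lower() in PRIVILEGED_GROUPS:
                sam = _sam(f["MemberName"])
                kind = "privileged_group_add"
                if sam in created and ev.time - created[sam] <= NEW_ACCOUNT_WINDOW:
                    kind = "new_account_privileged"
                findings.append((ev.time, kind, f"{f['MemberName']} -> {group}"))
    return findings


# Constructed sample events (not real telemetry).
_T = datetime(2025, 3, 4, 10, 0)
SAMPLE_EVENTS = [
    Event(_T, 4688, {"SubjectUserName": "SYSTEM", "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
                     "CommandLine": "svchost.exe -k netsvcs"}),
    Event(_T + timedelta(minutes=5), 4688, {"SubjectUserName": "jdoe",
          "NewProcessName": "C:\\Windows\\System32\\dsquery.exe",
          "CommandLine": "dsquery * -filter (objectClass=computer)"}),
    Event(_T + timedelta(minutes=9), 4688, {"SubjectUserName": "jdoe",
          "NewProcessName": "C:\\Users\\Public\\ew.exe", "CommandLine": "ew.exe -s rcsocks"}),
    Event(_T + timedelta(minutes=20), 4720, {"TargetUserName": "svc_backup"}),
    Event(_T + timedelta(minutes=21), 4732, {"MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=local",
                                             "TargetUserName": "Administrators"}),
    Event(_T + timedelta(hours=2), 4728, {"MemberName": "CORP\\jdoe", "TargetUserName": "Domain Admins"}),
    Event(_T + timedelta(hours=3), 4688, {"SubjectUserName": "jdoe",
          "NewProcessName": "C:\\Windows\\System32\\setspn.exe", "CommandLine": "setspn -T corp -Q */*"}),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for when, kind, detail in run_sample():
        print(when.isoformat(), kind, detail)
```

The detector deliberately correlates 4720 with a later 4728/4732 for the same account, since a freshly created account landing in Administrators or Domain Admins within a day is the pattern the article describes, while an existing account being added is still reported at lower priority. In production the same logic would consume EVTX or forwarded JSON rather than hand-built objects, and the staging-directory check should be joined with the ClamAV and Snort content Cisco recommends rather than replace it.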
To detect and block activity from this group, Cisco recommends the ClamAV signature Win.Malware.Earthworm, as well as Snort rules 61883, 61884, 63727, 63728, and 300585. Because the group keeps adapting its tooling, these signatures should be treated as one layer of coverage rather than complete protection.
