An advanced China-linked threat actor, UAT-8837, has been targeting North American critical infrastructure by exploiting vulnerabilities, including a recent zero-day in Sitecore. Researchers link this activity to broader Chinese espionage efforts, with tools aimed at credential theft and network reconnaissance. #UAT-8837 #SitecoreCVE2025-53690
Key points
- UAT-8837 is a China-linked threat actor active since at least 2025, targeting critical infrastructure.
- The group exploits known vulnerabilities and zero-day flaws like CVE-2025-53690 in Sitecore products.
- Attackers use open-source and living-off-the-land tools such as Rubeus, Certipy, and Impacket.
- Post-exploitation activities include credential harvesting, network reconnaissance, and disabling security measures.
- Indicators of compromise include specific command executions, tool artifacts, and DLL exfiltration, all of which point to ongoing reconnaissance and data theft.
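As an added illustration of the detection side of the key points above (example code written for this page, not from the original summary or from the researchers' report): a small Python scan that parses constructed process-creation log lines and flags executions of the open-source tools the summary names, then summarises hits per host. The key=value log format, the host and user names, and the watchlist patterns are assumptions for this example; real telemetry such as Sysmon process-creation events would need its own parser and patterns tuned to the environment.

```python
"""Added example: flag executions of Rubeus, Certipy and Impacket tooling in
process-creation logs and summarise them per host.

Log lines below are constructed for this example. The key=value layout
(ts=, host=, user=, image=, cmdline=) is an assumed format, not a product schema.
"""
import re
from collections import defaultdict

# Watchlist keyed on the tools named in the summary. Patterns are applied to the
# lowercased image path plus command line. Assumed starting point: extend from
# what your own telemetry actually records (renamed binaries will not match).
WATCHLIST = {
    "rubeus": re.compile(r"\brubeus(\.exe)?\b"),
    "certipy": re.compile(r"\bcertipy(-ad)?(\.exe|\.py)?\b"),
    "impacket": re.compile(r"\bimpacket\b|\b(secretsdump|wmiexec|psexec|smbexec)\.py\b"),
}

# key=value pairs; values may be double-quoted and contain spaces or backslashes.
LINE_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in LINE_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify(event):
    """Return the sorted watchlist tool names matched by a parsed event."""
    haystack = f"{event.get('image', '')} {event.get('cmdline', '')}".lower()
    return sorted(name for name, pat in WATCHLIST.items() if pat.search(haystack))


def scan(lines):
    """Map host -> {tool: count} over every line that matches the watchlist."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        event = parse_line(line)
        for tool in classify(event):
            hits[event.get("host", "?")][tool] += 1
    return {host: dict(tools) for host, tools in hits.items()}


# Constructed sample events: three tool executions on two hosts plus two benign
# processes that must not trigger. Arguments are redacted placeholders.
SAMPLE_LOGS = [
    r'ts=2025-09-10T02:11:04Z host=web01 user=svc_sitecore image="C:\Windows\Temp\Rubeus.exe" cmdline="Rubeus.exe <args redacted>"',
    r'ts=2025-09-10T02:13:51Z host=web01 user=svc_sitecore image="C:\Python311\python.exe" cmdline="certipy <args redacted>"',
    r'ts=2025-09-10T02:20:17Z host=jump01 user=ops image="/usr/bin/python3" cmdline="python3 secretsdump.py <args redacted>"',
    r'ts=2025-09-10T02:21:00Z host=web01 user=devops image="C:\Program Files\Git\bin\git.exe" cmdline="git pull"',
    r'ts=2025-09-10T02:21:30Z host=dc01 user=SYSTEM image="C:\Windows\System32\svchost.exe" cmdline="svchost.exe -k netsvcs"',
]


if __name__ == "__main__":
    for host, tools in scan(SAMPLE_LOGS).items():
        print(host, tools)
```

A single matching event on a web server running a service account, as in the first two sample lines, is already worth an analyst's attention; the per-host grouping is there so that a cluster of different tools on one host stands out from isolated noise.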