Current Cyber Threats

UAT-8837 Targets Critical Infrastructure Sectors in North America

Summary:
Cisco Talos has identified a sophisticated China-nexus advanced persistent threat (APT) group, designated as UAT-8837, which has been actively targeting critical infrastructure sectors in North America since at least 2025.

The actor demonstrates a high level of technical proficiency, leveraging both n-day and zero-day vulnerabilities, most notably a ViewState deserialization flaw in Sitecore products (CVE-2025-53690), to gain initial access. Once inside a network, UAT-8837 focuses on deep reconnaissance and the establishment of persistent access. Their operations are characterized by a "hands-on-keyboard" approach, where they move beyond automated scripts to manually harvest sensitive credentials, Active Directory (AD) information, and security configurations using a wide array of open-source and custom tools.

The group’s toolkit is diverse and highly adaptable, specifically designed to bypass modern Endpoint Detection and Response (EDR) solutions. Key utilities include Earthworm for network tunneling, DWAgent for remote administration, and specialized Go-based tools like GoTokenTheft and GoExec for credential harvesting and remote execution. To evade detection, the actor frequently cycles through different versions of these tools and hides malicious binaries within common directories (e.g., C:\windows\public\music) using misleading file extensions like .ico. Furthermore, they actively manipulate system settings, such as disabling RDP RestrictedAdmin mode, to facilitate lateral movement and credential theft.

Security Officer Comments:
The primary impact of UAT-8837 lies in its ability to compromise the core identity and security architecture of an organization. By prioritizing the theft of Active Directory data and Kerberos tickets (via tools like SharpHound and Rubeus), the actor gains the capability to move laterally with administrative privileges, making containment extremely difficult.

Beyond immediate data theft, UAT-8837 presents a severe long-term strategic risk through its interest in proprietary software. The group has been observed exfiltrating DLL-based shared libraries related to victim products, suggesting an intent to conduct reverse engineering for future vulnerability discovery or to facilitate supply chain compromises. This indicates that the group’s objectives extend beyond simple espionage to potential disruptive actions or the preparation of "trojanized" updates.

Suggested Corrections:
Defenders should focus on monitoring for unauthorized use of administrative tools (Certipy, Impacket), unusual outbound tunneling traffic to known malicious IPs, and any unauthorized modifications to local or domain security policies.

Identity & Active Directory Hardening
  • Audit RDP Registry Keys: Monitor for the unauthorized modification of HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin. UAT-8837 specifically sets this to 0 to enable credential harvesting during RDP sessions. Use Group Policy (GPO) to enforce your desired state and alert on any drift.
  • Monitor AD Discovery Tools: Implement specific alerts for the execution of SharpHound, Certipy, dsquery, and dsget. These are often "noisy" and can be detected by monitoring for rapid, high-volume LDAP queries from unusual source hosts.
  • Kerberos Protection: Since the actor uses Rubeus, implement Tiered Administration to ensure Domain Admin credentials never touch high-risk servers or workstations. Enable "Account is sensitive and cannot be delegated" for high-value accounts.

Network & Perimeter Defense
  • Detect Tunneling & RATs: UAT-8837 relies heavily on Earthworm and DWAgent. Monitor for outbound traffic on non-standard ports (e.g., 8888, 11112) or common ports (443, 80) heading to unclassified or suspicious IP addresses. Look for long-duration, low-bandwidth connections that may indicate a persistent reverse tunnel.
  • Egress Filtering: Restrict servers to only communicate with known-good update services and APIs. Block all outbound traffic from web servers to the internet unless strictly necessary for business operations.

Endpoint Monitoring & File Integrity
  • Watch Staging Directories: The actor frequently uses C:\windows\public\music, C:\windows\temp\, and C:\Users\Public\Videos\ for staging. Set up File Integrity Monitoring (FIM) or EDR alerts for any executable content ([.]exe, [.]ps1, or [.]ico files that are actually binaries) appearing in these paths.
  • Rename-Based Evasion: Create detection rules for "masquerading" binaries, specifically files with an .ico extension that exhibit PE (Portable Executable) headers or attempt to execute via cmd[.]exe.
  • PowerShell & Command Auditing: Enable PowerShell Script Block Logging (Event ID 4104) to catch the execution of Invoke-WMIExec.ps1 or other obfuscated scripts used when their primary toolset is blocked by antivirus.

Strategic Asset Protection
  • DLL/Binary Protection: Because the actor exfiltrates DLLs for potential "trojanization," implement strict Application Control (such as AppLocker or Windows Defender Application Control) to ensure only signed, authorized binaries can execute in your environment.
  • Credential Guard: Enable Windows Defender Credential Guard to protect LSASS and prevent tools like GoTokenTheft from extracting plaintext passwords or NTLM hashes from memory.
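
The following PowerShell script is an added example, not code from the Talos report or this advisory, that checks two of the host-level indicators above on a Windows host: the DisableRestrictedAdmin registry value and PE files carrying non-executable extensions (such as .ico) in the named staging directories. It assumes it runs with local administrator rights; the set of extensions inspected and the output format are my own choices.

```powershell
# Added example (not from the Talos report): host audit for two UAT-8837 indicators.
# Assumes local administrator rights on the audited host.
$RegPath     = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$StagingDirs = @('C:\windows\public\music', 'C:\windows\temp', 'C:\Users\Public\Videos')
# Non-executable extensions to inspect for a PE header (assumed list; extend as needed).
$SuspectExts = @('.ico', '.txt', '.log', '.jpg', '.png', '.dat')

function Test-RestrictedAdminDrift {
    # The advisory reports the actor setting this value to 0; report the current value
    # and flag that state. Compare against your own GPO baseline for the desired value.
    $item  = Get-ItemProperty -Path $RegPath -Name 'DisableRestrictedAdmin' -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { '<absent>' } else { $item.DisableRestrictedAdmin }
    [pscustomobject]@{ Check = 'DisableRestrictedAdmin'; Value = $value; Flagged = ($value -eq 0) }
}

function Test-PeHeader {
    param([string]$Path)
    # Every PE image starts with the two-byte DOS signature 'MZ' (0x4D 0x5A).
    try {
        $fs  = [System.IO.File]::OpenRead($Path)
        $buf = New-Object byte[] 2
        $n   = $fs.Read($buf, 0, 2)
        $fs.Close()
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } catch { return $false }
}

function Find-MasqueradingBinaries {
    # Walk each staging directory and return files whose extension says "data"
    # but whose content begins with a PE header.
    foreach ($dir in $StagingDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $SuspectExts -contains $_.Extension.ToLower() } |
            Where-Object { Test-PeHeader $_.FullName } |
            ForEach-Object {
                [pscustomobject]@{ Path = $_.FullName; Size = $_.Length; Modified = $_.LastWriteTime }
            }
    }
}

Test-RestrictedAdminDrift | Format-Table -AutoSize
$hits = @(Find-MasqueradingBinaries)
if ($hits.Count -gt 0) {
    Write-Warning "PE files with non-executable extensions found in staging directories:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No masquerading binaries found in staging directories."
}
```

Schedule the script through your EDR or a scheduled task and forward any flagged result to the SIEM alongside the Event ID 4104 logs mentioned above.
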
Link(s):
https://blog.talosintelligence.com/uat-8837/