UAT-8837 Targets Critical Infrastructure Sectors in North America (CVE-2025-53690)
Key Takeaways:
- UAT-8837 is a China-nexus threat actor targeting high-value critical infrastructure for long-term espionage.
- The group leverages a critical zero-day, CVE-2025-53690, to bypass security in SiteCore products.
- Operations feature “Living-off-the-Land” (LOTL) techniques and open-source tools to evade detection.
- Aggressive Active Directory (AD) reconnaissance is used to map lateral movement paths and harvest credentials.
Analysis of recent intrusion data indicates that a threat actor designated as UAT-8837 is actively targeting critical infrastructure sectors in North America. This actor is assessed with medium confidence to be a China-nexus advanced persistent threat (APT) group, based on observed overlaps in tactics, techniques, and procedures (TTPs) with established Chinese state-sponsored entities. The primary objective of UAT-8837 appears to be obtaining initial access to high-value targets, likely for long-term espionage or pre-positioning. Recent operations involving this actor have leveraged CVE-2025-53690, a critical ViewState Deserialization zero-day vulnerability in SiteCore products, to facilitate initial entry into protected environments.
UAT-8837 Targets Critical Infrastructure Sectors in North America
Since at least 2025, the operational focus of UAT-8837 has remained consistently on North American critical infrastructure. While targeting patterns occasionally appear sporadic, the group’s methodology reveals a systematic approach to identifying and exploiting vulnerabilities in edge-facing servers. The deployment of a zero-day exploit, specifically CVE-2025-53690, suggests that the group possesses the resources to acquire or develop sophisticated exploit code. Beyond zero-day capabilities, UAT-8837 also utilizes n-day vulnerabilities and compromised credentials to maintain a presence within victim networks.
Once access is established, the actor demonstrates a preference for open-source and living-off-the-land (LOTL) tools. This strategy serves a dual purpose: it complicates attribution and reduces the likelihood of detection by basic security measures. The group’s post-compromise activity is characterized by intensive reconnaissance of Active Directory (AD) environments and the harvesting of sensitive security configurations. This data is critical for lateral movement and the establishment of persistent access channels.
Post-compromise actions
After successful exploitation of CVE-2025-53690 or the use of valid credentials, UAT-8837 initiates a standardized reconnaissance phase. This phase is designed to assess the compromised host’s role, the privileges of the current user, and the network connectivity available for egress.
Initial commands observed during these intrusions include:
- ping google[.]com (connectivity check)
- tasklist /svc (process and service enumeration)
- netstat -aon -p TCP (network connection mapping)
- whoami and quser (user identity and session identification)
- hostname (machine identification)
- net user (local user enumeration)
A notable tactical maneuver by UAT-8837 involves modifying the Windows Registry to facilitate lateral movement via Remote Desktop Protocol (RDP). The actor disables RestrictedAdmin mode to ensure they can obtain and use credentials for remoting into other devices within the network. The command used is:
REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
Staging of tools and exfiltrated data typically occurs in common directories where user activity might blend in, such as:
- C:\Users\<user>\Desktop\
- C:\windows\temp\
- C:\windows\public\music
UAT-8837 tool usage
UAT-8837 exhibits high adaptability in its tool selection. When primary tools are identified and quarantined by endpoint detection systems, the operator quickly cycles through different variants or alternative utilities. This “trial-and-error” approach to bypassing security controls suggests a hands-on-keyboard presence during the intrusion. Organizations utilizing a cyber threat intelligence platform can better track these tool variations to improve detection rates.
GoTokenTheft
The actor deploys GoTokenTheft, a utility written in GoLang, to extract access tokens from system memory. This tool is often staged at C:\Users\<user>\Desktop\go.exe. By stealing these tokens, UAT-8837 can execute commands with elevated privileges, often masquerading as legitimate administrative processes.
Earthworm
Earthworm is a network tunneling tool used extensively by Chinese-speaking threat actors. UAT-8837 uses Earthworm to create reverse tunnels, exposing internal endpoints to attacker-controlled infrastructure. These tunnels give the actor a persistent channel for interactive access or data exfiltration, allowing continuous interaction with the internal network.
DWAgent
DWAgent is a legitimate remote administration tool that UAT-8837 repurposes for malicious use. By installing the DWAgent runtime, the actor gains a stable, web-based interface for managing the compromised machine. The installer is typically run from temporary directories:
C:\Users\<user>\AppData\Local\Temp\dwagent20250909101732\runtime\dwagent.exe -S -m installer
SharpHound
To map the internal network and identify high-value targets, UAT-8837 utilizes SharpHound. This tool is the ingestor for BloodHound, which analyzes Active Directory relationships to identify attack paths.
GoExec
In instances where other execution tools are restricted, UAT-8837 has deployed GoExec. This GoLang-based tool allows for remote command execution on other endpoints within the victim’s network using WMI or DCOM:
goe.ico wmi proc 10[.]xx[.]xx[.]xx -u <user> --nt-hash <hash> -e cmd.exe -a /C hostname -o 1.txt
Hands-on-keyboard activity
The manual nature of UAT-8837 intrusions is evidenced by the specific commands used to extract sensitive system information. The actor frequently searches for passwords stored in configuration files and exports local security policies.
The command findstr /S /l cpassword [\\]\policies\*.xml is used to search for “cpassword” strings in Group Policy Preference files. Additionally, the actor uses secedit to export the system’s security configuration:
secedit /export /cfg C:\windows\temp\pol.txt
In some instances, UAT-8837 has exfiltrated DLL-based shared libraries related to the victim's proprietary products. This activity raises a supply-chain risk, as these libraries could be analyzed for further vulnerabilities or trojanized.
Active Directory reconnaissance
For deeper AD analysis, UAT-8837 utilizes native Windows tools like dsquery and dsget. These commands allow the operator to filter for specific properties, such as email addresses and SAM account IDs:
- dsquery.exe user -name <name>
- dsget user -samid -display -email -upn
- dsquery * DC=prod,DC=<domain>,DC=com -filter (objectClass=user) -attr * -limit 0
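Detection logic for the command lines described in the post-compromise, hands-on-keyboard and Active Directory reconnaissance sections, as an added example that is not code from the original report: it runs single-command rules plus a windowed recon-burst correlation over constructed process-creation events. The sample hosts, users, timestamps and event format are assumptions; the burst check generalizes the listed discovery commands into a sequence detection rather than matching one command at a time.

```python
import json
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style), not real
# telemetry: hosts, users and timestamps are made up, the command lines follow the report.
SAMPLE_EVENTS = r"""
{"host":"WEB01","user":"IIS APPPOOL\\Sitecore","ts":1000,"cmd":"ping google.com"}
{"host":"WEB01","user":"IIS APPPOOL\\Sitecore","ts":1010,"cmd":"tasklist /svc"}
{"host":"WEB01","user":"IIS APPPOOL\\Sitecore","ts":1020,"cmd":"netstat -aon -p TCP"}
{"host":"WEB01","user":"IIS APPPOOL\\Sitecore","ts":1030,"cmd":"whoami"}
{"host":"WEB01","user":"IIS APPPOOL\\Sitecore","ts":1040,"cmd":"net user"}
{"host":"WEB01","user":"CORP\\svc_web","ts":2000,"cmd":"REG ADD HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f"}
{"host":"WEB01","user":"CORP\\svc_web","ts":2100,"cmd":"secedit /export /cfg C:\\windows\\temp\\pol.txt"}
{"host":"DC01","user":"CORP\\jdoe","ts":3000,"cmd":"dsquery * DC=prod,DC=example,DC=com -filter (objectClass=user) -attr * -limit 0"}
{"host":"WS07","user":"CORP\\helpdesk","ts":4000,"cmd":"whoami"}
"""

# Single-command signatures taken from the hands-on-keyboard activity described above.
RULES = [
    ("disable_restricted_admin", r"\breg\s+add\b.*\\lsa\b.*disablerestrictedadmin"),
    ("gpp_cpassword_search", r"\bfindstr\b.*\bcpassword\b"),
    ("secedit_policy_export", r"\bsecedit\s+/export\b"),
    ("ad_full_user_dump", r"\bdsquery\b.*-attr\s+\*.*-limit\s+0\b"),
    ("goexec_wmi_pth", r"\bwmi\s+proc\b.*--nt-hash"),
]
# Discovery commands from the initial reconnaissance phase: one alone is noise, several
# distinct ones from the same host and user inside a short window is the actor's pattern.
DISCOVERY = ("hostname", "net user", "netstat", "ping", "quser", "tasklist", "whoami")

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def match_rules(cmd):
    return [name for name, rx in RULES if re.search(rx, cmd, re.IGNORECASE)]

def detect(events, window=120, min_distinct=4):
    alerts, recent = [], defaultdict(list)  # recent: (host, user) -> [(ts, discovery cmd)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name in match_rules(ev["cmd"]):
            alerts.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"], "rule": name})
        disc = next((d for d in DISCOVERY if ev["cmd"].lower().startswith(d)), None)
        if disc is None:
            continue
        key = (ev["host"], ev["user"])
        recent[key] = [x for x in recent[key] if ev["ts"] - x[0] <= window] + [(ev["ts"], disc)]
        if len({c for _, c in recent[key]}) >= min_distinct:
            alerts.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"], "rule": "recon_burst"})
            recent[key] = []  # one alert per burst
    return alerts
```

Running detect(parse_events(SAMPLE_EVENTS)) yields one recon_burst alert for the IIS application pool identity on WEB01 followed by the three single-command hits; the lone whoami on WS07 stays below the burst threshold.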
Indicators of compromise (IOCs)
Monitoring for the following indicators can assist in breach detection related to UAT-8837 activity.
File Hashes (SHA256):
- GoTokenTheft: 1b3856e5d8c6a4cec1c09a68e0f87a5319c1bd4c8726586fd3ea1b3434e22dfa
- Earthworm: 451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd
- SharpHound: 5090f311b37309767fb41fa9839d2770ab382326f38bab8c976b83ec727e6796
- GoExec: 887817fbaf137955897d62302c5d6a46d6b36cb34775e4693e30e32609fb6744
Network Indicators (IP Addresses):
- 74[.]176[.]166[.]174
- 20[.]200[.]129[.]75
- 172[.]188[.]162[.]183
- 103[.]235[.]46[.]102
Practical Takeaways for Organizations
Defending against a sophisticated actor like UAT-8837 requires a multi-layered security strategy that addresses both technical vulnerabilities and administrative procedures.
- Prioritize Patching: Immediately address CVE-2025-53690 in all SiteCore environments.
- Audit Active Directory Activity: Monitor for unusual dsquery and setspn activity, and identify and remediate AD CS misconfigurations.
- Implement Real-time Intelligence: Incorporate real-time ransomware intelligence to stay informed of shifting TTPs.
- External Exposure Monitoring: Utilize a dark web monitoring service and telegram threat monitoring.
- Brand Protection: Set up brand leak alerting to detect if sensitive internal data has been leaked to underground forum intelligence channels.
PurpleOps Expertise in Combatting Advanced Threats
PurpleOps provides the comprehensive security services required to defend against state-sponsored actors like UAT-8837. Our approach combines proactive defense with advanced monitoring.
- Red Team Operations: We simulate the TTPs of actors like UAT-8837 to identify weaknesses before they are exploited. Learn more at PurpleOps Red Team Operations.
- Supply Chain Security: Our team helps organizations secure internal development processes. Details are available at PurpleOps Supply Chain Information Security.
- Managed Detection and Response: We provide continuous monitoring to detect subtle “hands-on-keyboard” activity. Explore our services at PurpleOps Solutions.
Contact PurpleOps for Advanced Threat Defense: PurpleOps Platform
Frequently Asked Questions
What is the primary target of UAT-8837?
UAT-8837 primarily targets critical infrastructure sectors within North America, focusing on edge-facing servers for initial access.
How does UAT-8837 exploit SiteCore products?
The group leverages CVE-2025-53690, a critical zero-day ViewState Deserialization vulnerability, to gain initial entry into protected environments.
What tools does this actor use for lateral movement?
UAT-8837 uses a combination of open-source and native tools, including Earthworm for tunneling, GoExec for remote execution, and SharpHound for Active Directory mapping.
How can I detect UAT-8837 in my network?
Look for specific IOCs such as registry modifications to DisableRestrictedAdmin, unauthorized use of DWAgent, and specific PowerShell scripts like Invoke-WMIExec.ps1 in temporary directories.