China-Linked APT Exploits Sitecore Zero-Day in Attacks on American Critical Infrastructure
Briefly

"Cisco Talos, which is tracking the activity under the name UAT-8837, assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region. The cybersecurity company noted that the threat actor is "primarily tasked with obtaining initial access to high-value organizations," based on the tactics, techniques, and procedures (TTPs) and post-compromise activity observed."
""After obtaining initial access - either by successful exploitation of vulnerable servers or by using compromised credentials - UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their victims," it added. UAT-8837 is said to have most recently exploited a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS score: 9.0) to obtain initial access,"
"Once the adversary obtains a foothold in target networks, it conducts preliminary reconnaissance, followed by disabling RestrictedAdmin for Remote Desktop Protocol (RDP), a security feature that ensures credentials and other user resources aren't exposed to compromised remote hosts. UAT-8837 is also said to open "cmd.exe" to conduct hands-on keyboard activity on the infected host and download several artifacts to enable post-exploitation."
Cisco Talos tracks the activity as UAT-8837 and assesses it as a China-nexus APT with medium confidence based on tactical overlaps with other regional campaigns. The actor has targeted critical infrastructure sectors in North America since at least last year and focuses on obtaining initial access to high-value organizations. Initial access methods include exploitation of vulnerable servers and use of compromised credentials, with recent exploitation of a Sitecore zero-day (CVE-2025-53690, CVSS 9.0). After establishing a foothold, the actor performs reconnaissance, disables RestrictedAdmin for RDP, executes cmd.exe for hands-on activity, and deploys open-source tools and artifacts to harvest credentials, security configurations, and Active Directory information to create multiple access channels.
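The RestrictedAdmin change described above is something a defender can watch for directly. The following is an added example, not tooling from Talos or The Hacker News: it scans constructed Sysmon-style "registry value set" event lines (a hypothetical key="value" format) for writes to the Windows registry value that controls Restricted Admin mode for RDP (HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin, not named on the page) and flags any writer that is not on a hypothetical allow-list, whichever direction the value is flipped.

```python
"""Flag registry writes to the RestrictedAdmin RDP setting in constructed
Sysmon-style event lines (hypothetical format; not Talos/THN tooling)."""
import re

# Windows keeps the Restricted Admin mode switch under the LSA key, value name
# DisableRestrictedAdmin. A change outside a known policy rollout is worth a
# ticket regardless of whether the value is set to 0 or 1.
RESTRICTED_ADMIN_VALUE = r"\control\lsa\disablerestrictedadmin"

# Hypothetical allow-list of processes expected to write LSA policy
# (e.g. Group Policy refresh); every other writer is flagged.
EXPECTED_WRITERS = {r"c:\windows\system32\gpupdate.exe"}

LINE_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Turn one 'k="v" k="v"' event line into a dict (constructed format)."""
    return dict(LINE_RE.findall(line))

def is_restricted_admin_tamper(event):
    """True for a Sysmon EventID 13 (registry value set) whose target is the
    DisableRestrictedAdmin value and whose writing process is not allow-listed."""
    if event.get("EventID") != "13":
        return False
    if not event.get("TargetObject", "").lower().endswith(RESTRICTED_ADMIN_VALUE):
        return False
    return event.get("Image", "").lower() not in EXPECTED_WRITERS

def find_tamper_events(lines):
    """Return (host, writing image, new value) for every flagged event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_restricted_admin_tamper(ev):
            hits.append((ev.get("Computer"), ev.get("Image"), ev.get("Details")))
    return hits

# Constructed sample events: a benign policy write, a write from reg.exe spawned
# by an interactive cmd.exe session, and an unrelated LSA value change.
SAMPLE_LOG = [
    'EventID="13" Computer="srv01" Image="C:\\Windows\\System32\\gpupdate.exe" '
    'TargetObject="HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin" Details="DWORD (0x00000000)"',
    'EventID="13" Computer="srv01" Image="C:\\Windows\\System32\\reg.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'TargetObject="HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin" Details="DWORD (0x00000001)"',
    'EventID="13" Computer="srv02" Image="C:\\Windows\\System32\\reg.exe" '
    'TargetObject="HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel" Details="DWORD (0x00000005)"',
]

if __name__ == "__main__":
    for hit in find_tamper_events(SAMPLE_LOG):
        print("ALERT RestrictedAdmin setting changed:", hit)
```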
Read at The Hacker News