A China-linked cyber espionage group has been observed exploiting a previously unknown vulnerability in Sitecore software to infiltrate critical infrastructure organizations across North America, according to new findings from Cisco Talos.
The activity, tracked as UAT-8837, has been underway since at least 2025 and is believed to be connected to broader China-nexus cyber operations. Cisco Talos assessed the attribution with medium confidence, citing overlaps in tactics and operational patterns with other known Chinese threat campaigns.
Focus on Initial Access to High-Value Targets
Researchers say UAT-8837 appears primarily focused on gaining initial access to strategically important organizations. The group has been observed exploiting exposed servers and leveraging stolen credentials to establish entry points into victim environments.
Once inside a network, the attackers rely heavily on widely available open-source tools to collect sensitive data. This includes credentials, security configurations, and detailed information about Windows domains and Active Directory environments. These efforts are designed to create multiple paths for persistent access and long-term control.
Exploitation of Sitecore Zero-Day
In its most recent activity, UAT-8837 exploited a critical Sitecore vulnerability tracked as CVE-2025-53690, which carries a CVSS score of 9.0. The flaw was used to gain initial access to targeted systems before patches were applied.
The intrusion activity showed notable similarities to a separate campaign disclosed by Google-owned Mandiant in September 2025, including shared tooling, infrastructure, and post-exploitation behavior. While it remains unclear whether both campaigns are operated by the same group, the overlap suggests that UAT-8837 may have access to advanced or zero-day exploits.
Sitecore released security updates for the vulnerability in September 2025, and organizations that applied the patches are no longer exposed to this specific issue.
Post-Compromise Activity and Tooling
After establishing a foothold, the attackers conducted internal reconnaissance and deliberately weakened security controls. One notable action involved disabling RestrictedAdmin mode for Remote Desktop Protocol (RDP), increasing the risk of credential exposure during remote access sessions.
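The report does not say how UAT-8837 turned RestrictedAdmin mode off, but on Windows the documented switch is the DisableRestrictedAdmin DWORD under HKLM\System\CurrentControlSet\Control\Lsa (0 enables the mode; 1 or a missing value disables it), so a defender can watch for that value being set non-zero or deleted. The following detection logic is an added example written for this article, not code from Cisco Talos or from the report; it runs over constructed Sysmon-style registry records (Event ID 13 for value set, Event ID 12 for value delete) that are invented here to illustrate the check and are not telemetry from the campaign.

```python
import re
from dataclasses import dataclass

# Registry value that controls RDP Restricted Admin mode (documented by Microsoft):
# 0 = Restricted Admin mode enabled; 1 or value absent = disabled.
LSA_KEY = r"HKLM\System\CurrentControlSet\Control\Lsa"
VALUE_NAME = "DisableRestrictedAdmin"
TARGET = LSA_KEY + "\\" + VALUE_NAME

# Constructed Sysmon-style records (invented for this example, not real telemetry).
# Event 13 = registry value set; Event 12 = registry key/value create or delete.
SAMPLE_EVENTS = [
    # Benign: an admin explicitly enables the mode (value 0)
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": "CORP\\it-admin",
     "TargetObject": TARGET, "Details": "DWORD (0x00000000)"},
    # Suspicious: value set to 1 from reg.exe, which disables the mode
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": "CORP\\jdoe",
     "TargetObject": TARGET, "Details": "DWORD (0x00000001)"},
    # Suspicious: value deleted, which also reverts the mode to disabled
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "CORP\\jdoe", "TargetObject": TARGET},
    # Unrelated LSA change that must not fire this rule
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": "CORP\\it-admin",
     "TargetObject": LSA_KEY + r"\LmCompatibilityLevel", "Details": "DWORD (0x00000005)"},
]


@dataclass
class Finding:
    user: str
    image: str
    reason: str


# Sysmon renders DWORD values in Details as e.g. "DWORD (0x00000001)"
_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def _is_target(event):
    return event.get("TargetObject", "").lower() == TARGET.lower()


def weakens_restricted_admin(event):
    """Return a reason string if this event disables Restricted Admin mode, else None."""
    if not _is_target(event):
        return None
    eid = event.get("EventID")
    if eid == 12 and event.get("EventType") == "DeleteValue":
        return "DisableRestrictedAdmin deleted (mode reverts to disabled)"
    if eid == 13:
        m = _DWORD.search(event.get("Details", ""))
        if m and int(m.group(1), 16) != 0:
            return f"DisableRestrictedAdmin set to {int(m.group(1), 16)} (mode disabled)"
    return None


def scan(events):
    """Collect one Finding per event that weakens Restricted Admin mode."""
    findings = []
    for e in events:
        reason = weakens_restricted_admin(e)
        if reason:
            findings.append(Finding(e.get("User", "?"), e.get("Image", "?"), reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {f.user} via {f.image}: {f.reason}")
```

Keyed on the exact value path, the rule ignores the unrelated LSA change and flags both the set-to-1 and the delete, which is the case an alert on "value set" alone would miss. Pair the alert with a periodic read of the same value on RDP jump hosts so that a change made while logging was unavailable is still caught, and keep in mind that Restricted Admin mode is itself a trade-off (it keeps credentials off the remote host but permits RDP logon without the plaintext password), so the desired state should be an explicit baseline rather than whatever the value happens to be.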
The group also engaged in hands-on keyboard activity using command-line tools and deployed a range of post-exploitation utilities, including:
- GoTokenTheft for stealing authentication tokens
- EarthWorm to establish reverse tunnels via SOCKS proxies
- DWAgent for persistent remote access and Active Directory reconnaissance
- SharpHound to map Active Directory relationships
- Impacket to execute commands with elevated privileges
- GoExec for lateral movement across networked systems
- Rubeus to abuse Kerberos authentication mechanisms
- Certipy for Active Directory certificate services exploitation
Cisco Talos researchers noted that the attackers executed numerous commands aimed at harvesting sensitive credentials and internal data.
In at least one case, UAT-8837 exfiltrated dynamic link libraries (DLLs) associated with the victim’s proprietary products. This behavior raises concerns about potential supply chain attacks, future trojanization, or reverse engineering to uncover additional vulnerabilities.
Broader Context of Chinese Cyber Activity
The disclosure follows another recent Talos report linking a separate China-aligned group, UAT-7290, to espionage operations in South Asia and Southeastern Europe using malware families such as RushDrop, DriveSwitch, and SilentRaid.
Growing concerns over Chinese cyber operations targeting critical infrastructure have prompted coordinated warnings from Western governments. Earlier this week, cybersecurity and intelligence agencies from Australia, Germany, the Netherlands, New Zealand, the United Kingdom, and the United States issued joint guidance addressing threats to operational technology (OT) environments.
The advisory emphasizes reducing exposure, standardizing network connectivity, using secure communication protocols, hardening OT boundaries, continuously monitoring access, and retiring obsolete systems that increase attack risk.
Security officials warned that exposed OT environments are being actively targeted not only by state-sponsored actors, but also by hacktivists and opportunistic attackers exploiting weak or outdated defenses.