Targets critical infrastructure sectors in North America
Essential information
- Published
- 16/01/2026 13:31
- Modified
- 16/01/2026 13:43
- Tags
- 2026-01-16, CVE-2025-53690, active directory, apt, certipy, china-nexus, credential harvesting, critical-infrastructure, dwagent, earthworm, goexec, gotokentheft, impacket, lateral movement, rubeus, sharphound, zero-day
- Related entities
- 1 vulnerability (cve), 29 observables, 1 intrusion set (apt), 12 techniques (mitre), 8 malware, 4 others
Description
UAT-8837, assessed as a China-nexus advanced persistent threat actor, has been targeting critical infrastructure sectors in North America since 2025. The group exploits vulnerabilities, including zero-days, to gain initial access and deploys open-source tools for reconnaissance, credential harvesting, and lateral movement. Its toolkit includes GoTokenTheft, Earthworm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy. UAT-8837 conducts extensive domain and Active Directory reconnaissance, creates backdoor accounts, and exfiltrates sensitive data. The actor's focus on obtaining initial access to high-value organizations, together with its use of sophisticated tools and techniques, indicates a significant threat to critical infrastructure sectors.