North Korea-Linked APT Exploits Sitecore Zero-Day in Attacks on Asian Critical Infrastructure

  • Jan 16

Key Findings


  • A China-linked APT group, tracked as UAT-8837, has been targeting critical infrastructure sectors in North America since at least 2025.

  • The threat actor has recently exploited a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS 9.0) to gain initial access to target networks.

  • After obtaining a foothold, UAT-8837 deploys a range of open-source tools to harvest sensitive information, including credentials, security configurations, and Active Directory data.

  • The group's activities share TTP, tooling, and infrastructure similarities with a previous campaign detailed by Mandiant, suggesting potential access to zero-day exploits.

  • UAT-8837 is primarily focused on obtaining initial access to high-value organizations, with post-compromise activity aimed at creating multiple channels of access.


Background


Cisco Talos is tracking the activities of UAT-8837, an advanced persistent threat (APT) actor that is likely aligned with China. Talos assesses this alignment with "medium confidence", based on overlaps in tactics, techniques, and procedures (TTPs) with other campaigns mounted by threat actors from the region.


Exploitation of Sitecore Zero-Day


UAT-8837 has most recently exploited a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS 9.0) to obtain initial access to target networks. This intrusion shares similarities with a campaign detailed by Mandiant in September 2025, suggesting that UAT-8837 may have access to zero-day exploits to conduct cyber attacks.


Post-Compromise Activities


After gaining a foothold in target networks, UAT-8837 conducts preliminary reconnaissance and disables the RestrictedAdmin feature for Remote Desktop Protocol (RDP), so that credentials and other user resources used in RDP logons are exposed to the compromised remote hosts. The group then downloads a suite of open-source tools to enable further post-exploitation activities, including:


  • GoTokenTheft: to steal access tokens

  • EarthWorm: to create a reverse tunnel to attacker-controlled servers using SOCKS

  • DWAgent: to enable persistent remote access and Active Directory reconnaissance

  • SharpHound: to collect Active Directory information

  • Impacket: to run commands with elevated privileges

  • GoExec: a Golang-based tool to execute commands on other connected remote endpoints within the victim's network

  • Rubeus: a C# based toolset for Kerberos interaction and abuse

  • Certipy: a tool for Active Directory discovery and abuse
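As an added example (not code from the page, from Talos, or from the actor), a detection check for the RestrictedAdmin tampering described above. It scans constructed log lines laid out like Sysmon registry events (Event ID 12/13) for writes to the `DisableRestrictedAdmin` value and flags the ones that turn the mode off; the field names and sample images are assumptions for the sample data.

```python
"""Flag registry writes that turn off RDP Restricted Admin mode.

Restricted Admin mode is controlled by the REG_DWORD value
HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin:
an explicit 0 enables the mode, while 1 or an absent value leaves it off.
"""
import re

LSA_VALUE = r"\Control\Lsa\DisableRestrictedAdmin"  # tail of the TargetObject path

# Constructed sample events in a Sysmon-like key=value layout, one per line.
# Not taken from the incident described on the page.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe EventType=SetValue "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin "
    "Details=DWORD (0x00000001)",
    "EventID=13 Image=C:\\Windows\\System32\\svchost.exe EventType=SetValue "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin "
    "Details=DWORD (0x00000000)",
    "EventID=12 Image=C:\\Windows\\regedit.exe EventType=DeleteValue "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin",
    # Different value name under the same key: must not match this rule.
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe EventType=SetValue "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdminOutboundCreds "
    "Details=DWORD (0x00000001)",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # values may contain spaces


def parse_event(line):
    """Split one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def dword_value(details):
    """Extract the integer from a Sysmon-style 'DWORD (0x........)' field."""
    m = re.match(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


def restricted_admin_enabled(value):
    """Only an explicit 0 enables Restricted Admin mode; 1 or None leaves it off."""
    return value == 0


def flag_restricted_admin_disabled(lines):
    """Return (image, reason) for each event that leaves Restricted Admin mode off."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get("TargetObject", "").lower().endswith(LSA_VALUE.lower()):
            continue
        if ev.get("EventType") == "DeleteValue":
            hits.append((ev.get("Image"), "value deleted (mode falls back to disabled)"))
        elif ev.get("EventType") == "SetValue":
            val = dword_value(ev.get("Details", ""))
            if not restricted_admin_enabled(val):
                hits.append((ev.get("Image"), f"DisableRestrictedAdmin set to {val}"))
    return hits
```

On a real host the same value can be audited with Security Event 4657 or Sysmon Event 13 once registry auditing covers the Lsa key.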


Data Exfiltration and Supply Chain Concerns


In at least one victim organization, UAT-8837 was able to exfiltrate DLL-based shared libraries related to the victim's products, raising the possibility that these libraries may be trojanized in the future. This creates opportunities for supply chain compromises and reverse engineering to find vulnerabilities in those products.


Sources


  • https://thehackernews.com/2026/01/china-linked-apt-exploits-sitecore-zero.html

  • https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html

  • https://securityonline.info/zero-day-threat-uat-8837-targets-north-american-infrastructure/

© 2025 by Explain IT Again.