Targets critical infrastructure sectors in North America

Jan. 16, 2026, 1:43 p.m.

Description

UAT-8837, assessed as a China-nexus advanced persistent threat actor, has been targeting critical infrastructure sectors in North America since 2025. The group exploits vulnerabilities, including zero-days, to gain initial access and deploys open-source tools for reconnaissance, credential harvesting, and lateral movement. Their toolkit includes GoTokenTheft, Earthworm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy. UAT-8837 conducts extensive domain and Active Directory reconnaissance, creates backdoor accounts, and exfiltrates sensitive data. The actor's focus on obtaining initial access to high-value organizations and their use of sophisticated tools and techniques indicate a significant threat to critical infrastructure sectors.

External References

https://otx.alienvault.com/pulse/696a3dc15e8d8c495dbd889b
https://blog.talosintelligence.com/uat-8837/
Tags
apt
zero-day
credential harvesting
lateral movement
earthworm
impacket
sharphound
rubeus
critical infrastructure
china-nexus
active directory
CVE-2025-53690
dwagent
2026-01-16
certipy
goexec
gotokentheft

Date

  • Created: Jan. 16, 2026, 1:31 p.m.
  • Published: Jan. 16, 2026, 1:31 p.m.
  • Modified: Jan. 16, 2026, 1:43 p.m.

Indicators

  • 891246a7f6f7ba345f419404894323045e5725a2252c000d45603d6ddf697795
  • b3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b
  • 42e3ad56799fbc8223fb8400f07313559299496bb80582a6cbae29cb376d96c3
  • 4af156b3285b49485ef445393c26ca1bb5bfe7cdc59962c5c5725e3f3c574f7c
  • b7ecd4ff75c0e3ed196e1f53d92274b1e94f17fa6c39616ce0435503906e66fb
  • 74e68b4e07d72c9b8e0bc8cbfd57f980b4a2cd9d27c37bb097ca4fb2108706e3
  • 6e8af5c507b605a16373e8453782bfd8a3ec3bd76f891e71a159d8c2ff2a5bb0
  • 5391f69425217fa8394ebac0d952c5a3d1f0f5ac4f20587978cd894fdb6199cd
  • 451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd
  • 6d20371b88891a1db842d23085a0253e36cf3bf0691aee2ae15a66fc79f3803d
  • 1b3856e5d8c6a4cec1c09a68e0f87a5319c1bd4c8726586fd3ea1b3434e22dfa
  • de9c13b1abeab11626a8edc1385df358d549a65e8cc7a69baca84cd825acc8e7
  • 1c5174672bf2ccedb6a426336ca79fd326e61cd26dd9ae684b8ffd0b5a70c700
  • 194ca1b09902ceaaa8a7e66234be9dc8a12572832836361f49f1074eae861794
  • 51d6448e886521aaaaf929a50763156ceb99ede587c65de971700a5583d6a487
  • e27e6e8e97421593f1e8d66f280e894525e22b373248709beaf81dc6107fb88d
  • 4f7518b2ee11162703245af6be38f5db50f92e65c303845ef13b12c0f1fc2883
  • 1de72bb4f116e969faff90c1e915e70620b900e3117788119cffc644956a9183
  • 4d47445328bfd4db12227af9b57daab4228244d1325cba572588de237f7b2e98
  • 8bf233f608ea508cd6bf51fb23053d97aa970b8d11269d60ce5c6e113e8e787a
  • 887817fbaf137955897d62302c5d6a46d6b36cb34775e4693e30e32609fb6744
  • ced14e8beb20a345a0d6f90041d8517c04dbc113feff3bc6e933968d6b846e31
  • 5090f311b37309767fb41fa9839d2770ab382326f38bab8c976b83ec727e6796
  • fab292c72ad41bae2f02ae5700c5a88b40a77f0a3d9cbdf639f52bc4f92bb0a6
  • 4e8304040055d3bffcb3551873da45f66577723d1a975416a49afa5aec4eb295
  • d0beb6184ea4402c39e257d5912c7ace3607e908e76127014e3ec02866b6d70c
  • bdf7b28df19b6b634c05882d9f1db73f63252f855120ed3e4da4e26f2c6190e8
  • 2f295f0cedc37b0e1ea22de9d8cb461fa6f84ab0673fde995fd0468a485ddb59
  • 8bc008a621c5e3068129916770d24ee1d7d48079ee42797f86d3530ca90e305c
Download all indicators here!

Attack Patterns

  • Earthworm
  • Impacket
  • GoTokenTheft
  • GoExec
  • Rubeus
  • DWAgent
  • SharpHound
  • Certipy
  • UAT-8837

Additional Informations

  • Energy
  • Manufacturing
  • Defense
  • Government

Linked vulnerabilities

CVE-2025-53690

None
Published: