China-linked hackers exploited Sitecore zero-day for initial access

January 16, 2026, 12:10 PM

An advanced threat actor tracked as UAT-8837 and believed to be linked to China has been focusing on critical infrastructure systems in North America, gaining access by exploiting both known and zero-day vulnerabilities.

The hacker group has been active since at least 2025, and its purpose appears to be mainly to obtain initial access to targeted organizations, Cisco Talos researchers say in a report today.

In a previous report, the same researchers noted that another China-linked actor, tracked internally as UAT-7290 and active since at least 2022, is also tasked with obtaining access. However, they note that this attacker is involved in espionage activity, too.

UAT-8837 attacks typically start with leveraging compromised credentials or by exploiting server vulnerabilities.

In a recent incident, the threat actor exploited CVE-2025-53690, a ViewState Deserialization zero-day flaw in Sitecore products, which may indicate access to undisclosed security issues.

Mandiant researchers reported CVE-2025-53690 as an actively exploited zero-day in early September 2025, in an attack where they observed the deployment of a reconnaissance backdoor named ‘WeepSteel’.

Cisco Talos has medium confidence connecting UAT-8837 to Chinese operations, and the researchers’ assessment is “based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors.”

After breaching the network, UAT-8837 may use Windows native commands to perform host and network reconnaissance and disable RDP RestrictedAdmin to facilitate credential harvesting.

Cisco Talos analysts note that the attacker’s post-exploitation activity includes hands-on-keyboard operations to run various commands for collecting sensitive data, like credentials.

Regarding the tooling observed in these attacks, UAT-8837 predominantly uses open-source and living-off-the-land utilities, continually cycling variants to evade detection. Some tools highlighted in Cisco Talos’ report include:

  • GoTokenTheft, Rubeus, Certipy – to steal access tokens, abuse Kerberos, and collect Active Directory–related credentials and certificate data
  • SharpHound, Certipy, setspn, dsquery, dsget – enumerate Active Directory users, groups, SPNs, service accounts, and domain relationships
  • Impacket, Invoke-WMIExec, GoExec, SharpWMI – execute commands on remote systems via WMI and DCOM; the actor cycles through the tools when detection blocks execution
  • Earthworm – creates reverse SOCKS tunnels, exposing internal systems to attacker-controlled infrastructure
  • DWAgent – a remote administration tool for maintaining access and deploying additional payloads
  • Windows commands and utilities – collect host, network, and security policy information, including passwords and settings

From the commands executed in the analyzed intrusion, the researchers concluded that the attackers target credentials, AD topology and trust relationships, and security policies and configurations.
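A small triage routine, added here as an illustration and not taken from the Cisco Talos report, that covers two of the behaviours described above: the built-in Active Directory enumeration utilities (setspn, dsquery, dsget) and a write to the registry value that controls RDP Restricted Admin mode (`HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin`, a real Windows value not named on the page). The telemetry format and the sample events are constructed; a host showing both signals together is rated higher than either alone.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): (host, event_type, details).
# Process events carry a command line; registry events carry the value path written.
SAMPLE_EVENTS = [
    ("WEB01", "process",  r"C:\Windows\System32\cmd.exe /c whoami /all"),
    ("WEB01", "process",  r"C:\Windows\System32\setspn.exe -T corp.example -Q */*"),
    ("WEB01", "process",  r"C:\Windows\System32\dsquery.exe user -limit 0"),
    ("DC01",  "process",  r'C:\Windows\System32\dsget.exe group "CN=Domain Admins,CN=Users,DC=corp,DC=example" -members'),
    ("WEB01", "registry", r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"),
    ("WS07",  "process",  r"C:\Windows\notepad.exe C:\Users\jdoe\notes.txt"),
]

# Built-in AD enumeration utilities named in the report's tooling list.
AD_ENUM_TOOLS = {"setspn.exe", "dsquery.exe", "dsget.exe"}
# Any write to the Restricted Admin control value is worth a look, whatever the data.
RESTRICTED_ADMIN_VALUE = re.compile(r"\\control\\lsa\\disablerestrictedadmin$", re.IGNORECASE)


def classify(event_type, details):
    """Return a tag for one event, or None if it is not of interest."""
    if event_type == "process":
        # First token is the image path; compare on the basename, case-insensitively.
        image = details.split()[0].rsplit("\\", 1)[-1].lower()
        return "ad-enum" if image in AD_ENUM_TOOLS else None
    if event_type == "registry":
        return "restrictedadmin-change" if RESTRICTED_ADMIN_VALUE.search(details) else None
    return None


def triage(events):
    """Group tagged events per host. A host with both AD enumeration and a
    RestrictedAdmin registry change is 'high'; a single signal is 'medium'."""
    seen_by_host = defaultdict(set)
    for host, event_type, details in events:
        tag = classify(event_type, details)
        if tag:
            seen_by_host[host].add(tag)
    both = {"ad-enum", "restrictedadmin-change"}
    return {host: ("high" if both <= seen else "medium") for host, seen in seen_by_host.items()}


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {verdict}")
```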

On at least one occasion, the hackers exfiltrated a DLL from a product used by the victim, which could be used for future trojanization and supply-chain attacks.

Cisco Talos’ report provides examples of the commands and tools used in the attack, as well as a list of indicators of compromise for UAT-8837 activity.

Source: www.bleepingcomputer.com
