Chinese Cyber Threat Actor UAT-8837 Exploits Sitecore Vulnerability in Critical Infrastructure Attacks

By Tina Reynolds

UAT-8837 is a sophisticated cyber threat actor that recently began attacking critical national infrastructure (CNI) networks. To gain initial access, it targeted a zero-day vulnerability in Sitecore, tracked as CVE-2025-53690. This vulnerability (CVSS 9.0) gave UAT-8837 its initial foothold in victim systems. The actor has been active since at least last year, and its activities have raised alarms at cybersecurity organizations in multiple Western countries.

UAT-8837’s intrusion tactics, techniques, and procedures (TTPs) mirror a campaign described by US-based company Mandiant in September 2025. Despite this close similarity, many crucial questions about the actor’s operations remain. The overlap points to a high degree of operational sophistication and, more importantly, suggests shared infrastructure between the state-sponsored actors responsible for these attacks.

Sitecore fixed the vulnerability with patches issued in the first week of September 2025. The speed with which the flaw was exploited shows that UAT-8837 and actors like it are a constant menace.

Targeting Critical Infrastructure

UAT-8837 has turned its sights on North America’s critical infrastructure sectors, using advanced methods to penetrate well-defended perimeters. Foreign policy experts say the group works on behalf of Chinese interests, and it has further been associated with state-sponsored intrusions aimed at our most critical national infrastructure.

Recent intelligence reports indicate that UAT-8837’s activities have begun to attract the notice of more opportunistic actors. Hacktivists are turning their attention to operational technology (OT) environments more than ever. This hybrid threat landscape highlights a concerning level of exposure in OT systems.

“Exposed and insecure OT connectivity is known to be targeted by both opportunistic and highly capable actors,” – cybersecurity agencies.

Though UAT-8837’s intrusions were alarming in themselves, the main threat they posed was to the security of OT environments. In particular, the actor has been seen executing several commands during intrusions to gather sensitive data from victim organizations.

Techniques and Tools Used

After breaching perimeter defenses, UAT-8837 largely relies on common open-source tools to collect intelligence. These tools let it efficiently harvest sensitive data such as credentials and security group configurations, which in turn gives it several access points into the victim’s systems.

“After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their victims,” – blog.talosintelligence.com.

The group has been observed downloading thousands of artifacts after exploiting a system. These often-overlooked artifacts allow it to keep expanding access and improving its operational efficiency. In one significant case, UAT-8837 exfiltrated DLL-based shared libraries associated with a victim’s products.

“In one victim organization, UAT-8837 exfiltrated DLL-based shared libraries related to the victim’s products, raising the possibility that these libraries may be trojanized in the future. This creates opportunities for supply chain compromises and reverse engineering to find vulnerabilities in those products.” – Asheer Malhotra, Vitor Ventura, and Brandon White.
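The bulk artifact collection and DLL exfiltration described above leave a footprint that defenders can look for: one source retrieving an unusually large number of distinct files, many of them shared libraries, from a web server in a short window. The script below is an added example written for this article, not code from Talos or from the researchers quoted; it assumes a simplified, constructed access-log format (timestamp, source address, method, path, status) and uses constructed sample entries with documentation-range IP addresses.

```python
"""Flag web-server sources that retrieve an unusually large number of files,
especially DLLs, within a short time window.

Added example for this article; the log format and all sample entries are
constructed and are not taken from any real incident.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_log(text):
    """Parse constructed lines of the form: <ISO time>Z <src> <method> <path> <status>."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, method, path, status = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "method": method,
            "path": path,
            "status": int(status),
        })
    return events


def find_bulk_collectors(events, window=timedelta(minutes=10),
                         distinct_threshold=20, dll_threshold=5):
    """Return {src: summary} for sources whose peak sliding-window activity
    exceeds either threshold (distinct paths fetched, or .dll files fetched)."""
    by_src = defaultdict(list)
    for ev in events:
        # Only successful retrievals count as collected artifacts.
        if ev["method"] == "GET" and ev["status"] == 200:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        in_window = Counter()   # path -> occurrences inside the current window
        dlls = 0                # .dll fetches inside the current window
        left = 0
        peak_distinct = peak_dlls = 0
        for ev in evs:
            in_window[ev["path"]] += 1
            if ev["path"].lower().endswith(".dll"):
                dlls += 1
            # Slide the left edge forward until the window fits.
            while ev["time"] - evs[left]["time"] > window:
                old = evs[left]["path"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                if old.lower().endswith(".dll"):
                    dlls -= 1
                left += 1
            peak_distinct = max(peak_distinct, len(in_window))
            peak_dlls = max(peak_dlls, dlls)
        if peak_distinct >= distinct_threshold or peak_dlls >= dll_threshold:
            findings[src] = {
                "peak_distinct_paths": peak_distinct,
                "peak_dll_downloads": peak_dlls,
            }
    return findings


def build_sample_log():
    """Constructed sample: a little benign browsing plus one source pulling
    dozens of product libraries in a few minutes."""
    base = datetime(2025, 9, 2, 10, 0, 0)
    lines = []
    for i, page in enumerate(["/", "/products", "/about", "/contact"]):
        t = base + timedelta(minutes=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.5 GET {page} 200")
    for i in range(40):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 GET /bin/Product.Module{i:02d}.dll 200")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def run_example():
    return find_bulk_collectors(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, summary in run_example().items():
        print(f"{src}: {summary}")
```

The thresholds are deliberately low so the constructed sample trips them; in production they need tuning against a baseline of normal traffic, and a real deployment would read the server's actual access-log format rather than the simplified one assumed here. The heuristic is a starting point for hunting, not a substitute for alerting on the exploitation of the Sitecore flaw itself.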

Response from Global Agencies

Cybersecurity and intelligence agencies from Australia, Germany, the Netherlands, New Zealand, the United Kingdom, and the United States are on high alert and have had to respond to the growing threats associated with UAT-8837’s activity. Their alerts are meant to inform best practices for protecting OT environments as cyber threats continue to proliferate.

The recommendations focus on building defense-in-depth around OT connectivity, while pressing organizations to reduce their attack surface and standardize networked connections. The agencies encourage the use of secure protocols and monitoring of all connectivity to mitigate the risks associated with outdated assets.