UAT-8837 campaign targeting North American critical infrastructure for initial access
Campaign
Summary
UAT-8837 is a China-nexus campaign targeting North American critical infrastructure for initial access, with activity reported since at least 2025. The actor gains entry through compromised credentials or server vulnerabilities, including CVE-2025-53690 in Sitecore products. After access, it uses Windows native commands and living-off-the-land tools to conduct reconnaissance, disable RDP RestrictedAdmin, harvest credentials, and enumerate Active Directory. In at least one case, the actor also exfiltrated a DLL that could enable later product trojanization or supply-chain abuse.
Related Happenings
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
Snow malware suite deployment by UNC6692
Malware Activity
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...
FIRESTARTER malware on Cisco ASA and FTD devices
Malware Activity
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
About this happening:
CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...
Latest development: 24.04.2026 23:34
CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
Timeline
16.01.2026 09:18 · 4 articles
UAT-8837 campaign targeting North American critical infrastructure
Initial Disclosure: A likely China-nexus APT has targeted North American critical infrastructure since at least last year to gain initial access by exploiting vulnerable servers or using compromised credentials. The actor's most recent activity included exploitation of Sitecore CVE-2025-53690, disabling RestrictedAdmin for RDP, launching cmd.exe, and deploying tools such as GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy to steal credentials, establish tunneling and persistence, and enumerate Active Directory; in one victim organization it also exfiltrated DLL-based shared libraries tied to the victim's products.
Sources
- China-Linked APT Exploits Sitecore Zero-Day in Attacks on American Critical Infrastructure — thehackernews.com — 16.01.2026 09:18
- China-linked hackers exploited Sitecore zero-day for initial access — www.bleepingcomputer.com — 16.01.2026 19:10
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51