China-Linked Hackers Exploit Sitecore Zero-Day to Breach Critical Infrastructure
#Vulnerabilities

Security Reporter

A China-nexus threat actor known as UAT-8837 has been actively exploiting a critical zero-day vulnerability in Sitecore's content management platform to gain initial access to North American critical infrastructure systems. The group, tracked by Cisco Talos, uses a sophisticated toolkit of open-source and living-off-the-land utilities to conduct reconnaissance, steal credentials, and exfiltrate data, with potential implications for supply-chain attacks.

An advanced threat actor tracked as UAT-8837, which Cisco Talos links to Chinese operations with medium confidence, has been targeting critical infrastructure systems across North America. The group's primary objective appears to be obtaining initial access to target networks, a role they share with another China-linked actor, UAT-7290, which has been active since at least 2022 and is also involved in espionage activities.

The Zero-Day Entry Point

In a recent incident, UAT-8837 exploited CVE-2025-53690, a critical ViewState Deserialization zero-day vulnerability in Sitecore products. This flaw was first reported as actively exploited by Mandiant researchers in early September 2025, during an attack that deployed a reconnaissance backdoor named 'WeepSteel'. The exploitation of this zero-day suggests the threat actor may have access to undisclosed security issues beyond what is publicly known.

Sitecore is a widely used enterprise content management and digital experience platform, particularly popular among large organizations in the finance, healthcare, and government sectors. The ViewState Deserialization vulnerability lets an attacker execute arbitrary code on an affected server by supplying crafted serialized ViewState data that the server deserializes, which provides a direct path to initial compromise. Organizations running Sitecore instances should immediately review their exposure and apply any available patches or mitigation measures.

Post-Exploitation Tactics and Tooling

Once inside the network, UAT-8837 employs a methodical approach to reconnaissance and credential harvesting. The attackers use Windows native commands to perform host and network reconnaissance, and notably disable RDP RestrictedAdmin to facilitate credential theft. Their post-exploitation activities involve hands-on-keyboard operations, running various commands to collect sensitive data, particularly credentials and Active Directory information.

The group's tooling strategy is particularly sophisticated, relying predominantly on open-source utilities and living-off-the-land techniques to evade detection. By cycling through variants of the same tools, they maintain operational security while achieving their objectives. Key tools observed in their attacks include:

Credential and Token Theft Tools:

  • GoTokenTheft - Steals access tokens from compromised systems
  • Rubeus - Abuses Kerberos for ticket-based attacks
  • Certipy - Collects Active Directory credentials and certificate data

Active Directory Enumeration Tools:

  • SharpHound - Maps Active Directory relationships and permissions
  • setspn, dsquery, dsget - Enumerate users, groups, service accounts, and domain structures

Remote Execution and Lateral Movement Tools:

  • Impacket - Executes commands on remote systems via SMB and other protocols
  • Invoke-WMIExec, GoExec, SharpWMI - Use Windows Management Instrumentation and DCOM for remote command execution
  • Earthworm - Creates reverse SOCKS tunnels to expose internal systems to attacker infrastructure
  • DWAgent - A remote administration tool for maintaining persistent access

Living-off-the-Land Utilities:

  • Native Windows commands for collecting host, network, and security policy information
  • System utilities for harvesting passwords and configuration data

Strategic Targets and Objectives

From the commands executed during the intrusion, Cisco Talos analysts determined that UAT-8837 focuses on three primary objectives:

  1. Credential Collection - Harvesting usernames, passwords, and authentication tokens
  2. Active Directory Topology Mapping - Understanding organizational structure, trust relationships, and privilege escalation paths
  3. Security Policy and Configuration Analysis - Identifying security controls, monitoring capabilities, and potential weaknesses

In at least one documented case, the attackers exfiltrated a DLL from a product used by the victim organization. This type of theft has significant implications for supply-chain attacks, as the stolen code could be analyzed for vulnerabilities or modified to create trojanized versions that would affect downstream customers and partners.

Attribution and Broader Context

Cisco Talos attributes UAT-8837 to Chinese operations based on overlaps in tactics, techniques, and procedures (TTPs) with other known China-nexus threat actors. This attribution aligns with broader trends observed in recent years, where Chinese state-sponsored groups have increasingly focused on critical infrastructure targets in North America and allied nations.

The group's operational timeline shows activity since at least 2025, suggesting a sustained campaign rather than opportunistic attacks. Their focus on initial access suggests they may be part of a larger ecosystem where different actors specialize in different phases of the attack lifecycle.

Practical Recommendations for Organizations

Immediate Actions:

  1. Audit Sitecore Deployments - Identify all Sitecore instances and verify they are patched against CVE-2025-53690. If patches are unavailable, consider temporary mitigations such as network segmentation or disabling vulnerable features.
  2. Review Authentication Logs - Look for suspicious RDP activity, particularly attempts to disable RestrictedAdmin mode, which is a known indicator of credential harvesting attempts.
  3. Monitor for Living-off-the-Land Activity - Establish baselines for normal use of tools like PowerShell, WMI, and native Windows commands, then alert on anomalous usage patterns.

Long-Term Security Posture:

  1. Implement Application Allowlisting - Restrict execution of unauthorized tools, particularly open-source security utilities that could be repurposed by attackers.
  2. Enhance Active Directory Monitoring - Deploy solutions that detect enumeration activities, unusual permission changes, and lateral movement patterns.
  3. Conduct Supply-Chain Risk Assessments - Review third-party software dependencies and establish processes for vetting and monitoring vendor code.
  4. Adopt Zero-Trust Principles - Implement micro-segmentation, continuous verification, and least-privilege access controls to limit the impact of initial compromise.

Detection Strategies:

  • Monitor for unusual network tunnels (particularly SOCKS proxies)
  • Alert on the creation of new service accounts or SPN modifications
  • Watch for credential dumping tools and techniques
  • Track DLL downloads from internal systems, which may indicate code theft
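
To make the detection items above concrete, the following added example (not Cisco Talos's or Sitecore's code) flags three behaviours from this article in constructed process-creation and registry telemetry: the setspn/dsquery/dsget enumeration cluster, RDP Restricted Admin mode being disabled, and shells launched by the IIS worker process that hosts Sitecore. The pipe-delimited log layout, the sample lines and the w3wp.exe parent heuristic are assumptions; the DisableRestrictedAdmin registry value is the real Windows setting.

```python
"""Detection sketch for the post-exploitation behaviour the article describes:
AD enumeration with setspn/dsquery/dsget, RDP Restricted Admin mode turned off,
and shells spawned by the IIS worker process that hosts Sitecore. Added example,
not Cisco Talos tooling; log lines and their pipe layout are constructed. The
DisableRestrictedAdmin value under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa
is the real Windows setting (DWORD 1 = mode off)."""
import re
from collections import defaultdict

# Constructed telemetry. PROC: kind|host|user|parent image|command line
#                        REG:  kind|host|user|registry value path|new data
SAMPLE_EVENTS = """\
PROC|WEB01|iis apppool\\sitecore|w3wp.exe|cmd.exe /c whoami /all
PROC|WEB01|iis apppool\\sitecore|cmd.exe|setspn -T corp.example -Q */*
PROC|WEB01|iis apppool\\sitecore|cmd.exe|dsquery user -limit 0
PROC|WEB01|iis apppool\\sitecore|cmd.exe|dsget group "CN=Domain Admins,CN=Users,DC=corp,DC=example" -members
REG|WEB01|iis apppool\\sitecore|HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin|DWORD (0x00000001)
PROC|ADMIN02|corp\\jdoe|explorer.exe|dsquery computer -name WEB*
"""
AD_ENUM_TOOLS = {"setspn", "dsquery", "dsget"}  # named in the article's tooling list
RESTRICTED_ADMIN_KEY = r"\control\lsa\disablerestrictedadmin"

def image_name(cmdline):
    """First token of a command line, lower-cased, without a trailing .exe."""
    parts = cmdline.split()
    return re.sub(r"\.exe$", "", parts[0].lower()) if parts else ""

def detect(text, min_tools=2):
    """Return {host: [(severity, description), ...]} for hosts with findings."""
    enum_tools = defaultdict(set)
    findings = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, host, _user, a, b = line.split("|", 4)
        if kind == "REG":
            # Sysmon-style registry value set; DWORD data 1 turns the mode off.
            if a.lower().endswith(RESTRICTED_ADMIN_KEY) and re.search(r"\(0x0*1\)$", b):
                findings[host].append(("high", "RDP Restricted Admin mode disabled"))
            continue
        exe = image_name(b)
        if exe in AD_ENUM_TOOLS:
            enum_tools[host].add(exe)
        # Assumed heuristic: the IIS worker process should never spawn a shell.
        if a.lower() == "w3wp.exe" and exe in {"cmd", "powershell"}:
            findings[host].append(("high", f"{exe} spawned by w3wp.exe"))
    for host, tools in enum_tools.items():
        if len(tools) >= min_tools:
            findings[host].append(("medium", "AD enumeration cluster: " + ", ".join(sorted(tools))))
    return dict(findings)
```

A single dsquery from an administrator workstation (ADMIN02) stays below the cluster threshold, which is the point of correlating the tools per host rather than alerting on each one.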

This incident occurs against a backdrop of increasing Chinese cyber activity targeting critical infrastructure. Recent reports indicate:

  • Chinese attacks on Taiwan's energy sector have increased tenfold
  • Multiple zero-days in VMware ESXi were likely exploited a year before disclosure
  • Unpatched AsyncOS zero-days have been actively exploited

The use of Sitecore as an entry point represents a shift toward targeting widely deployed enterprise software rather than more traditional attack vectors. Organizations must recognize that their digital experience platforms and content management systems are now viable targets for sophisticated threat actors.

Conclusion

UAT-8837's exploitation of CVE-2025-53690 demonstrates the evolving sophistication of state-sponsored cyber operations. By combining zero-day exploitation with living-off-the-land techniques and a focus on credential harvesting, the group maintains persistence while minimizing detection. Organizations running Sitecore or similar enterprise platforms must prioritize vulnerability management and implement comprehensive monitoring to detect these types of advanced persistent threats.

For organizations seeking additional technical details, Cisco Talos has published a comprehensive report with specific indicators of compromise and command examples. Security teams should review these resources to enhance their detection capabilities and validate their current security controls against this threat actor's known TTPs.
