China-Linked Threat Actor Targets Critical Infrastructure Using Zero-Day Exploits

Long-term intrusion campaign focuses on gaining and maintaining access to high-value environments

Security researchers have identified a China-aligned threat actor conducting sustained cyber operations against critical infrastructure organizations in North America. The activity, tracked as UAT-8837, demonstrates characteristics consistent with advanced persistent threat (APT) operations focused on long-term access and intelligence collection.

Cisco Talos assesses the actor’s alignment with China with medium confidence, citing tactical and operational similarities to previously documented campaigns attributed to the region.

Initial Access and Attack Strategy

The threat actor primarily focuses on gaining initial access to high-value organizations. Once inside, it prioritizes persistence and reconnaissance over immediate disruption.

UAT-8837 achieves access through two main methods:

Exploiting vulnerable internet-facing servers
Abusing compromised or stolen credentials

Most recently, researchers observed the actor exploiting a critical zero-day vulnerability in Sitecore to breach targeted environments. The flaw enabled attackers to establish a foothold before deploying additional tooling.

Post-Compromise Activity

After gaining access, the actor relies heavily on open-source tools, a strategy that helps blend malicious activity with legitimate administrative behavior.

Post-compromise objectives include:

Harvesting credentials
Enumerating security configurations
Collecting Active Directory and domain information
Establishing multiple access paths for long-term persistence

This approach allows the attackers to remain embedded within victim environments while minimizing detection.

Nottingham University Data Breach Exposes Records of More Than 450,000 Students

Cybercriminals Abuse ChatGPT Sharing Feature to Deliver Malware Through Fake Outage Alerts

DragonForce Ransomware Hides C2 Traffic Inside Microsoft Teams Infrastructure

North Korean Hackers Weaponize Developer Tools to Turn Code Workflows Into Malware Delivery Channels

Anthropic Unveils Claude Fable 5 with Built-In Cyber Safeguards as AI Security Enters a New Era

ATHR AI Vishing Platform Automates Voice Phishing at Scale

How Modern Businesses Can Measure Cyber Risk in Financial and Operational Terms Instead of Technical Guesswork

What Is Wiper Malware in Cybersecurity? Understanding One of the Most Destructive Types of Cyber Attacks

Why Delaying Software Updates Can Put Your Entire Digital Security at Risk

How Attackers Abuse Legitimate Windows Tools: Understanding LOLBins and Living-Off-the-Land Attacks

Brave Launches Paid ‘Origin’ Browser for Users Seeking a Cleaner, Privacy-First Experience

Apple Blocks $11 Billion in App Store Fraud as Mobile Threats Continue to Rise

China-Linked Threat Actor Targets Critical Infrastructure Using Zero-Day Exploits

Long-term intrusion campaign focuses on gaining and maintaining access to high-value environments

Initial Access and Attack Strategy

Post-Compromise Activity

Ashif

Share Your Story!

Long-term intrusion campaign focuses on gaining and maintaining access to high-value environments

Initial Access and Attack Strategy

Post-Compromise Activity

Ashif

Stay Updated with the Latest Cybersecurity News