VERY IMPORTANT

UAT-8837, assessed as a China-nexus advanced persistent threat actor, has been targeting critical infrastructure sectors in North America since 2025. The group exploits vulnerabilities, including zero-days, to gain initial access and deploys open-source tools for reconnaissance, credential harvesting, and lateral movement. Their toolkit includes GoTokenTheft, Earthworm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy. UAT-8837 conducts extensive domain and Active Directory reconnaissance, creates backdoor accounts, and exfiltrates sensitive data. The actor's focus on obtaining initial access to high-value organizations and their use of sophisticated tools and techniques indicate a significant threat to critical infrastructure sectors.