China-Linked APT Exploited Sitecore Zero-Day in Critical Infrastructure Intrusion - The Hacker News

China-Linked APT Exploited Sitecore Zero-Day in Critical Infrastructure Intrusion Ravie LakshmananJan 16, 2026Zero-Day / Cyber Espionage A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity under the name UAT-8837, assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region. The cybersecurity company noted that the threat actor is "primarily tasked with obtaining initial access to high-value organizations," based on the tactics, techniques, and procedures (TTPs) and post-compromise activity observed. "After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their victims," it added. UAT-8837 is said to have most recently exploited a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS score: 9.0) to obtain initial access, with the intrusion sharing TTP, tooling, and infrastructure similarities with a campaign detailed by Google-owned Mandiant in September 2025. SiteCore released fixes for the flaw early that month. While it's not clear if these two clusters are the work of the same actor, it suggests that UAT-8837 may have access to zero-day exploits to conduct cyber attacks.  Once the adversary obtains a foothold in target networks, it conducts preliminary reconnaissance, followed by disabling RestrictedAdmin for Remote Desktop Protocol (RDP), a security feature that ensures credentials and other user resources aren't exposed to compromised remote hosts.  UAT-8837 is also said to open "cmd.exe" to conduct hands-on keyboard activity on the infected host and download several artifacts to enable post-exploitation. Some of the notable tools include - GoTokenTheft, to steal access tokens EarthWorm, to create a reverse tunnel to attacker-controlled servers using SOCKS DWAgent, to enable persistent remote access and Active Directory reconnaissance SharpHound, to collect Active Directory information Impacket, to run commands with elevated privileges GoExec, a Golang-based tool to execute commands on other connected remote endpoints within the victim's network Rubeus, a C# based toolset for Kerberos interaction and abuse Certipy, a tool for Active Directory discovery and abuse "UAT-8837 may run a series of commands during the intrusion to obtain sensitive information, such as credentials from victim organizations," researchers Asheer Malhotra, Vitor Ventura, and Brandon White said. "In one victim organization, UAT-8837 exfiltrated DLL-based shared libraries related to the victim’s products, raising the possibility that these libraries may be trojanized in the future. This creates opportunities for supply chain compromises and reverse engineering to find vulnerabilities in those products." The disclosure comes a week after Talos attributed another China-nexus threat actor known as UAT-7290 to espionage-focused intrusions against entities in South Asia and Southeastern Europe using malware families such as RushDrop, DriveSwitch, and SilentRaid. In recent years, concerns about Chinese threat actors targeting critical infrastructure have prompted Western governments to issue several alerts. Earlier this week, cybersecurity and intelligence agencies from Australia, Germany, the Netherlands, New Zealand, the U.K., and the U.S. warned about the growing threats to operational technology (OT) environments.  The guidance offers a framework to design, secure, and manage connectivity in OT systems, urging organizations to limit exposure, centralize and standardize network connections, use secure protocols, harden OT boundary, ensure all connectivity is monitored and logged, and avoid using obsolete assets that could heighten the risk of security incidents. "Exposed and insecure OT connectivity is known to be targeted by both opportunistic and highly capable actors," the agencies said. "This activity includes state-sponsored actors actively targeting critical national infrastructure (CNI) networks. The threat is not just limited to state-sponsored actors with recent incidents showing how exposed OT infrastructure is opportunistically targeted by hacktivists." (The story was updated after publication to emphasize that the vulnerability is not new and that it was patched by SiteCore in September 2025.) Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Active Directory, Advanced Persistent Threat, critical infrastructure, cyber espionage, cybersecurity, Operational Technology, Remote Desktop Protocol, Supply Chain Security, zero-day Trending News 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Load More ▼ Popular Resources 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Identity Controls Checklist: Find Missing Protections in Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps