Overview
- The actor targeted North American critical infrastructure and gained entry via compromised credentials and exploitation of Sitecore CVE-2025-53690.
- Investigators observed hands-on-keyboard activity: native Windows commands were used for reconnaissance, and RDP RestrictedAdmin mode was disabled to enable credential theft.
- UAT-8837 relied on open-source and living-off-the-land tools including GoTokenTheft, Rubeus, Certipy, SharpHound, Impacket, EarthWorm, DWAgent and GoExec.
- Talos published indicators of compromise, command examples and detection guidance, with Security Affairs noting the release of Snort SIDs.
- The campaign shows similarities to a Mandiant-documented cluster from September 2025, and one intrusion involved DLL exfiltration that could create future trojanization or supply-chain risks.
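The RestrictedAdmin change noted above is controlled by a single registry value, `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin` (0 = Restricted Admin mode on, credentials are not delegated to the RDP host; 1 or absent = off, the full credential is delegated). The following is an added detection example, not code from Talos or the report it describes: it parses constructed Sysmon-style registry events (Event ID 13 value set, Event ID 12 value delete) and flags any write or deletion of that value, reporting which way the setting moved. The sample log lines, host names and user names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Registry value that controls RDP Restricted Admin mode (documented Windows setting).
# 0 -> Restricted Admin enabled (credentials stay off the remote host)
# 1 or value absent -> Restricted Admin disabled (full credential delegated over RDP)
RESTRICTED_ADMIN_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"


@dataclass
class Finding:
    host: str
    user: str
    process: str
    action: str            # "set" or "delete"
    value: Optional[int]   # new DWORD value for "set", None for "delete"
    state: str             # resulting RestrictedAdmin state, for the analyst


# Constructed sample events in the style of Sysmon registry events (key=value fields).
SAMPLE_EVENTS = [
    r"EventID=13 Computer=WS01 User=CORP\svc_backup Image=C:\Windows\System32\svchost.exe "
    r"TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel Details=DWORD (0x00000005)",
    r"EventID=13 Computer=WS01 User=CORP\admin Image=C:\Windows\System32\reg.exe "
    r"TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin Details=DWORD (0x00000001)",
    r"EventID=13 Computer=SRV02 User=CORP\admin Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin Details=DWORD (0x00000000)",
    r"EventID=12 EventType=DeleteValue Computer=SRV02 User=CORP\admin Image=C:\Windows\System32\reg.exe "
    r"TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
]


def parse_event(line: str) -> dict:
    """Split a 'Key=Value Key=Value' line into a dict; values may contain spaces
    (e.g. 'DWORD (0x00000001)'), so each value runs until the next ' Key=' token."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def _dword(details: str) -> Optional[int]:
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def detect_restricted_admin_change(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per event that sets or deletes DisableRestrictedAdmin."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("TargetObject", "").lower() != RESTRICTED_ADMIN_VALUE.lower():
            continue
        host, user, image = ev.get("Computer", ""), ev.get("User", ""), ev.get("Image", "")
        if ev.get("EventID") == "13":
            value = _dword(ev.get("Details", ""))
            if value == 0:
                state = "RestrictedAdmin ENABLED (hash-only RDP logons now accepted)"
            else:
                state = "RestrictedAdmin DISABLED (full credentials delegated to RDP host)"
            findings.append(Finding(host, user, image, "set", value, state))
        elif ev.get("EventID") == "12" and ev.get("EventType") == "DeleteValue":
            state = "RestrictedAdmin DISABLED (value removed, default applies)"
            findings.append(Finding(host, user, image, "delete", None, state))
    return findings


if __name__ == "__main__":
    for f in detect_restricted_admin_change(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.process} {f.action}: {f.state}")
```

Either direction is worth an alert: disabling the mode exposes the credentials of every administrator who later RDPs into the host, while enabling it outside change control allows RDP logons using only a hash. Pair the registry alert with a process-creation rule on `reg.exe` or PowerShell command lines that reference `DisableRestrictedAdmin`, and treat the modifying process and account as the pivot for the investigation.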