China-Linked APT Exploited Sitecore Zero-Day in Critical Infrastructure Intrusion
A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity under the name UAT-8837, assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region.
AI Analysis
Technical Summary
The threat actor UAT-8837, assessed with medium confidence to be China-aligned, has been actively exploiting a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS 9.0) to gain initial access to high-value targets, primarily in North American critical infrastructure sectors. The exploitation involves leveraging the zero-day or compromised credentials to infiltrate vulnerable servers. Once inside, the actor disables RestrictedAdmin mode for Remote Desktop Protocol (RDP), which normally protects credentials from exposure during remote sessions, thereby increasing the risk of credential theft. The actor then executes hands-on-keyboard activities using cmd.exe and deploys multiple open-source post-exploitation tools such as GoTokenTheft for stealing access tokens, EarthWorm for creating reverse tunnels, DWAgent for persistent remote access, SharpHound and Certipy for Active Directory reconnaissance and abuse, Impacket for privilege escalation, GoExec for lateral command execution, and Rubeus for Kerberos ticket manipulation. These tools enable extensive credential harvesting, network mapping, and lateral movement within victim environments. Notably, the actor exfiltrated DLL-based shared libraries from a victim, indicating potential future supply chain attacks or reverse engineering efforts to identify further vulnerabilities. The campaign shares TTPs and infrastructure with other China-nexus operations, suggesting access to multiple zero-day exploits. The threat actor’s focus on critical infrastructure and use of sophisticated tooling underscores a high level of operational capability and intent for espionage or disruption. This activity coincides with warnings from Western governments about increased targeting of operational technology (OT) and critical national infrastructure by state-sponsored actors, emphasizing the need for enhanced security measures in these sectors.
Potential Impact
For European organizations, especially those operating critical infrastructure or using Sitecore CMS platforms, this threat poses a severe risk. Successful exploitation can lead to unauthorized access to sensitive systems, credential theft, lateral movement, and persistent presence within networks. The exfiltration of proprietary DLL libraries raises the risk of supply chain compromises, potentially affecting software integrity and trust. Disabling security features like RestrictedAdmin for RDP increases exposure to credential theft and further exploitation. The use of advanced post-exploitation tools facilitates deep reconnaissance and control over Active Directory environments, threatening confidentiality, integrity, and availability of critical services. Disruptions or espionage in critical infrastructure sectors such as energy, transportation, and telecommunications could have cascading effects on national security and economic stability. European organizations may also face regulatory and reputational damage if breaches occur. The threat actor’s capability to exploit zero-days and maintain persistence complicates detection and remediation efforts, increasing the potential impact.
Mitigation Recommendations
European organizations should:
- Prioritize patching Sitecore CMS instances immediately once updates addressing CVE-2025-53690 become available.
- Until patches are applied, implement strict network segmentation to isolate critical infrastructure and Sitecore servers from general IT networks and the internet.
- Enforce multi-factor authentication (MFA) for all remote access, especially RDP, and disable or tightly control RDP access, ensuring RestrictedAdmin mode remains enabled.
- Monitor network traffic for unusual reverse tunnels or connections to suspicious external servers, particularly those resembling EarthWorm or DWAgent activity.
- Deploy advanced endpoint detection and response (EDR) solutions capable of identifying the use of tools like SharpHound, Rubeus, and Impacket.
- Conduct regular Active Directory audits and monitor for abnormal Kerberos ticket requests or privilege escalations.
- Implement strict credential hygiene, including frequent password changes and use of privileged access workstations.
- Establish robust logging and alerting for command-line activities and DLL file access or exfiltration attempts.
- Prepare incident response plans specific to supply chain compromise scenarios.
- Collaborate with national cybersecurity agencies for threat intelligence sharing and guidance tailored to critical infrastructure protection.
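As an added example, not taken from the article or from Cisco Talos, the following Python classifies constructed process and registry telemetry against three signals the recommendations above call for: cmd.exe launched by the web server worker process (w3wp.exe for IIS, which hosts Sitecore, is an assumption), the RestrictedAdmin setting being switched off (the registry value DisableRestrictedAdmin under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is not named on the page and is assumed here), and command lines that reference the tool names the report lists.

```python
import re

# Tool names as reported in the Talos analysis summarised above.
TOOL_NAMES = ["GoTokenTheft", "EarthWorm", "DWAgent", "SharpHound",
              "Certipy", "Impacket", "GoExec", "Rubeus"]
_TOOL_RE = re.compile("|".join(re.escape(t) for t in TOOL_NAMES), re.IGNORECASE)
_CANON = {t.lower(): t for t in TOOL_NAMES}

# Assumption (not stated on the page): RestrictedAdmin RDP is governed by the
# DisableRestrictedAdmin DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa,
# where a value of 1 switches the protection off.
_RA_VALUE = re.compile(r"\\Lsa\\DisableRestrictedAdmin$", re.IGNORECASE)

# Assumption: Sitecore runs under IIS, whose worker process is w3wp.exe, so a
# cmd.exe child of w3wp.exe is the most direct sign of hands-on-keyboard access.
_WEB_WORKERS = {"w3wp.exe"}


def classify(event):
    """Return the alerts raised by one telemetry event (a plain dict)."""
    alerts = []
    if event.get("type") == "registry":
        if _RA_VALUE.search(event.get("path", "")) and str(event.get("data")) == "1":
            alerts.append("RestrictedAdmin RDP protection disabled")
    elif event.get("type") == "process":
        cmd = event.get("cmdline", "")
        if (event.get("parent", "").lower() in _WEB_WORKERS
                and event.get("image", "").lower() == "cmd.exe"):
            alerts.append("cmd.exe spawned by web server worker")
        for tool in sorted({_CANON[m.group(0).lower()] for m in _TOOL_RE.finditer(cmd)}):
            alerts.append(f"known post-exploitation tool referenced: {tool}")
    return alerts


def scan(events):
    """Map each event id to its alerts, keeping only events that raised one."""
    return {e["id"]: a for e in events if (a := classify(e))}


# Constructed sample telemetry, loosely modelled on Sysmon process/registry events.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"id": 2, "type": "registry",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
     "data": 1},
    {"id": 3, "type": "process", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -c .\\sharphound.exe -c All"},
    {"id": 4, "type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for event_id, alerts in scan(SAMPLE_EVENTS).items():
        print(event_id, alerts)
```

Name matching on command lines is a coarse first pass; renamed binaries will not trigger it, so pair it with the network and Kerberos monitoring listed above.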
Affected Countries
United Kingdom, Germany, Netherlands, France, Italy, Poland, Sweden
Technical Details
- Article Source: https://thehackernews.com/2026/01/china-linked-apt-exploits-sitecore-zero.html (fetched 2026-01-16, 1205 words)
Added to database: 1/16/2026, 10:11:56 AM