UAT-8837 Targets Critical Infrastructure Sectors in North America

    Date: 01/19/2026

    Severity: High

    Summary

    UAT-8837 is a China-nexus threat actor assessed with medium confidence to specialize in gaining initial access to high-value organizations, with a clear focus on critical infrastructure targets in North America since at least 2025. After breaching networks via exploited servers or stolen credentials, the group conducts hands-on-keyboard operations using open-source tools such as Earthworm, SharpHound, DWAgent, and Certipy to harvest credentials, security configurations, and Active Directory data. The actor’s tooling and infrastructure were also linked to exploitation of CVE-2025-53690, suggesting potential access to zero-day capabilities.

    Indicators of Compromise (IOC) List

    IP Address

    74.176.166.174

    20.200.129.75

    172.188.162.183

    4.144.1.47

    103.235.46.102

    SHA-256 Hash

    1b3856e5d8c6a4cec1c09a68e0f87a5319c1bd4c8726586fd3ea1b3434e22dfa

    451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd

    b3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b

    fab292c72ad41bae2f02ae5700c5a88b40a77f0a3d9cbdf639f52bc4f92bb0a6

    4f7518b2ee11162703245af6be38f5db50f92e65c303845ef13b12c0f1fc2883

    891246a7f6f7ba345f419404894323045e5725a2252c000d45603d6ddf697795

    5090f311b37309767fb41fa9839d2770ab382326f38bab8c976b83ec727e6796

    6e8af5c507b605a16373e8453782bfd8a3ec3bd76f891e71a159d8c2ff2a5bb0

    887817fbaf137955897d62302c5d6a46d6b36cb34775e4693e30e32609fb6744

    4af156b3285b49485ef445393c26ca1bb5bfe7cdc59962c5c5725e3f3c574f7c

    1de72bb4f116e969faff90c1e915e70620b900e3117788119cffc644956a9183

    51d6448e886521aaaaf929a50763156ceb99ede587c65de971700a5583d6a487

    2f295f0cedc37b0e1ea22de9d8cb461fa6f84ab0673fde995fd0468a485ddb59

    e27e6e8e97421593f1e8d66f280e894525e22b373248709beaf81dc6107fb88d

    b7ecd4ff75c0e3ed196e1f53d92274b1e94f17fa6c39616ce0435503906e66fb

    42e3ad56799fbc8223fb8400f07313559299496bb80582a6cbae29cb376d96c3

    6d20371b88891a1db842d23085a0253e36cf3bf0691aee2ae15a66fc79f3803d

    4e8304040055d3bffcb3551873da45f66577723d1a975416a49afa5aec4eb295

    bdf7b28df19b6b634c05882d9f1db73f63252f855120ed3e4da4e26f2c6190e8

    1c5174672bf2ccedb6a426336ca79fd326e61cd26dd9ae684b8ffd0b5a70c700

    d0beb6184ea4402c39e257d5912c7ace3607e908e76127014e3ec02866b6d70c

    194ca1b09902ceaaa8a7e66234be9dc8a12572832836361f49f1074eae861794

    74e68b4e07d72c9b8e0bc8cbfd57f980b4a2cd9d27c37bb097ca4fb2108706e3

    ced14e8beb20a345a0d6f90041d8517c04dbc113feff3bc6e933968d6b846e31

    8bf233f608ea508cd6bf51fb23053d97aa970b8d11269d60ce5c6e113e8e787a

    5391f69425217fa8394ebac0d952c5a3d1f0f5ac4f20587978cd894fdb6199cd

    8bc008a621c5e3068129916770d24ee1d7d48079ee42797f86d3530ca90e305c

    de9c13b1abeab11626a8edc1385df358d549a65e8cc7a69baca84cd825acc8e7

    4d47445328bfd4db12227af9b57daab4228244d1325cba572588de237f7b2e98

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("103.235.46.102","74.176.166.174","20.200.129.75","172.188.162.183","4.144.1.47") or srcipaddress IN ("103.235.46.102","74.176.166.174","20.200.129.75","172.188.162.183","4.144.1.47")

    Detection Query 2:

    sha256hash IN ("1de72bb4f116e969faff90c1e915e70620b900e3117788119cffc644956a9183","6e8af5c507b605a16373e8453782bfd8a3ec3bd76f891e71a159d8c2ff2a5bb0","e27e6e8e97421593f1e8d66f280e894525e22b373248709beaf81dc6107fb88d","b3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b","1b3856e5d8c6a4cec1c09a68e0f87a5319c1bd4c8726586fd3ea1b3434e22dfa","451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd","fab292c72ad41bae2f02ae5700c5a88b40a77f0a3d9cbdf639f52bc4f92bb0a6","4f7518b2ee11162703245af6be38f5db50f92e65c303845ef13b12c0f1fc2883","891246a7f6f7ba345f419404894323045e5725a2252c000d45603d6ddf697795","5090f311b37309767fb41fa9839d2770ab382326f38bab8c976b83ec727e6796","887817fbaf137955897d62302c5d6a46d6b36cb34775e4693e30e32609fb6744","4af156b3285b49485ef445393c26ca1bb5bfe7cdc59962c5c5725e3f3c574f7c","51d6448e886521aaaaf929a50763156ceb99ede587c65de971700a5583d6a487","2f295f0cedc37b0e1ea22de9d8cb461fa6f84ab0673fde995fd0468a485ddb59","b7ecd4ff75c0e3ed196e1f53d92274b1e94f17fa6c39616ce0435503906e66fb","42e3ad56799fbc8223fb8400f07313559299496bb80582a6cbae29cb376d96c3","6d20371b88891a1db842d23085a0253e36cf3bf0691aee2ae15a66fc79f3803d","4e8304040055d3bffcb3551873da45f66577723d1a975416a49afa5aec4eb295","bdf7b28df19b6b634c05882d9f1db73f63252f855120ed3e4da4e26f2c6190e8","1c5174672bf2ccedb6a426336ca79fd326e61cd26dd9ae684b8ffd0b5a70c700","d0beb6184ea4402c39e257d5912c7ace3607e908e76127014e3ec02866b6d70c","194ca1b09902ceaaa8a7e66234be9dc8a12572832836361f49f1074eae861794","74e68b4e07d72c9b8e0bc8cbfd57f980b4a2cd9d27c37bb097ca4fb2108706e3","ced14e8beb20a345a0d6f90041d8517c04dbc113feff3bc6e933968d6b846e31","8bf233f608ea508cd6bf51fb23053d97aa970b8d11269d60ce5c6e113e8e787a","5391f69425217fa8394ebac0d952c5a3d1f0f5ac4f20587978cd894fdb6199cd","8bc008a621c5e3068129916770d24ee1d7d48079ee42797f86d3530ca90e305c","de9c13b1abeab11626a8edc1385df358d549a65e8cc7a69baca84cd825acc8e7","4d47445328bfd4db12227af9b57daab4228244d1325cba572588de237f7b2e98")
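Both detection queries are literal IN() lookups over the IOC values, so they are only as case-tolerant as the string comparison behind them, and IOC lists copied between reports routinely pick up mixed-case hex and duplicate entries. The script below is an added example, not the advisory's own tooling and not Gurucul's query engine: it canonicalises the IOC set (lowercase, validated, de-duplicated), regenerates an IN() clause from it in the same shape as the queries above, and sweeps a batch of constructed JSON-lines records for hits. The record field names srcipaddress, dstipaddress and sha256hash are assumed to mirror the query fields; the RAW_SHA256 list deliberately carries mixed-case spellings and one repeated hash to exercise the normalisation, and the sample records are constructed, not real telemetry.

```python
# Added example, not from the advisory or from Gurucul's TDIR engine: canonicalise
# the IOC list and sweep log records for it. Field names are assumed to mirror the queries.
import json
import re

HEX64 = re.compile(r"^[0-9a-f]{64}$")

# IP indicators transcribed from the advisory's IOC list.
UAT8837_IPS = frozenset({"74.176.166.174", "20.200.129.75", "172.188.162.183",
                         "4.144.1.47", "103.235.46.102"})

# SHA-256 indicators from the IOC list, deliberately kept in mixed case and with
# one entry repeated, to exercise the normalisation below.
RAW_SHA256 = [
    "1b3856e5d8c6a4cec1c09a68e0f87a5319c1bd4c8726586fd3ea1b3434e22dfa",
    "451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd",
    "B3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b",
    "Fab292c72ad41bae2f02ae5700c5a88b40a77f0a3d9cbdf639f52bc4f92bb0a6",
    "4f7518b2ee11162703245af6be38f5db50f92e65c303845ef13b12c0f1fc2883",
    "891246a7f6f7ba345f419404894323045e5725a2252c000d45603d6ddf697795",
    "5090f311b37309767fb41fa9839d2770ab382326f38bab8c976b83ec727e6796",
    "6e8af5c507b605a16373e8453782bfd8a3ec3bd76f891e71a159d8c2ff2a5bb0",
    "887817fbaf137955897d62302c5d6a46d6b36cb34775e4693e30e32609fb6744",
    "4af156b3285b49485ef445393c26ca1bb5bfe7cdc59962c5c5725e3f3c574f7c",
    "1de72bb4f116e969faff90c1e915e70620b900e3117788119cffc644956a9183",
    "51d6448e886521aaaaf929a50763156ceb99ede587c65de971700a5583d6a487",
    "51d6448e886521aaaaf929a50763156ceb99ede587c65de971700a5583d6a487",
    "2f295f0cedc37b0e1ea22de9d8cb461fa6f84ab0673fde995fd0468a485ddb59",
    "E27e6e8e97421593f1e8d66f280e894525e22b373248709beaf81dc6107fb88d",
    "B7ecd4ff75c0e3ed196e1f53d92274b1e94f17fa6c39616ce0435503906e66fb",
    "42e3ad56799fbc8223fb8400f07313559299496bb80582a6cbae29cb376d96c3",
    "6d20371b88891a1db842d23085a0253e36cf3bf0691aee2ae15a66fc79f3803d",
    "4e8304040055d3bffcb3551873da45f66577723d1a975416a49afa5aec4eb295",
    "BDF7B28DF19B6B634C05882D9F1DB73F63252F855120ED3E4DA4E26F2C6190E8",
    "1c5174672bf2ccedb6a426336ca79fd326e61cd26dd9ae684b8ffd0b5a70c700",
    "d0beb6184ea4402c39e257d5912c7ace3607e908e76127014e3ec02866b6d70c",
    "194ca1b09902ceaaa8a7e66234be9dc8a12572832836361f49f1074eae861794",
    "74e68b4e07d72c9b8e0bc8cbfd57f980b4a2cd9d27c37bb097ca4fb2108706e3",
    "Ced14e8beb20a345a0d6f90041d8517c04dbc113feff3bc6e933968d6b846e31",
    "8bf233f608ea508cd6bf51fb23053d97aa970b8d11269d60ce5c6e113e8e787a",
    "5391f69425217fa8394ebac0d952c5a3d1f0f5ac4f20587978cd894fdb6199cd",
    "8bc008a621c5e3068129916770d24ee1d7d48079ee42797f86d3530ca90e305c",
    "De9c13b1abeab11626a8edc1385df358d549a65e8cc7a69baca84cd825acc8e7",
    "4d47445328bfd4db12227af9b57daab4228244d1325cba572588de237f7b2e98",
]

def normalize_sha256(values):
    """Lowercase, validate and de-duplicate hex digests. Digests are case-
    insensitive, but a string IN() comparison usually is not, so canonicalise first."""
    out = set()
    for v in values:
        h = v.strip().lower()
        if not HEX64.match(h):
            raise ValueError("not a SHA-256 hex digest: %r" % v)
        out.add(h)
    return frozenset(out)

UAT8837_SHA256 = normalize_sha256(RAW_SHA256)

def build_query(field, values):
    """Render an IN() clause in the same shape as the detection queries above."""
    return "%s IN (%s)" % (field, ",".join('"%s"' % v for v in sorted(values)))

def match_record(rec):
    """Return [(field, value)] for every indicator hit in one parsed record."""
    hits = []
    for field in ("srcipaddress", "dstipaddress"):
        if rec.get(field) in UAT8837_IPS:
            hits.append((field, rec[field]))
    h = (rec.get("sha256hash") or "").strip().lower()  # tolerate null and any case
    if h in UAT8837_SHA256:
        hits.append(("sha256hash", h))
    return hits

def sweep(lines):
    """Scan JSON-lines records; return [(line_no, hits)] for matching records only."""
    results = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: count these in production rather than drop silently
        hits = match_record(rec)
        if hits:
            results.append((n, hits))
    return results

# Constructed sample records (not real telemetry): one IP hit, one upper-case hash hit, one clean.
SAMPLE_LOG = """
{"srcipaddress":"10.0.0.5","dstipaddress":"103.235.46.102","sha256hash":null}
{"srcipaddress":"10.0.0.7","dstipaddress":"8.8.8.8","sha256hash":"BDF7B28DF19B6B634C05882D9F1DB73F63252F855120ED3E4DA4E26F2C6190E8"}
{"srcipaddress":"10.0.0.9","dstipaddress":"1.1.1.1","sha256hash":"0000000000000000000000000000000000000000000000000000000000000000"}
""".strip().splitlines()

if __name__ == "__main__":
    print(build_query("sha256hash", UAT8837_SHA256))
    for n, hits in sweep(SAMPLE_LOG):
        print("line %d: %s" % (n, hits))
```

Run as a script it prints the regenerated hash clause (29 unique values from the 30 raw entries) and the two sample lines that match. An IP hit is a lead rather than a verdict: scope it to the activity window in the Talos report and confirm on the host, since addresses, particularly on shared or cloud hosting, are reassigned over time, whereas a SHA-256 match on a file is a much stronger signal.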

    Reference:

    https://blog.talosintelligence.com/uat-8837/


    Tags

    Threat Actor, Vulnerability, China-Nexus, Critical Infrastructure, North America, credential stealers, Exploit, Credential Harvesting, CVE-2025, Zero-day
