
January 16, 2026

China-nexus threat actors intensify targeting of internet‑facing systems in North America


At a glance: Chinese state-aligned threat actors are increasingly prioritizing initial access operations that support espionage, data theft, and future disruption. By combining zero-day exploitation, stolen credentials, and abuse of legitimate administrative tools, the campaigns target exposed infrastructure and appliances, posing heightened risk to MSPs, where compromised access can scale across client environments and evade traditional detection.

Threat summary

Recent reporting from Cisco Talos researchers demonstrates that China-nexus threat actors are continuing to target North American critical infrastructure and widely deployed Cisco email security appliances.

On January 15, researchers detailed the activity of UAT-8837, a China-based threat group that gains initial access to victim environments by exploiting server-side vulnerabilities and compromised credentials.

Once inside a network, UAT‑8837 deploys open‑source tooling to harvest credentials, security configurations, and domain and Active Directory information. The group's objective is to establish multiple access paths and maintain persistence. Its consistent targeting of critical infrastructure suggests a strategic intelligence‑gathering mission rather than opportunistic crime.

The group leverages a dual‑access model, exploiting both internet‑facing systems and previously stolen credentials to bypass perimeter defenses. This enables UAT-8837 to circumvent traditional detection mechanisms that rely on identifying a single intrusion vector. Post‑compromise activity emphasizes stealth, lateral movement, and the extraction of sensitive authentication data.

Notably, UAT-8837 exploited a Sitecore ViewState deserialization zero-day tracked as CVE-2025-53690, underscoring the group’s access to undisclosed vulnerabilities and its focus on exploiting internet-facing infrastructure.

Also on January 15, Cisco released patches for a separate vulnerability, CVE‑2025‑20393, after confirming it had been exploited in the wild by UAT‑9686, also a China‑nexus threat actor. The flaw impacts the Spam Quarantine feature in AsyncOS, used by Secure Email Gateway and Secure Email and Web Manager appliances. Cisco reported that only a small number of appliances were targeted, but exploitation was confirmed in December 2025.

In this case, the threat actor deployed the AquaShell backdoor on compromised appliances and used tunneling tools to maintain access. The exploitation enabled full control of the underlying operating system, giving threat actors the ability to modify configurations, deploy persistence mechanisms, and access sensitive email‑related data.

Analysis & recommendations

Together, these campaigns highlight a growing emphasis by Chinese state-aligned actors on initial access operations that can be leveraged for espionage, data theft, or future disruption. Both UAT-8837 and UAT-9686 combine zero-day exploitation, credential compromise, and the abuse of legitimate administrative tools to bypass protections.

Their focus on externally exposed systems and infrastructure appliances creates significant risk for managed service providers, where remote access pathways and privileged credentials can offer attackers scalable entry into multiple client environments. The operational impact extends beyond individual victims, as compromise of MSP-managed systems can cascade across interconnected networks.

By exploiting unpatched appliances and using stolen credentials, these actors circumvent traditional detection mechanisms and maintain long-term access. This trend underscores the importance of securing remote management infrastructure, monitoring for credential misuse, and reducing exposure of administrative interfaces.

Mitigation efforts focus on reducing the attack surface and strengthening identity controls.

  • Applying available patches for Cisco Secure Email Gateway and Secure Email and Web Manager appliances is a priority, along with removing unnecessary internet exposure of administrative features such as Spam Quarantine.
  • Enforcing phishing-resistant multifactor authentication across privileged accounts limits the value of compromised credentials.
  • Continuous monitoring for unusual administrative activity, tunneling behavior, and credential harvesting tools aids early detection.
  • Reviewing externally exposed systems, segmenting access pathways, and tightening lateral movement controls further reduce the risk of widespread compromise.
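To make the monitoring recommendations above concrete, here is a small triage pass that flags two of the behaviours the advisory describes: privileged logins to an appliance that arrive from outside approved management networks or without MFA, and long-lived outbound sessions from an appliance to destinations that are not on its egress allowlist (the shape a tunnel tends to take). This is an added example, not Field Effect's or Cisco's code; the network ranges, hostnames, interface names, and the one-hour tunnel threshold are constructed assumptions, not values from the advisory.

```python
"""Added example (not Field Effect's or Cisco's code): a triage pass over
constructed log records implementing two monitoring recommendations from the
advisory. Network ranges, hostnames, and the tunnel-duration threshold are
assumptions chosen for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed: networks from which administrative access to appliances is expected.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]
# Constructed: destinations an appliance legitimately initiates connections to
# (update servers, downstream mail relay). Anything else is unexpected egress.
ALLOWED_EGRESS = {"10.20.1.5", "10.20.1.6"}
# Assumption: an outbound session held open this long to an unlisted destination
# is treated as possible tunneling rather than ordinary short-lived traffic.
TUNNEL_MIN_SECONDS = 3600


@dataclass(frozen=True)
class AdminLogin:
    user: str
    src_ip: str
    mfa: bool
    interface: str  # administrative feature used, e.g. "spam_quarantine"


@dataclass(frozen=True)
class Flow:
    src_host: str
    dst_ip: str
    dst_port: int
    duration_s: int


def is_management_ip(ip: str) -> bool:
    """True if the source address falls inside an approved management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def review_logins(logins: list[AdminLogin]) -> list[dict]:
    """Flag administrative sign-ins from outside management networks or
    without MFA; one finding per suspicious login, listing every reason."""
    findings = []
    for login in logins:
        reasons = []
        if not is_management_ip(login.src_ip):
            reasons.append("source outside management networks")
        if not login.mfa:
            reasons.append("no MFA on privileged login")
        if reasons:
            findings.append({"user": login.user, "src_ip": login.src_ip,
                             "interface": login.interface, "reasons": reasons})
    return findings


def review_flows(flows: list[Flow]) -> list[dict]:
    """Flag long-lived outbound sessions from appliances to destinations that
    are not on the egress allowlist."""
    findings = []
    for flow in flows:
        if flow.dst_ip in ALLOWED_EGRESS:
            continue
        if flow.duration_s >= TUNNEL_MIN_SECONDS:
            findings.append({"src_host": flow.src_host,
                             "dst": f"{flow.dst_ip}:{flow.dst_port}",
                             "duration_s": flow.duration_s,
                             "reason": "long-lived egress to unlisted destination"})
    return findings


# Constructed sample records; external hosts use RFC 5737 documentation addresses.
SAMPLE_LOGINS = [
    AdminLogin("admin", "10.20.4.17", True, "web_ui"),              # expected
    AdminLogin("admin", "203.0.113.44", False, "spam_quarantine"),  # external, no MFA
    AdminLogin("svc_backup", "192.168.50.9", False, "web_ui"),      # internal, no MFA
]
SAMPLE_FLOWS = [
    Flow("esa-01", "10.20.1.5", 443, 7200),       # allowed update traffic
    Flow("esa-01", "198.51.100.23", 443, 14400),  # four-hour session to unknown host
    Flow("esa-01", "198.51.100.23", 443, 30),     # brief, below threshold
]

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOGINS) + review_flows(SAMPLE_FLOWS):
        print(finding)
```

In practice the two record types would be fed from the appliance's authentication log and from firewall or flow telemetry; the point of the allowlist design is that an appliance's legitimate egress is small and enumerable, so a long-lived connection to anything outside that set is worth a look regardless of which tool produced it.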

Field Effect MDR users were alerted via ARO if internet‑facing services such as Spam Quarantine were identified, with recommended actions provided. Field Effect MDR continuously monitors endpoints, networks, and cloud services, enabling proactive identification of anomalous connections, persistence mechanisms like AquaShell, and unauthorized system‑level activity.

The Field Effect security intelligence team integrates business context with curated intelligence feeds to deliver vulnerability analysis tailored to each client environment. Indicators of compromise associated with this campaign are applied early to enhance behavioral detection and strengthen response capabilities.
