China-Linked UAT-8302 Targets Global Governments Using Shared APT Malware, Raises Cyberthreat Concern

A sophisticated China-affiliated advanced persistent threat (APT) group, identified as UAT-8302 by Cisco Talos, has been implicated in cyberattacks targeting government entities in South America since late 2024 and agencies in southeastern Europe throughout 2025. This group’s operations involve deploying custom malware families previously utilized by other China-aligned hacking collectives, indicating a high level of coordination and resource sharing among these actors.

Key Malware Utilized by UAT-8302:

– NetDraft (NosyDoor): A .NET-based backdoor, NetDraft is a C# variant of FINALDRAFT (also known as Squidoor). This malware has been associated with threat clusters such as Ink Dragon, CL-STA-0049, Earth Alux, Jewelbug, and REF7707. ESET tracks its usage under the moniker LongNosedGoblin. Notably, similar malware has been deployed against Russian IT organizations by a threat actor referred to as Erudite Mogwai (also known as Space Pirates and Webworm), where it is identified as LuckyStrike Agent.

– CloudSorcerer: This backdoor has been observed in attacks targeting Russian entities since May 2024.

– SNOWLIGHT: A VShell stager employed by groups such as UNC5174, UNC6586, and UAT-6382.

– Deed RAT (Snappybee) and Zingdoor: Successors to ShadowPad, these tools were deployed by Earth Estries in late 2024.

– Draculoader: A generic shellcode loader used to deliver payloads like Crowdoor and HemiGate.

The deployment of these malware families by UAT-8302 suggests a close operational relationship with other previously identified threat clusters. This interconnectedness underscores the group’s access to tools utilized by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various industry reports.

Attack Methodology:

While the exact methods UAT-8302 employs to gain initial access to target networks remain unclear, the group is suspected of exploiting zero-day and N-day vulnerabilities in web applications. Once inside a network, the attackers conduct extensive reconnaissance to map the environment, using open-source tools such as gogo for automated scanning to facilitate lateral movement. The attack chains typically culminate in the deployment of NetDraft, CloudSorcerer (version 3.0), and VShell.

Additionally, UAT-8302 has been observed using a Rust-based variant of SNOWLIGHT, dubbed SNOWRUST, to download and execute the VShell payload from a remote server. To establish alternative backdoor access, the group employs proxy and VPN tools such as Stowaway and SoftEther VPN.

Implications and Collaborative Tactics:

The activities of UAT-8302 highlight a trend of advanced collaboration among multiple China-aligned groups. In October 2025, Trend Micro detailed a phenomenon termed Premier Pass-as-a-Service, where initial access obtained by Earth Estries is transferred to Earth Naga for further exploitation, complicating attribution efforts. This partnership is believed to have been in place since at least late 2023.

Premier Pass-as-a-Service provides direct access to critical assets, reducing the time spent on reconnaissance, initial exploitation, and lateral movement phases, Trend Micro noted. Although the full extent of this model is not yet known, the limited number of observed incidents, combined with the substantial risk of exposure such a service entails, suggests that access is likely restricted to a small circle of threat actors.

Conclusion:

The operations of UAT-8302 exemplify the evolving landscape of cyber threats, where state-affiliated groups share resources and collaborate to enhance their capabilities. The use of shared malware tools and coordinated tactics among China-linked APT groups underscores the need for vigilant cybersecurity measures and international cooperation to mitigate these sophisticated threats.