UAT-8302's interconnections | Image: Cisco Talos
Cisco Talos has pulled back the curtain on UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group that has been systematically infiltrating government entities across South America and southeastern Europe since late 2024. This group is not merely a lone actor but sits at the center of a dense web of Chinese-speaking threat clusters, sharing tools and tactics with some of the most notorious APT groups in the world.
Talos assesses with high confidence that UAT-8302 is primarily “tasked with obtaining and maintaining long-term access to government and related entities around the world”.
UAT-8302 does not just build its own weapons; it leverages a “malware-as-a-service” style ecosystem, utilizing custom-made malware families previously seen in attacks by other China-aligned actors. This overlap suggests a close operating relationship or a shared development resource among these groups.
Key malware deployed includes:
- NetDraft (aka Nosy Door): A .NET-based backdoor that uses the Microsoft Graph API and OneDrive for its command-and-control (C2) infrastructure. It is a variant of the FinalDraft/Squid Door family operated exclusively by actors like Jewelbug and LongNosedGoblin.
- CloudSorcerer (v3): A sophisticated backdoor that disguises its C2 information within legitimate services like GitHub or GameSpot. Depending on the process it infects, it can gather system info, manage files, or execute arbitrary shellcode.
- VSHELL & SNOWRUST: UAT-8302 utilizes the VSHELL backdoor, often delivered via SNOWLIGHT, a lightweight downloader. Talos also discovered SNOWRUST, a new variant written in Rust, signaling an evolution toward more modern, memory-safe languages to evade detection.
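The NetDraft channel described above rides on legitimate Microsoft cloud endpoints, so one defender-side check is to look for processes other than the usual Microsoft 365 clients talking to those endpoints. The following is an added illustration, not code from the Talos report: it runs a simple heuristic over constructed endpoint egress telemetry, and the process allowlist and log format are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample of endpoint egress telemetry (not real data), one event per line:
# "<utc timestamp> <hostname> <process image> <destination host>"
SAMPLE_LOG = """\
2025-01-14T09:12:03Z WS-042 OneDrive.exe graph.microsoft.com
2025-01-14T09:12:09Z WS-042 outlook.exe graph.microsoft.com
2025-01-14T09:13:11Z WS-042 updatehlp.exe login.microsoftonline.com
2025-01-14T09:13:12Z WS-042 updatehlp.exe graph.microsoft.com
2025-01-14T09:18:12Z WS-042 updatehlp.exe graph.microsoft.com
2025-01-14T09:23:12Z WS-042 updatehlp.exe graph.microsoft.com
2025-01-14T09:30:00Z SRV-07 msedge.exe contoso-my.sharepoint.com
2025-01-14T09:31:45Z SRV-07 svchost.exe www.example.com
"""

# Public Microsoft Graph / OneDrive service hostnames a Graph-based C2 channel
# would have to reach. The process allowlist below is an assumption; tune it
# to the Microsoft 365 clients actually deployed in your environment.
MS_CLOUD_HOSTS = re.compile(
    r"^(graph\.microsoft\.com|login\.microsoftonline\.com|"
    r"onedrive\.live\.com|api\.onedrive\.com|[\w-]+-my\.sharepoint\.com)$",
    re.IGNORECASE,
)
EXPECTED_PROCESSES = {"onedrive.exe", "outlook.exe", "teams.exe",
                      "ms-teams.exe", "msedge.exe", "excel.exe", "winword.exe"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def find_unexpected_graph_egress(log_text, min_hits=2):
    """Return {(host, process): info} for processes outside the allowlist that
    reached Microsoft cloud endpoints at least min_hits times."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "dests": set()})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, host, proc, dest = m.groups()
        if not MS_CLOUD_HOSTS.match(dest) or proc.lower() in EXPECTED_PROCESSES:
            continue
        entry = hits[(host, proc)]
        entry["count"] += 1
        entry["first_seen"] = entry["first_seen"] or ts
        entry["dests"].add(dest.lower())
    return {k: v for k, v in hits.items() if v["count"] >= min_hits}

if __name__ == "__main__":
    for (host, proc), info in find_unexpected_graph_egress(SAMPLE_LOG).items():
        print(f"{host} {proc}: {info['count']} hits since {info['first_seen']} -> {sorted(info['dests'])}")
```

On the sample, only the unfamiliar `updatehlp.exe` on WS-042 is reported; a genuine finding still needs the process binary and its parent examined before acting on it.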
After gaining initial access—likely through zero-day or n-day vulnerabilities—UAT-8302 conducts relentless reconnaissance using scripts like “whatpc.ps1” to map every endpoint on the network.
The group’s post-compromise activity includes:
- Credential Extraction: Using tools like adconnectdump.py to pull secrets from Azure AD Connect and MobaXterm Decryptor to pivot through SSH clients.
- Network Proliferation: Movement across the network is achieved through Impacket or WMI-based remote process creation, often using scheduled tasks for persistence.
- Covert Tunneling: To maintain access, they deploy proxy tools such as Stowaway and SoftEther VPN, often utilizing tools written in Simplified Chinese.
“Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least,” the report states.
The “dots” connected by Talos reveal that UAT-8302 frequently swaps tools with other groups such as Earth Estries, Earth Naga, and UNC5174. For instance, they have been seen deploying Zing Door and DeedRAT in tandem, a specific signature previously attributed to Earth Estries.
Furthermore, the group has integrated components from open-source Chinese security projects, such as the Hades HIDS/HIPS kernel framework, to monitor and potentially hide their own activities on compromised host systems.
While UAT-8302’s primary targets are government ministries, their reach extends to critical infrastructure and defense-adjacent contractors. By utilizing “generic shellcode loaders” like Draculoader, they can effectively hide their intent while maintaining a presence in some of the most sensitive networks in the world.