VYPR research · Published May 5, 2026 · Updated May 17, 2026 · 1 source

China-Linked UAT-8302 APT Targets Global Governments with Shared Malware Arsenal

A China-linked threat actor known as UAT-8302 is targeting government agencies in South America and Europe using a shared arsenal of malware previously tied to multiple other APT groups.

A China-linked advanced persistent threat (APT) group, tracked by Cisco Talos as UAT-8302, has been identified targeting government entities across South America and southeastern Europe. The campaign, which has been active since at least late 2024, is characterized by the use of a shared arsenal of sophisticated malware previously associated with other China-aligned threat actors.

UAT-8302's post-exploitation activity relies on a suite of custom backdoors and loaders. Central to the toolkit is NetDraft (also known as NosyDoor), a .NET-based backdoor that researchers have linked to several threat clusters, including Ink Dragon, Earth Alux, and Jewelbug (The Hacker News). The group also uses CloudSorcerer, specifically version 3.0, and a VShell stager known as SNOWLIGHT. In some intrusions the attackers instead deploy a Rust-based variant of this stager, dubbed SNOWRUST, to download and execute VShell payloads from remote servers (The Hacker News).

Beyond custom malware, UAT-8302 maintains persistence by deploying proxy and VPN tools such as Stowaway and SoftEther VPN. While the group's initial access methods remain unconfirmed, Cisco Talos researchers suspect exploitation of zero-day and N-day vulnerabilities in web applications. Once inside a network, the attackers perform extensive reconnaissance and lateral movement, often using open-source tools such as gogo for automated scanning (The Hacker News).

The shared nature of this malware suggests a high degree of collaboration among China-nexus threat actors. For example, the NetDraft backdoor has been observed in campaigns attributed to ESET's "LongNosedGoblin" and to the "Erudite Mogwai" group, which deployed it as "LuckyStrike Agent" against Russian IT organizations (The Hacker News). Similarly, tools such as SNOWLIGHT and Deed RAT have been linked to other groups, including UNC5174 and Earth Estries.

This activity reflects a broader trend of "Premier Pass-as-a-Service," a model in which specialized groups obtain initial access and hand it to other actors for follow-on exploitation. This collaborative framework, which Trend Micro previously identified as existing since late 2023, lets threat actors skip their own reconnaissance and lateral movement phases, significantly increasing the efficiency of their operations (The Hacker News).

The overlapping use of these tools underscores the interconnected nature of modern state-sponsored cyber espionage. By sharing infrastructure and custom malware, these groups complicate attribution and maintain a persistent presence within high-value government networks across multiple regions. Security teams should monitor for the deployment of these specific backdoors and for unauthorized use of VPN and tunnelling tools as indicators of compromise (The Hacker News).

Synthesized by Vypr AI