New China-Nexus APT 'UAT-8302' Targets Global Government Entities with Shared Malware Arsenal
Cisco Talos has uncovered a China-nexus threat actor, tracked as UAT-8302, that is leveraging a shared arsenal of sophisticated malware to infiltrate government networks across South America and Europe.

Cisco Talos has identified a sophisticated China-nexus advanced persistent threat (APT) group, designated UAT-8302, which has been systematically targeting government entities across South America and southeastern Europe since late 2024. The group is characterized by its use of a diverse, modular arsenal of custom malware families, many of which have previously been linked to other prominent Chinese-speaking threat actors (Cisco Talos).
The technical operations of UAT-8302 rely on a complex suite of backdoors and stagers designed for long-term persistence and data exfiltration. A primary tool in their kit is "NetDraft," a .NET-based backdoor that researchers identify as a variant of the FinalDraft/SquidDoor family. This malware has been observed in various global campaigns under different names, including "NosyDoor," which ESET previously linked to the LongNosedGoblin actor (Cisco Talos). Additionally, the group utilizes version 3 of the "CloudSorcerer" backdoor, a tool previously documented in attacks against Russian government entities in 2024 (Cisco Talos).
Beyond these backdoors, UAT-8302 employs a variety of specialized stagers and loaders to facilitate its intrusions. These include the "SNOWLIGHT" stager—often used in conjunction with the VSHELL malware—and a new Rust-based stager tracked as "SNOWRUST." The group also deploys "Draculoader," a generic shellcode loader previously associated with the Earth Estries and Earth Naga APT groups. Once inside a network, the threat actors conduct reconnaissance, credential extraction, and lateral movement using a combination of open-source tools such as Impacket and custom-built malicious artifacts (Cisco Talos).
The operational footprint of UAT-8302 suggests a high degree of collaboration or resource sharing among China-nexus threat clusters. The group’s reliance on tools like SNOWLIGHT, which has also been used by other clusters such as UNC5174 and UNC6586, indicates that UAT-8302 is part of a broader, interconnected ecosystem of sophisticated actors. This overlap extends to the use of "SNAPPYBEE/DeedRAT" and "ZingDoor," which were deployed in tandem, a pairing previously highlighted by Trend Micro in 2024 (Cisco Talos).
While the specific initial access vectors used by UAT-8302 remain under investigation, Talos assesses that the group follows the established paradigm of exploiting both zero-day and n-day vulnerabilities to gain a foothold. The group’s primary objective is the long-term maintenance of access to sensitive government environments. Organizations are advised to monitor for the presence of these specific malware families and for the use of unauthorized proxying tools within their infrastructure (Cisco Talos).
This activity highlights a growing trend of tool-sharing and modularity among state-sponsored actors, making attribution increasingly complex. By drawing on a shared library of sophisticated malware, these groups can maintain operational continuity even when individual tools are exposed. Security teams should prioritize robust endpoint detection and response (EDR) capabilities to identify the distinct behavioral patterns associated with these custom loaders and backdoors as they continue to evolve (Cisco Talos).