China-Linked UAT-8302 Expands Arsenal: Shared APT Malware Targeting Multiple Government Sectors
- May 5
- 3 min read
Key Findings
China-nexus APT group UAT-8302 has targeted government entities in South America since late 2024 and southeastern Europe in 2025
The group deploys shared malware families previously used by other China-aligned threat actors, indicating close operational relationships between multiple APT clusters
NetDraft (NosyDoor), a .NET-based backdoor, connects UAT-8302 to at least five other known threat clusters including Jewelbug, Earth Estries, and LongNosedGoblin
Post-compromise activity focuses on reconnaissance, credential extraction, and establishing persistent backdoor access through multiple channels
Initial access likely obtained through zero-day and n-day exploits in web applications, though specific vectors remain unconfirmed
Background
Cisco Talos has identified UAT-8302 as a sophisticated China-nexus advanced persistent threat group conducting targeted operations against government networks across multiple regions. The group's activity represents a broader trend of collaboration and tool-sharing among Chinese-aligned APT clusters, suggesting either direct coordination or a structured ecosystem where capabilities are distributed among trusted partners.
Interconnected Threat Landscape
The malware deployed by UAT-8302 reveals extensive connections to previously documented threat clusters. NetDraft serves as a primary linking factor, with this .NET-based backdoor appearing in operations attributed to LongNosedGoblin, Earth Estries, and Erudite Mogwai across different regions and targets. ESET tracks the same malware as NosyDoor, while Russian cybersecurity firm Solar identified it as LuckyStrike Agent when deployed against Russian IT organizations.
Beyond NetDraft, UAT-8302 leverages CloudSorcerer version 3.0, a backdoor previously used in 2024 attacks against Russian government entities. The group also deploys DeedRAT (Snappybee), Zingdoor, Draculoader, and SNOWLIGHT stagers alongside custom Rust-based variants called SNOWRUST. This arsenal represents a shared toolset spanning multiple China-nexus APT groups, particularly Earth Estries and Earth Naga.
Attack Methodology
UAT-8302 follows a deliberate operational sequence beginning with initial network access. While specific exploitation vectors remain unclear, the group's tool overlap with known zero-day exploiters suggests reliance on weaponized web application vulnerabilities.
Upon gaining entry, operators conduct systematic reconnaissance using both open-source tools and custom scripts. PowerShell scripts like "whatpc.ps1" automate information gathering across accessible endpoints, collecting system configuration, certificate stores, domain information, and network topology details. These reconnaissance activities are often persisted through scheduled tasks to maintain continuous visibility.
The group demonstrates sophistication in lateral movement, utilizing Impacket and similar red-teaming frameworks to propagate across compromised networks. Reconnaissance commands target domain structures, certificate stores, and network shares to identify high-value targets and movement paths.
Persistence and Post-Exploitation
Following successful reconnaissance and lateral movement, UAT-8302 establishes multiple backdoor access points to ensure persistent presence. Deployment of NetDraft, CloudSorcerer 3.0, and VShell represents the final stage of compromise, with SNOWRUST variants downloading VShell payloads from remote servers for execution.
Beyond malware-based access, operators establish alternative persistence mechanisms using proxy and VPN tools including Stowaway and SoftEther VPN. This redundancy ensures continued access even if one backdoor channel is discovered or disrupted.
Broader Collaborative Ecosystem
UAT-8302's activities underscore a growing trend among Chinese-aligned threat actors toward structured collaboration and service-oriented models. Trend Micro previously identified "Premier Pass-as-a-Service," where Earth Estries obtains initial network access and transfers it to Earth Naga for follow-on exploitation, reducing reconnaissance time and risk exposure. This partnership has operated since at least late 2023.
The limited number of observed incidents combined with substantial exposure risk suggests such access is restricted to a select circle of trusted threat actors. This model represents an evolution in APT operations, moving beyond independent campaigns toward a specialized division of labor that maximizes efficiency while minimizing individual group exposure.
Sources
https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html
https://blog.talosintelligence.com/uat-8302/

Comments