top of page

China-Linked UAT-8302 Expands Arsenal: Shared APT Malware Targeting Multiple Government Sectors

  • May 5
  • 3 min read

Key Findings


  • China-nexus APT group UAT-8302 has targeted government entities in South America since late 2024 and southeastern Europe in 2025

  • The group deploys shared malware families previously used by other China-aligned threat actors, indicating close operational relationships between multiple APT clusters

  • NetDraft (NosyDoor), a .NET-based backdoor, connects UAT-8302 to at least five other known threat clusters including Jewelbug, Earth Estries, and LongNosedGoblin

  • Post-compromise activity focuses on reconnaissance, credential extraction, and establishing persistent backdoor access through multiple channels

  • Initial access likely obtained through zero-day and n-day exploits in web applications, though specific vectors remain unconfirmed


Background


Cisco Talos has identified UAT-8302 as a sophisticated China-nexus advanced persistent threat group conducting targeted operations against government networks across multiple regions. The group's activity represents a broader trend of collaboration and tool-sharing among Chinese-aligned APT clusters, suggesting either direct coordination or a structured ecosystem where capabilities are distributed among trusted partners.


Interconnected Threat Landscape


The malware deployed by UAT-8302 reveals extensive connections to previously documented threat clusters. NetDraft serves as a primary linking factor, with this .NET-based backdoor appearing in operations attributed to LongNosedGoblin, Earth Estries, and Erudite Mogwai across different regions and targets. ESET tracks the same malware as NosyDoor, while Russian cybersecurity firm Solar identified it as LuckyStrike Agent when deployed against Russian IT organizations.


Beyond NetDraft, UAT-8302 leverages CloudSorcerer version 3.0, a backdoor previously used in 2024 attacks against Russian government entities. The group also deploys DeedRAT (Snappybee), Zingdoor, Draculoader, and SNOWLIGHT stagers alongside custom Rust-based variants called SNOWRUST. This arsenal represents a shared toolset spanning multiple China-nexus APT groups, particularly Earth Estries and Earth Naga.


Attack Methodology


UAT-8302 follows a deliberate operational sequence beginning with initial network access. While specific exploitation vectors remain unclear, the group's tool overlap with known zero-day exploiters suggests reliance on weaponized web application vulnerabilities.


Upon gaining entry, operators conduct systematic reconnaissance using both open-source tools and custom scripts. PowerShell scripts like "whatpc.ps1" automate information gathering across accessible endpoints, collecting system configuration, certificate stores, domain information, and network topology details. These reconnaissance activities are often persisted through scheduled tasks to maintain continuous visibility.


The group demonstrates sophistication in lateral movement, utilizing Impacket and similar red-teaming frameworks to propagate across compromised networks. Reconnaissance commands target domain structures, certificate stores, and network shares to identify high-value targets and movement paths.


Persistence and Post-Exploitation


Following successful reconnaissance and lateral movement, UAT-8302 establishes multiple backdoor access points to ensure persistent presence. Deployment of NetDraft, CloudSorcerer 3.0, and VShell represents the final stage of compromise, with SNOWRUST variants downloading VShell payloads from remote servers for execution.


Beyond malware-based access, operators establish alternative persistence mechanisms using proxy and VPN tools including Stowaway and SoftEther VPN. This redundancy ensures continued access even if one backdoor channel is discovered or disrupted.


Broader Collaborative Ecosystem


UAT-8302's activities underscore a growing trend among Chinese-aligned threat actors toward structured collaboration and service-oriented models. Trend Micro previously identified "Premier Pass-as-a-Service," where Earth Estries obtains initial network access and transfers it to Earth Naga for follow-on exploitation, reducing reconnaissance time and risk exposure. This partnership has operated since at least late 2023.


The limited number of observed incidents combined with substantial exposure risk suggests such access is restricted to a select circle of trusted threat actors. This model represents an evolution in APT operations, moving beyond independent campaigns toward a specialized division of labor that maximizes efficiency while minimizing individual group exposure.


Sources


  • https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html

  • https://blog.talosintelligence.com/uat-8302/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page