China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions - The Hacker News

China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions Ravie LakshmananMay 05, 2026Network Security / Endpoint Security A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. The activity is being tracked by Cisco Talos under the moniker UAT-8302, with post-exploitation involving the deployment of custom-made malware families that have been put to use by other China-aligned hacking groups. Notable among the malware families is a .NET-based backdoor dubbed NetDraft (aka NosyDoor), a C# variant of FINALDRAFT (aka Squidoor) that has been previously linked to threat clusters known as Ink Dragon, CL-STA-0049, Earth Alux, Jewelbug, and REF7707. ESET is tracking the use of NosyDoor to a group it calls LongNosedGoblin. Interestingly, the same malware has also been deployed against Russian IT organizations by a threat actor referred to as Erudite Mogwai (aka Space Pirates and Webworm), per Russian cybersecurity company Solar, which has given it the name LuckyStrike Agent. Some of the other tools utilized by UAT-8302 are as follows - CloudSorcerer, a backdoor observed in attacks targeting Russian entities since May 2024. SNOWLIGHT, a VShell stager used by UNC5174, UNC6586, and UAT-6382. Deed RAT (aka Snappybee), a successor of ShadowPad, and Zingdoor, both of which have been deployed by Earth Estries in late 2024. Draculoader, a generic shellcode loader that's used to deliver Crowdoor and HemiGate.  "Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least," Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White said in a technical report published today. "Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports." It's currently not known what initial access methods the adversary employs to break into target networks, but it's suspected to involve the tried-and-tested approach of weaponizing zero-day and N-day exploits in web applications. Upon gaining a foothold, the attackers are known to conduct extensive reconnaissance to map out the network, run open-source tools like gogo to perform automated scanning, and move laterally across the environment. The attack chains culminate in the deployment of NetDraft, CloudSorcerer (version 3.0), and VShell. UAT-8302 has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to download the VShell payload from a remote server and execute it. Besides using custom malware, the threat actor sets up alternative means of backdoor access using proxy and VPN tools like Stowaway and SoftEther VPN. The findings underscore the trend of advanced collaboration tactics between multiple China-aligned groups. In October 2025, Trend Micro shed light on a phenomenon called "Premier Pass-as-a-Service," where initial access obtained by Earth Estries is passed to Earth Naga for follow-on exploitation, clouding attrition efforts. This partnership is assessed to have existed since at least late 2023. "Premier Pass-as-a-Service provides direct access to critical assets, reducing the time spent on reconnaissance, initial exploitation and lateral movement phases," Trend Micro said. "Although the full extent of this model is not yet known, the limited number of observed incidents, combined with the substantial risk of exposure such a service entails, suggests that access is likely restricted to a small circle of threat actors." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Cloud security, cybersecurity, data breach, endpoint security, Malware, network security, Threat Intelligence ⚡ Top Stories This Week Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Vercel Finds More Compromised Accounts in Context.ai-Linked Breach LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Load More ▼ ⭐ Featured Resources Learn How Hidden Identity Blind Spots Weaken Your Security Systems [Guide] Learn a Practical Framework to Evaluate AI Tools for Production [Guide] How to Enable Secure Data Movement Without Added Risk [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures