PROBABLYPWNED
Threat Intelligence | May 10, 2026 | 3 min read

Cisco Talos Exposes UAT-8302: China APT Armed With Shared Malware

China-nexus APT group UAT-8302 targets South American and European governments using NetDraft, CloudSorcerer, and VShell backdoors. Cisco Talos reveals connections to multiple Chinese threat clusters.

Alex Kowalski

Cisco Talos has disclosed UAT-8302, a China-nexus advanced persistent threat group that has been targeting government entities across South America since late 2024 and southeastern European agencies throughout 2025. The group deploys an arsenal of custom malware that overlaps with tools used by multiple other Chinese APT clusters—suggesting either shared development resources or deliberate tool sharing among Beijing-aligned operators.

Talos assesses with high confidence that UAT-8302 focuses on obtaining and maintaining long-term access to government networks for espionage purposes. The campaigns share characteristics with other China-linked operations we've tracked, though UAT-8302 appears to operate as a distinct cluster.

The Malware Arsenal

UAT-8302 deploys multiple backdoors and loaders across victim networks:

NetDraft - A .NET-based backdoor that represents a C# port of the FINALDRAFT (also known as SquidDoor) malware family. NetDraft communicates with command-and-control infrastructure through Microsoft's Graph API, routing traffic through OneDrive to blend with legitimate cloud activity. The malware was previously associated with threat clusters tracked as Ink Dragon, CL-STA-0049, Earth Alux, and REF7707.

CloudSorcerer v3 - An updated version of a backdoor Kaspersky first documented in attacks against Russian government entities in 2024. CloudSorcerer supports both OneDrive and GitHub-based C2 channels, providing redundancy if one platform blocks the attacker's infrastructure.

VShell - A remote access trojan delivered through SNOWRUST, a Rust-based variant of the SNOWLIGHT loader. VShell provides persistent access and supports file operations, command execution, and network tunneling.

The group also deploys DeedRAT, ZingDoor, and Draculoader—a shellcode loader that helps evade endpoint detection.

Attack Chain

Initial access appears to involve zero-day and N-day exploits against internet-facing web applications, though Talos did not disclose specific vulnerabilities. Once inside, UAT-8302 follows a methodical playbook:

  1. Reconnaissance - Operators use gogo, an open-source scanning tool, for automated network enumeration
  2. Credential theft - Scripts like adconnectdump.py extract credentials from Active Directory environments
  3. Lateral movement - WMI and scheduled tasks enable movement across network segments
  4. Persistence - Malicious scheduled tasks maintain access through reboots
  5. Tunneling - Stowaway and anyproxy create encrypted channels for data exfiltration

The reconnaissance phase includes extensive log and audit policy enumeration—likely to understand what defensive visibility exists before conducting noisier operations.
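The playbook above gives defenders three concrete behaviours to look for on endpoints: audit-policy and log enumeration before noisier activity, shells spawned under the WMI provider host during lateral movement, and scheduled tasks whose action lives in a user-writable path. The script below is an added example, not code from the Talos report or from this article: it triages a handful of constructed records shaped like Windows Security events (4688 process creation, 4698 scheduled task created) and escalates any account that trips more than one rule. The field names, the sample events, the account and host names are all assumptions made for the example.

```python
"""Added example: endpoint-telemetry triage for the UAT-8302 playbook.

The SAMPLE_EVENTS below are constructed, not real telemetry. Event IDs
4688 (process creation) and 4698 (scheduled task created) are genuine
Windows Security log IDs; the dictionary field names are our assumption.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"id": 4688, "host": "dc01", "user": "CORP\\svc_backup",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c auditpol /get /category:*"},
    {"id": 4688, "host": "dc01", "user": "CORP\\svc_backup",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil el"},
    {"id": 4698, "host": "fs02", "user": "CORP\\svc_backup",
     "task_name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot2",
     "task_command": "C:\\Users\\Public\\update.exe"},
    {"id": 4688, "host": "ws17", "user": "CORP\\jsmith",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "cmdline": "firefox.exe"},
]

# Audit-policy / event-log enumeration: auditpol /get, wevtutil el|gl|qe.
AUDIT_ENUM = re.compile(
    r"\b(auditpol(\.exe)?\s+/get|wevtutil(\.exe)?\s+(el|gl|qe)\b)", re.I)
WMI_HOST = "wmiprvse.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
# Locations a normal scheduled-task action should rarely point at.
USER_WRITABLE = ("c:\\users\\public", "c:\\programdata",
                 "c:\\windows\\temp", "\\appdata\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(ev):
    """Return the list of rule names a single event matches."""
    hits = []
    if ev["id"] == 4688:
        if AUDIT_ENUM.search(ev.get("cmdline", "")):
            hits.append("audit_policy_enum")
        if (basename(ev.get("parent", "")) == WMI_HOST
                and basename(ev["image"]) in SHELLS):
            hits.append("wmi_spawned_shell")
    elif ev["id"] == 4698:
        cmd = ev.get("task_command", "").lower()
        if any(marker in cmd for marker in USER_WRITABLE):
            hits.append("task_from_user_writable_path")
    return hits


def triage(events):
    """Return (findings, accounts_to_escalate).

    An account is escalated when it matches two or more distinct rules,
    since a single rule on its own is noisy in most environments.
    """
    findings = []
    rules_per_user = defaultdict(set)
    for ev in events:
        for rule in classify(ev):
            findings.append({"rule": rule, "host": ev["host"], "user": ev["user"]})
            rules_per_user[ev["user"]].add(rule)
    escalate = sorted(u for u, rules in rules_per_user.items() if len(rules) >= 2)
    return findings, escalate


if __name__ == "__main__":
    found, esc = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:6} {f['user']:18} {f['rule']}")
    print("escalate:", esc)
```

The escalation step is the useful part: audit-policy enumeration by an administrator, or one odd scheduled task, is routine noise, but the same account doing both across two hosts matches the sequence the report describes and deserves a look.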

Infrastructure and Attribution

Talos identified several C2 domains associated with UAT-8302:

  • drivelivelime.com
  • msiidentity.com
  • trafficmanagerupdate.com

Command-and-control servers span IP addresses across multiple hosting providers: 85.209.156.3, 185.238.189.41, 103.27.108.55, and 38.54.32.244.
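The domains and addresses above are the kind of indicator most teams can sweep proxy and DNS logs for immediately. The script below is an added example, not part of the Talos report or this article: it matches constructed proxy log lines against the published domains (including subdomains) and IP addresses, and shows the limit of this approach. The log format, the internal addresses and the non-indicator destinations (drawn from the RFC 5737 documentation ranges) are assumptions made for the example; the three domains and four IPs are the ones listed in the article.

```python
"""Added example: sweep proxy logs for the UAT-8302 C2 indicators.

SAMPLE_LOG is constructed. Line format (our assumption):
    <timestamp> <src_ip> <dst_host or -> <dst_ip> <dst_port>
"""
import ipaddress

# Indicators as listed in the article (Cisco Talos, UAT-8302).
C2_DOMAINS = {"drivelivelime.com", "msiidentity.com", "trafficmanagerupdate.com"}
C2_IPS = {ipaddress.ip_address(a) for a in
          ("85.209.156.3", "185.238.189.41", "103.27.108.55", "38.54.32.244")}

# Constructed log lines. Non-indicator destinations use RFC 5737 test ranges.
SAMPLE_LOG = """\
2025-06-03T09:12:44Z 10.20.1.15 login.microsoftonline.com 203.0.113.10 443
2025-06-03T09:13:01Z 10.20.1.15 graph.microsoft.com 203.0.113.11 443
2025-06-03T09:13:09Z 10.20.1.15 update.msiidentity.com 185.238.189.41 443
2025-06-03T09:14:27Z 10.20.3.7 drivelivelime.com 85.209.156.3 443
2025-06-03T09:15:00Z 10.20.3.7 www.example.org 198.51.100.80 80
2025-06-03T09:16:38Z 10.20.1.15 - 38.54.32.244 8443
"""


def domain_matches(host):
    """True if host is an indicator domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def parse_line(line):
    """Split one constructed log line into a record."""
    ts, src, host, dst, port = line.split()
    return {"ts": ts, "src": src, "host": host,
            "dst_ip": ipaddress.ip_address(dst), "port": int(port)}


def scan(log_text):
    """Return the records that match an indicator, with the reasons."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        if rec["host"] != "-" and domain_matches(rec["host"]):
            reasons.append("c2_domain")
        if rec["dst_ip"] in C2_IPS:
            reasons.append("c2_ip")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def affected_sources(hits):
    """Internal hosts that talked to any indicator, for follow-up on the endpoint."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["src"], "->", h["host"], h["dst_ip"], h["reasons"])
    print("follow up on:", affected_sources(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

Note what the sweep does not catch: the second line, the workstation talking to graph.microsoft.com, is exactly the channel NetDraft and CloudSorcerer use, and it is indistinguishable from legitimate Microsoft 365 traffic at this layer. The indicator match tells you which internal hosts to pull endpoint telemetry from; it is not a substitute for that telemetry.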

The overlapping tooling with other Chinese APT groups raises questions about operational relationships. NetDraft's lineage connects to at least five distinct threat clusters. CloudSorcerer appeared in operations against Russian targets. VShell has been used by Chinese-speaking actors across multiple campaigns. Either UAT-8302 has access to a shared development pipeline, or Chinese APT groups are deliberately exchanging tools to complicate attribution.

Why This Matters

UAT-8302's targeting of South American governments represents an expansion of Chinese cyber espionage into regions historically less affected by Beijing's intelligence operations. The southeastern European focus aligns with strategic interests around EU policy and NATO coordination.

Government agencies in targeted regions should audit for the indicators Talos published, which include 40+ file hashes covering NetDraft, VShell, and associated scanning tools. The use of legitimate cloud services for C2 makes network-based detection challenging—endpoint visibility becomes critical.

For organizations dealing with nation-state threats, understanding APT tradecraft helps prioritize defenses. Security teams can explore threat actor tactics in depth through resources like our recommended cybersecurity books, which cover historical campaigns from Russian and Chinese operators.

Detection Resources

Cisco released ClamAV signatures (33+) and Snort rules (40+ SIDs) for UAT-8302's malware families. Organizations using Cisco security products should ensure signature updates are applied.
