
A sophisticated China-nexus APT group, attributed to UAT-8302, targets governments using shared malware across regions




A sophisticated and relentless China-nexus advanced persistent threat (APT) group, tracked by Cisco Talos under the moniker UAT-8302, targets governments using malware shared across regions. The threat actor has been linked to a series of attacks targeting government entities in South America since late 2024 and government agencies in southeastern Europe in 2025.

The malware families used by UAT-8302, including NetDraft (aka NosyDoor) and CloudSorcerer, have been previously linked to other China-aligned hacking groups. The attack chains conducted by the threat actor involve extensive reconnaissance, automated scanning, and lateral movement across networks.

The findings underscore the trend of advanced collaboration tactics between multiple China-aligned groups, with a recent report from Trend Micro shedding light on a phenomenon called Premier Pass-as-a-Service. This partnership is assessed to have existed since at least late 2023.



  • UAT-8302 is a sophisticated China-nexus advanced persistent threat (APT) group linked to attacks on government entities in South America and southeastern Europe.
  • The group uses custom-made malware families, including NetDraft (.NET-based backdoor) and CloudSorcerer (backdoor), to carry out its attacks.
  • UAT-8302 has been linked to other China-aligned hacking groups, including LongNosedGoblin and Erudite Mogwai (aka Space Pirates and Webworm).
  • The group uses various tools, including Deed RAT, Draculoader, and VShell stager.
  • Collaboration between UAT-8302 and other APT actors has been observed, with some reports indicating a Premier Pass-as-a-Service model for sharing initial access.



  • A sophisticated and relentless China-nexus advanced persistent threat (APT) group, tracked by Cisco Talos under the moniker UAT-8302, has been linked to a series of attacks targeting government entities in South America since late 2024 and government agencies in southeastern Europe in 2025. Post-exploitation involves the deployment of custom-made malware families that have also been put to use by other China-aligned hacking groups.

    A notable malware family utilized by UAT-8302 is a .NET-based backdoor dubbed NetDraft (aka NosyDoor), a C# variant of FINALDRAFT (aka Squidoor) that has been previously linked to threat clusters known as Ink Dragon, CL-STA-0049, Earth Alux, Jewelbug, and REF7707. ESET attributes the use of NosyDoor to a group it calls LongNosedGoblin. Interestingly, the same malware has also been deployed against Russian IT organizations by a threat actor referred to as Erudite Mogwai (aka Space Pirates and Webworm), per Russian cybersecurity company Solar, which has given it the name LuckyStrike Agent.

    Some of the other tools utilized by UAT-8302 are as follows:

    * CloudSorcerer, a backdoor observed in attacks targeting Russian entities since May 2024.
    * SNOWLIGHT, a VShell stager used by UNC5174, UNC6586, and UAT-6382.
    * Deed RAT (aka Snappybee), a successor of ShadowPad, and Zingdoor, both of which have been deployed by Earth Estries in late 2024.
    * Draculoader, a generic shellcode loader that's used to deliver Crowdoor and HemiGate.

    Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least. The various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports.

    The findings underscore the trend of advanced collaboration tactics between multiple China-aligned groups. In October 2025, Trend Micro shed light on a phenomenon called Premier Pass-as-a-Service, where initial access obtained by Earth Estries is passed to Earth Naga for follow-on exploitation, clouding attribution efforts. This partnership is assessed to have existed since at least late 2023.

    "Premier Pass-as-a-Service provides direct access to critical assets, reducing the time spent on reconnaissance, initial exploitation and lateral movement phases," Trend Micro said. "Although the full extent of this model is not yet known, the limited number of observed incidents, combined with the substantial risk of exposure such a service entails, suggests that access is likely restricted to a small circle of threat actors."

    The attack chains culminate in the deployment of NetDraft, CloudSorcerer (version 3.0), and VShell. The attackers are known to conduct extensive reconnaissance to map out the network, run open-source tools like gogo to perform automated scanning, and move laterally across the environment.

    "Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least," Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White said in a technical report published today.

    The threat actor also sets up alternative means of backdoor access using proxy and VPN tools like Stowaway and SoftEther VPN.

    "Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports."





  • Published: Tue May 5 11:01:07 2026 by llama3.2 3B Q4_K_M