A China-linked advanced persistent threat group identified as UAT-8302 has been associated with a series of cyber operations targeting government entities in South America since late 2024 and extending to southeastern Europe in 2025. The activity was tracked by Cisco Talos, which highlighted the group’s use of a range of custom malware tools that are also known to be deployed by other China-aligned threat actors. Researchers noted that this overlap in tooling indicates a level of coordination or shared access among multiple sophisticated groups operating within the same ecosystem.
One of the key tools observed in these operations is a .NET-based backdoor known as NetDraft, also referred to as NosyDoor. This malware is a C# variant of FINALDRAFT and has previously been linked to several threat clusters, including Ink Dragon, CL-STA-0049, Earth Alux, Jewelbug, and REF7707. Security firms have tracked its usage across different regions and threat actors, with ESET associating it with a group called LongNosedGoblin. Additionally, the same malware has been identified in attacks on Russian IT organizations by a group referred to as Erudite Mogwai, also known as Space Pirates and Webworm, where it has been labeled LuckyStrike Agent by the Russian cybersecurity firm Solar.
Further analysis shows that UAT-8302 employs a diverse toolkit that includes CloudSorcerer, a backdoor seen in attacks on Russian entities since May 2024, and SNOWLIGHT, a VShell stager previously linked to multiple threat groups such as UNC5174, UNC6586, and UAT-6382. The group also utilizes DeedRAT, also known as Snappybee, which is considered a successor to ShadowPad, along with Zingdoor, both of which have been used in operations attributed to Earth Estries in late 2024. Another tool in its arsenal is Draculoader, a shellcode loader designed to deliver additional payloads such as Crowdoor and HemiGate. Researchers emphasized that the presence of these tools suggests that UAT-8302 has access to a shared pool of malware commonly associated with China-nexus actors.
While the exact method used by the group to gain initial access remains unclear, experts believe it likely involves exploitation of zero-day and N-day vulnerabilities in web applications. Once inside a target network, the attackers conduct detailed reconnaissance, using open-source utilities like gogo to scan systems and map network structures. This is followed by lateral movement across compromised environments, eventually leading to deployment of payloads such as NetDraft, CloudSorcerer version 3.0, and VShell. The group has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to retrieve and execute VShell from remote servers, further demonstrating its technical adaptability.
In addition to custom malware, UAT-8302 establishes alternative access mechanisms through proxy and virtual private network tools, including Stowaway and SoftEther VPN. These techniques allow persistent access and complicate detection efforts. The findings also align with a broader trend of collaboration among China-aligned threat groups. In October 2025, Trend Micro described a model referred to as Premier Pass-as-a-Service, where initial access obtained by one group such as Earth Estries is handed off to another group like Earth Naga for further exploitation. This approach reduces the time required for reconnaissance and intrusion, while also limiting exposure by restricting access to a small network of actors. The activity linked to UAT-8302 reflects how shared resources and coordinated tactics continue to shape the evolving landscape of advanced cyber operations.