A sophisticated China-nexus advanced persistent threat (APT) group, tracked as UAT-8302 by Cisco Talos, has been linked to cyber espionage campaigns targeting government entities in South America since late 2024 and government agencies in southeastern Europe throughout 2025. The group’s operations involve the deployment of custom malware families, some of which have been previously associated with other China-aligned hacking operations, indicating a complex network of threat actor collaboration. The sustained activity underscores a growing threat to governmental infrastructure in both regions.
These findings highlight the evolving tactics of nation-state sponsored actors and their persistent efforts to gain access to sensitive governmental data. The attribution to China-nexus groups suggests a strategic interest in the targeted regions, potentially for intelligence gathering or political influence. The use of shared malware families points to a coordinated or at least a highly interconnected threat landscape, making attribution and defense increasingly challenging for cybersecurity professionals.
UAT-8302: A Sophisticated China-Aligned Threat Actor
Cisco Talos researchers describe UAT-8302 as a formidable adversary that relies on advanced techniques and custom malware. Its post-exploitation activity is characterized by the deployment of a diverse set of malicious tools, many of which have been documented in association with other China-aligned threat clusters. This shared tooling suggests a close working relationship between different APT groups operating under the broader China-nexus umbrella.
One of the key malware families employed by UAT-8302 is NetDraft, a .NET-based backdoor also known as NosyDoor. It is a C# variant of FINALDRAFT (Squidoor), which has previously been linked to prominent threat clusters including Ink Dragon, CL-STA-0049, Earth Alux, Jewelbug, and REF7707. The cybersecurity firm ESET attributes the use of NosyDoor to a group it tracks as LongNosedGoblin. Notably, the same malware has also been observed in attacks against Russian IT organizations; the Russian company Solar attributes those attacks to a threat actor named Erudite Mogwai (Space Pirates, Webworm) and refers to the malware as LuckyStrike Agent.
Malware Families and Tooling
The set of malware used by UAT-8302 is extensive and shows adaptation and reuse of existing tools. Beyond NetDraft/NosyDoor, the group has been observed using CloudSorcerer (version 3.0) and VShell. Researchers have also documented its use of SNOWRUST, a Rust-based variant of the SNOWLIGHT malware, specifically to download and execute VShell payloads from remote servers.
In addition to its custom malware arsenal, UAT-8302 establishes alternative backdoor access channels using readily available proxy and VPN tools such as Stowaway and SoftEther VPN. Maintaining several independent channels for persistence and command and control makes the group's access harder to fully evict and increases its operational resilience.
“Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least,” stated Cisco Talos researchers in their technical report. “Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports.”
While the initial access vectors used by UAT-8302 remain under investigation, researchers suspect the use of weaponized zero-day and N-day exploits against web applications. Once inside a network, the attackers conduct thorough reconnaissance, using open-source tools such as gogo for automated scanning and mapping the network topology in detail. This preparatory phase lets them move laterally within the compromised environment and sets the stage for the final payload deployment.
Emerging Collaboration Tactics in the APT Landscape
The findings on UAT-8302’s operations point to a broader trend of collaboration among multiple China-aligned threat groups. Trend Micro documented this pattern in October 2025, describing a phenomenon it termed “Premier Pass-as-a-Service.” Under this model, initial access gained by one group, such as Earth Estries, is handed over to another, like Earth Naga, for subsequent exploitation and attrition efforts. This partnership is believed to have been operational since at least late 2023.
“Premier Pass-as-a-Service provides direct access to critical assets, reducing the time spent on reconnaissance, initial exploitation and lateral movement phases,” Trend Micro observed. “Although the full extent of this model is not yet known, the limited number of observed incidents, combined with the substantial risk of exposure such a service entails, suggests that access is likely restricted to a small circle of threat actors.”
The continuous refinement of these collaborative strategies by China-nexus APT groups poses a significant and evolving challenge to global cybersecurity defenses. The ability to share access, tools, and intelligence allows these actors to operate with greater efficiency and stealth, making them a persistent threat to government and critical infrastructure entities worldwide. Future threat intelligence will likely focus on dissecting these inter-group dynamics to better anticipate and counter their evolving attack methodologies.