3 malware familiesExploits CVEs in the wild

UAT-6382

Also known asUAT-6382

UAT-6382 is a Chinese-speaking threat actor. Reporting cited in the provided content states that UAT-6382 exploited a Trimble Cityworks zero-day, identified in the content as CVE-2025-0994 and also referenced once as CVE-2025-0944, to deliver Cobalt Strike and VSHELL. The actor has used SNOWLIGHT, a generic stager for the VSHELL malware family. Cisco Talos observed that SNOWLIGHT behavior used by another China-nexus cluster, UAT-8302, shared the same single-byte XOR key (0x99) and stager behavior seen in UAT-6382 activity, indicating tooling overlap. The content also notes that SNOWLIGHT has been used by UNC5174 and UNC6586. No additional aliases or sub-groups for UAT-6382 are provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics4 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1190×2

Exploit Public-Facing Application

TA0003

Persistence

1 technique

T1505

Server Software Component

T1505.003

Web Shell

TA0011

Command and Control

1 technique

T1105

Ingress Tool Transfer

ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

VShellSNOWLIGHT, a VShell stager... The attack chains culminate in the deployment of NetDraft, CloudSorcerer (version 3.0), and VShell.3May 5, 2026

SNOWLIGHTSNOWLIGHT, a VShell stager used by UNC5174, UNC6586, and UAT-6382.2May 5, 2026

Cobalt Strike...exploitation ... to deliver Cobalt Strike and VShell.1Mar 8, 2026

WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2025-0944SQL Injection in itsourcecode Tailoring Management System 1.0 customerview.phpIn the wildEvidence1

successfully exploited CVE-2025-0944

CVE-2025-0994Trimble Cityworks Deserialization RCEIn the wildEvidence1

SNOWLIGHT: A generic stager for the VSHELL malware family, used by UAT-8302. Also used by UAT-6382, who exploited a Cityworks zero-day (CVE-2025-0994) to deploy VSHELL.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

the hacker newsNews

May 5, 2026

China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions

Threat cluster associated with use of the SNOWLIGHT VShell stager.

talos intelligence blogNews

May 5, 2026

UAT-8302 and its box full of malware

Threat cluster observed exploiting a Cityworks zero-day to deploy VSHELL using the SNOWLIGHT stager.

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

Chinese-speaking intrusion cluster exploiting Trimble Cityworks CVE-2025-0944 to deploy web shells/custom malware and post-exploitation tooling (Cobalt Strike, VShell) for long-term access.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.