Mallory
Espionage | 1 malware family

Earth Naga

Also known as: Earth Naga

Earth Naga is a China-aligned advanced persistent threat group. It has been linked to the targeting of government agencies in Southeast Asia and is described as part of a collaborative operating model with another China-aligned actor, Earth Estries. Trend Micro reported a "Premier Pass-as-a-Service" relationship in which Earth Estries acts as an access broker and passes initial access to Earth Naga for follow-on exploitation; this partnership was assessed to have existed since at least late 2023. The model is reported to reduce time spent on reconnaissance, initial exploitation, and lateral movement, and is likely restricted to a small circle of threat actors. Earth Naga is also noted as a user of Draculoader, a generic shellcode loader that has been used by both Earth Estries and Earth Naga. Known alias: earth_naga.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.
