Mallory
Malware families tracked: 16

UAT-8302

Also known as: uat_8302

UAT-8302 is a sophisticated China-nexus advanced persistent threat group tracked by Cisco Talos. Talos reported that the group has targeted government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. Talos assessed with high confidence that UAT-8302 is tasked primarily with gaining and maintaining long-term access to government and related entities worldwide. Observed post-compromise activity includes deep reconnaissance, credential collection, Active Directory enumeration, lateral movement, proxying, and persistence.

Reported tooling includes custom malware and open-source utilities such as Impacket, gogo, QScan, naabu, dddd, httpx, PortQry, adconnectdump.py, AD Explorer, SharpGetUserLoginRDP/SharpGetUserLoginIPRP, MobaXtermDecryptor, Stowaway, anyproxy, and SoftEther VPN.

Malware associated with UAT-8302 includes NetDraft, CloudSorcerer v3, VSHELL, SNOWLIGHT, SNOWRUST, SNAPPYBEE/DeedRAT, ZingDoor, and Draculoader. NetDraft is a .NET backdoor delivered via DLL side-loading; it communicates through the Microsoft Graph API using a OneDrive-based command-and-control channel. Talos links it to the FinalDraft/SquidDoor family and notes that ESET tracks related activity as NosyDoor, used by LongNosedGoblin. CloudSorcerer v3 was observed either using named pipes or retrieving command-and-control information from GitHub, depending on the host process. SNOWRUST is a Rust-based variant of the SNOWLIGHT stager used to download and execute VSHELL. In at least one intrusion, UAT-8302 deployed SNAPPYBEE together with ZingDoor.

Cisco Talos assessed with high confidence that UAT-8302 shares tooling with previously disclosed China-nexus clusters and indicated a close operational relationship with LongNosedGoblin. The reporting also notes tooling overlap with activity associated with Jewelbug/REF7707/CL-STA-0049, Earth Estries, Earth Naga, UNC5174, UNC6586, and UAT-6382.
The exact initial access vector is not known; Talos suspects exploitation of zero-day and N-day vulnerabilities in web applications. Known aliases and related names mentioned in the reporting include UAT-8302, NetDraft/NosyDoor, SNAPPYBEE/DeedRAT, and FinalDraft/SquidDoor.


MITRE ATT&CK tradecraft

33 distinct techniques observed across reporting, grouped by tactic (12 of 15 tactics covered; 46 technique entries across the tactic groupings). ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (1 technique)
  T1595 Active Scanning ×2

TA0001 Initial Access (2 techniques)
  T1133 External Remote Services
  T1190 Exploit Public-Facing Application ×2

TA0002 Execution (4 techniques)
  T1047 Windows Management Instrumentation
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1059 Command and Scripting Interpreter ×2
    T1059.001 PowerShell
  T1559 Inter-Process Communication
    T1559.001 Component Object Model ×2

TA0003 Persistence (2 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1133 External Remote Services

TA0004 Privilege Escalation (2 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1055 Process Injection ×2

TA0005 Stealth (MITRE: Defense Evasion) (4 techniques)
  T1055 Process Injection ×2
  T1070 Indicator Removal
    T1070.004 File Deletion
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks
  T1564 Hide Artifacts
    T1564.001 Hidden Files and Directories

TA0006 Credential Access (2 techniques)
  T1003 OS Credential Dumping
  T1555 Credentials from Password Stores

TA0007 Discovery (10 techniques)
  T1007 System Service Discovery
  T1018 Remote System Discovery
  T1033 System Owner/User Discovery
  T1046 Network Service Discovery ×3
  T1069 Permission Groups Discovery
  T1082 System Information Discovery ×2
  T1087 Account Discovery
  T1135 Network Share Discovery
  T1482 Domain Trust Discovery
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks

TA0008 Lateral Movement (1 technique)
  T1021 Remote Services
    T1021.002 SMB/Windows Admin Shares

TA0009 Collection (1 technique)
  T1560 Archive Collected Data

TA0011 Command and Control (4 techniques)
  T1071 Application Layer Protocol
  T1090 Proxy ×3
    T1090.002 External Proxy
    T1090.003 Multi-hop Proxy
  T1102 Web Service
  T1105 Ingress Tool Transfer ×3

TA0010 Exfiltration (1 technique)
  T1567 Exfiltration Over Web Service
Observables (IOCs)

45 indicators are attributed to this actor (domains, IPs, hashes, and other artifacts pulled from reporting); the indicator values are gated and not reproduced on this page.
