2026-05-05 00:00
β BackA sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. The activity is being tracked by Cisco Talos under the monikerUAT-8302, with post-exploitation involving the deployment of custom-made malware families that have been put to use by other China-aligned hacking groups. Notable among the malware families is a .NET-based backdoor dubbed NetDraft (aka NosyDoor), a C# variant ofFINALDRAFT(aka Squidoor) that has been previously linked to threat clusters known asInk Dragon,CL-STA-0049, Earth Alux,Jewelbug, andREF7707. ESET is tracking the use of NosyDoor to a group it callsLongNosedGoblin. Interestingly, the same malware has also been deployed against Russian IT organizations by a threat actor referred to asErudite Mogwai(aka Space Pirates and Webworm), per Russian cybersecurity company Solar, which has given it the nameLuckyStrike Agent. Some of the other tools utilized by UAT-8302 are as follows - "Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least," Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White said in a technical report published today. "Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated...
A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. The activity is being tracked by Cisco Talos under the monikerUAT-8302, with post-exploitation involving the deployment of custom-made malware families that have been put to use by other China-aligned hacking groups. Notable among the malware families is a .NET-based backdoor dubbed NetDraft (aka NosyDoor), a C# variant ofFINALDRAFT(aka Squidoor) that has been previously linked to threat clusters known asInk Dragon,CL-STA-0049, Earth Alux,Jewelbug, andREF7707. ESET is tracking the use of NosyDoor to a group it callsLongNosedGoblin. Interestingly, the same malware has also been deployed against Russian IT organizations by a threat actor referred to asErudite Mogwai(aka Space Pirates and Webworm), per Russian cybersecurity company Solar, which has given it the nameLuckyStrike Agent. Some of the other tools utilized by UAT-8302 are as follows - "Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least," Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White said in a technical report published today. "Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports." It's currently not known what initial access methods the adversary employs to break into target networks, but it's suspected to involve the tried-and-tested approach of weaponizing zero-day and N-day exploits in web applications. Upon gaining a foothold, the attackers are known to conduct extensive reconnaissance to map out the network, run open-source tools likegogoto perform automated scanning, and move laterally across the environment.
The attack chains culminate in the deployment of NetDraft, CloudSorcerer (version 3.0), and VShell. UAT-8302 has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to download the VShell payload from a remote server and execute it. Besides using custom malware, the threat actor sets up alternative means of backdoor access using proxy and VPN tools like Stowaway and SoftEther VPN. The findings underscore the trend of advanced collaboration tactics between multiple China-aligned groups. In October 2025, Trend Micro shed light on a phenomenon called "Premier Pass-as-a-Service," where initial access obtained by Earth Estries is passed to Earth Naga for follow-on exploitation, clouding attrition efforts. This partnership is assessed to have existed since at least late 2023. "Premier Pass-as-a-Service provides direct access to critical assets, reducing the time spent on reconnaissance, initial exploitation and lateral movement phases," Trend Micro said. "Although the full extent of this model is not yet known, the limited number ofobserved incidents, combined with the substantial risk of exposure such a service entails, suggests that access is likely restricted to a small circle of threat actors." Learn how to stop patient zero attacks before they bypass detection and compromise your systems at entry points.
Learn how to validate real attack paths and reduce exploitable risk with continuous agentic security validation. Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.