China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions

Cisco Talos attributes attacks on South American governments since late 2024 and southeastern European agencies in 2025 to a China-nexus APT tracked as UAT-8302, with post-exploitation marked by deployment of custom malware. The group uses tools such as the .NET backdoor NetDraft (NosyDoor), CloudSorcerer, VShell and SNOWRUST, and appears to share access and tooling with other China-aligned actors under models like “Premier Pass-as-a-Service.” #UAT-8302 #NetDraft

Keypoints

  • UAT-8302 has targeted government entities in South America since late 2024 and southeastern Europe in 2025.
  • Post-exploitation activity includes deployment of custom malware such as NetDraft (NosyDoor), CloudSorcerer v3.0, and VShell.
  • NetDraft is a .NET/C# backdoor linked to multiple China-aligned clusters, including associations reported as LongNosedGoblin and Ink Dragon.
  • The attackers use SNOWRUST to retrieve VShell and employ proxy/VPN tools like Stowaway and SoftEther for persistent access.
  • Initial access is suspected to involve weaponized zero-day and N-day web application exploits, and attackers demonstrate inter-group collaboration via “Premier Pass-as-a-Service.”

Read More: https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html