{"id":815,"date":"2026-05-05T16:21:09","date_gmt":"2026-05-05T16:21:09","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=815"},"modified":"2026-05-05T16:21:09","modified_gmt":"2026-05-05T16:21:09","slug":"china-linked-uat-8302-targets-governments-using-shared-apt-malware-across-regions","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=815","title":{"rendered":"China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">May 05, 2026<\/span><\/span><span class=\"p-tags\">Network Security \/ Endpoint Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhcz8_PjYKknoot4F_PnjDZ7F1HhyphenhyphenIATFohYVF1OQYLSUFwiOPknnFF3ShgQKtKtfOEUbwUcfB-xhQAbi3dBsUvKki_ooKqYmQR3KfzcC1U443sR89JlLu5oPDJcEz9GXfEo5GwtMNj8s7HGg5-qsaR0sqqkSOUBsNFcqrz9NPDPyU6lQNl2RRtADTFzK0f\/s1700-e365\/chinese-hackers-2.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.<\/p>\n<p>The activity is being tracked by Cisco Talos under the moniker <strong><a href=\"https:\/\/blog.talosintelligence.com\/uat-8302\/\">UAT-8302<\/a><\/strong>, with post-exploitation involving the deployment of custom-made malware families that have been put to use by other China-aligned hacking groups.<\/p>\n<p>Notable among the malware families is a .NET-based backdoor dubbed NetDraft (aka NosyDoor), a C# variant of FINALDRAFT (aka Squidoor) that has been previously linked to threat clusters known as Ink Dragon, CL-STA-0049, Earth Alux, Jewelbug, and REF7707.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/threatlabz-vpn-risk-2026-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhnNON5UeWywT7OcPNw7V4L7QNWnCnm7Xl_99Y9ek8dL-gRwx-bWxQM1TKqt8deqqrdpUyKMuuijAWyyPQVB0s0qf8ntQ6ldFAJLru-QUWhddKTopc7SeNbBBnd-TsfFyRPP-AAyDuclLlL6XHK4_LXqDC_7eyaz9pzToYr7U543MhrJ7qcK-89sVWHTQUZ\/s728-e100\/zz-2-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>ESET is tracking the use of NosyDoor to a group it calls LongNosedGoblin. Interestingly, the same malware has also been deployed against Russian IT organizations by a threat actor referred to as Erudite Mogwai (aka Space Pirates and Webworm), per Russian cybersecurity company Solar, which has given it the name\u00a0<a href=\"https:\/\/rt-solar.ru\/solar-4rays\/blog\/5603\/\">LuckyStrike Agent<\/a>.<\/p>\n<p>Some of the other tools utilized by UAT-8302 are as follows &#8211;<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh5ZpefWFkzSnYQSxJEXGvLV2h-plplUiT5wCJfmhpWlRmMF7ohtykjDm4WUq4WRBilLxH0hc1wUcUhw84yVIX-9XivNiCoUTymvusZUM7SjZP9OFS9OjpR0E88L7Ayyfso9mxZ7k1-ZatkTYVym7JQBGVqtaQ0GzgrHphUboD0zKcD9hs38_-i4EAg3CWi\/s1700-e365\/dots.jpeg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh5ZpefWFkzSnYQSxJEXGvLV2h-plplUiT5wCJfmhpWlRmMF7ohtykjDm4WUq4WRBilLxH0hc1wUcUhw84yVIX-9XivNiCoUTymvusZUM7SjZP9OFS9OjpR0E88L7Ayyfso9mxZ7k1-ZatkTYVym7JQBGVqtaQ0GzgrHphUboD0zKcD9hs38_-i4EAg3CWi\/s1700-e365\/dots.jpeg\" alt=\"\" border=\"0\" data-original-height=\"779\" data-original-width=\"936\"\/><\/a><\/div>\n<p>\u00a0\u00abMalware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least,\u00bb Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White said in a technical report published today.<\/p>\n<p>\u00abOverall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports.\u00bb<\/p>\n<p>It&#8217;s currently not known what initial access methods the adversary employs to break into target networks, but it&#8217;s suspected to involve the tried-and-tested approach of weaponizing zero-day and N-day exploits in web applications.<\/p>\n<p>Upon gaining a foothold, the attackers are known to conduct extensive reconnaissance to map out the network, run open-source tools like\u00a0<a href=\"https:\/\/github.com\/chainreactors\/gogo\">gogo<\/a> to perform automated scanning, and move laterally across the environment. The attack chains culminate in the deployment of NetDraft, CloudSorcerer (version 3.0), and VShell.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ai-cant-stop-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjPEV6-530TOlxG6PjrmdlY623wpBwduZ7t1HV6flcmO5R4q4AmfixDUzW0CrhlvMVNWbhvOIso-UDNTka4W_W9Chrdj_dglwBZwi7DuePM2IMIl-hfUYVIqBXgfpr_2619K8Gptb4LzwJ6gUbi7lWl2M8AFQJsHEaw63Q7tZ6708YGruiHrr0Y2W9YYxLQ\/s728-e100\/ThreatLocker-d.png\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>UAT-8302 has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to download the VShell payload from a remote server and execute it. Besides using custom malware, the threat actor sets up alternative means of backdoor access using proxy and VPN tools like Stowaway and SoftEther VPN.<\/p>\n<p>The findings underscore the trend of advanced collaboration tactics between multiple China-aligned groups. In October 2025, Trend Micro shed light on a phenomenon called \u00abPremier Pass-as-a-Service,\u00bb where initial access obtained by Earth Estries is passed to Earth Naga for follow-on exploitation, clouding attrition efforts. This partnership is assessed to have existed since at least late 2023.<\/p>\n<p>\u00abPremier Pass-as-a-Service provides direct access to critical assets, reducing the time spent on reconnaissance, initial exploitation and lateral movement phases,\u00bb Trend Micro said. \u00abAlthough the full extent of this model is not yet known, the limited number of observed incidents, combined with the substantial risk of exposure such a service entails, suggests that access is likely restricted to a small circle of threat actors.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802May 05, 2026Network Security \/ Endpoint Security A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least&hellip;<\/p>\n","protected":false},"author":1,"featured_media":816,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1528,479,378,42,1529,1527,78,1526],"class_list":["post-815","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-apt","tag-chinalinked","tag-governments","tag-malware","tag-regions","tag-shared","tag-targets","tag-uat8302"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=815"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/815\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/816"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}