China-linked APT UAT-8302 Deploys .NET, Rust Malware

Cisco Talos reported UAT-8302 used NetDraft (.NET), SNOWRUST (Rust), CloudSorcerer v3 and VSHELL to breach government agencies in South America in late 2024 and southeastern Europe in 2025.

Cisco Talos reported that UAT-8302, a China-linked advanced persistent threat group, used custom .NET and Rust malware to compromise government agencies in South America beginning in late 2024 and in southeastern Europe during 2025. The actor combined custom backdoors and open-source tools to gain and maintain access.

NetDraft is a C# .NET backdoor related to the FinalDraft/SquidDoor family. It uses the Microsoft Graph API and OneDrive as a command-and-control channel and includes an embedded helper library called FringePorch. NetDraft can execute .NET assemblies, manage files, upload and download data, and run system commands. Because NetDraft lacks built-in persistence, operators typically create scheduled tasks under the SYSTEM account to survive reboots.

CloudSorcerer version 3 followed a three-part side-loading chain: a benign executable, a malicious DLL loader, and an encrypted payload file. The decrypted payload injects into different processes depending on the host, sometimes into explorer.exe or into system services, and obtains command-and-control information from public repositories or actor-controlled data blobs. CloudSorcerer v3 can enumerate disks, manage files, execute received shellcode and collect basic system metadata.

The group delivered VSHELL via a stager called SNOWLIGHT that downloads an XOR-encoded payload using the single-byte key 0x99. A Rust variant of the stager, tracked as SNOWRUST, decodes embedded shellcode and executes it to retrieve the final VSHELL implant. In at least one intrusion VSHELL deployed a native kernel driver derived from an open-source monitoring framework, registering callbacks for process, registry and file events.
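The single-byte XOR encoding described above is the kind of thing an analyst has to undo before a downloaded blob can be examined. The following is an added example, not code from the Talos report: it tries the key the report attributes to SNOWLIGHT (0x99) first and then, more generally, brute-forces all 256 single-byte keys looking for a PE header, so it also works when a stager variant uses a different key. The sample blob is constructed here (a minimal fake PE header XORed with 0x99); no real payload is embedded.

```python
"""Analyst triage helper for single-byte XOR-encoded downloads.

Added example, not code from the Talos report. The sample blob below is
constructed: a minimal fake PE header XORed with 0x99.
"""
from typing import Optional

SNOWLIGHT_KEY = 0x99  # single-byte key the report attributes to the stager


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_xor_key(blob: bytes, preferred: tuple = (SNOWLIGHT_KEY,)) -> Optional[int]:
    """Return the single-byte key that turns blob into a PE, trying known keys first."""
    candidates = list(preferred) + [k for k in range(256) if k not in preferred]
    for key in candidates:
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def decode_payload(blob: bytes) -> Optional[bytes]:
    """Decode the blob if a single-byte XOR key recovers a PE, else None."""
    key = find_xor_key(blob)
    return None if key is None else xor_bytes(blob, key)


def build_fake_pe() -> bytes:
    """Constructed stand-in for a real payload: headers only, no code."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)      # DOS header up to e_lfanew
    hdr += (0x80).to_bytes(4, "little")          # e_lfanew -> NT headers at 0x80
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\x00\x00" + b"\x4c\x01"           # NT signature + Machine = i386
    hdr += b"\x00" * 64
    return bytes(hdr)


# Constructed sample: the fake PE encoded the way the report describes.
ENCODED_SAMPLE = xor_bytes(build_fake_pe(), SNOWLIGHT_KEY)

if __name__ == "__main__":
    key = find_xor_key(ENCODED_SAMPLE)
    print(f"key: {key:#04x}" if key is not None else "no single-byte XOR key found")
```

The PE check is deliberately minimal; for triage the point is only to confirm that a candidate key yields something structured, after which the decoded file goes to the usual static-analysis tooling.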

Initial access relied on exploits for both zero-day and known vulnerabilities, and on benign executables that side-load malicious DLL loaders. In several incidents attackers used a chain of a legitimate EXE, a malicious DLL loader and an encrypted implant file. Implants retrieve commands by querying legitimate services or by reading actor-controlled blobs on public platforms. Persistence was often established by creating scheduled tasks running as SYSTEM.

For discovery and lateral movement the operators used open-source tools and native Windows features, including Impacket for remote execution, WMI and schtasks for remote process creation, PowerShell scripts for endpoint profiling, and adconnectdump and native Get-AD queries for Active Directory data. Network scanners observed in the intrusions included gogo, QScan, naabu and httpx.

The intrusions also used short-lived or shared tools: operators ran DeedRAT/SNAPPYBEE briefly before switching to ZingDoor in one case, used Draculoader for shellcode loading, and reused widely available scanning and pivoting utilities. Cisco Talos linked several of the deployed artifacts to other China-nexus clusters and published details that map tool overlap across those clusters.

After access the actors collected event logs and Active Directory snapshots and set up proxy and VPN clients on compromised hosts using tools such as Stowaway, anyproxy and SoftEther to create resilient channels. Cisco Talos published indicators of compromise, detection signatures, ClamAV signatures, Snort rule IDs and a repository of artifacts tied to the campaign.
