China-linked UAT-8302 Deploys NetDraft and CloudSorcerer

Cisco Talos disclosed UAT-8302 used NetDraft and CloudSorcerer v3 to target government agencies in South America from late 2024 and in southeastern Europe in 2025.

Cisco Talos disclosed that a China-linked advanced persistent threat tracked as UAT-8302 deployed multiple custom backdoors and open-source tools in campaigns that began against government agencies in South America in late 2024 and expanded to southeastern Europe in 2025. The firm identified a mix of proprietary malware, public services used as command-and-control, and standard red-team tooling in the intrusions.

Initial access methods included exploitation of both zero-day and known vulnerabilities and traditional intrusion techniques. After access, the operators conducted broad reconnaissance with Impacket, scripted PowerShell utilities and automated scanners to inventory domain resources, enumerate users and machines, and extract credentials. Talos observed the group using a Chinese-language Go scanner as well as commonly used tools such as naabu and httpx to map internal services.

For lateral movement and persistence, UAT-8302 used remote process creation, WMI, scheduled tasks and Impacket to push BAT and PowerShell scripts to additional hosts. The actors employed credential-dumping utilities, scripts for Azure AD Connect credential extraction, and tools to pull SSH client credentials. They also harvested event logs and Active Directory snapshots to locate high-value accounts and system configurations.

NetDraft is a .NET backdoor Talos identified as a variant of a known family. The implant was deployed via DLL sideloading: a legitimate executable loads a malicious DLL that decodes the backdoor from an accompanying data file and runs it inside the process. NetDraft communicates using Microsoft Graph and OneDrive mechanisms, can execute .NET assemblies and plugins, transfer files and run remote commands, and is commonly instructed to create scheduled tasks to maintain persistence. An embedded helper library tracked as FringePorch is decompressed at runtime to perform endpoint operations.

CloudSorcerer v3 was also deployed in several intrusions. That backdoor uses a side-loading triad (a benign executable, a malicious loader DLL and an encrypted data file) that decrypts shellcode and injects it into trusted processes. CloudSorcerer retrieves command-and-control details from legitimate public services by reading repository or profile data blobs or decoding service access tokens. Depending on the host process, the implant can inject into other processes, enumerate files, execute commands, collect system information and receive shellcode over named pipes.
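Both NetDraft and CloudSorcerer are delivered through the same on-disk pattern described above: a legitimate executable, an unsigned loader DLL sitting next to it, and a data file that the DLL decodes. The following is an added hunting example, written for this page rather than taken from Talos or from any of the tools mentioned, that scores Sysmon-style image-load records (Event ID 7, with the `Signed` field populated) against a directory listing to surface that triad. All events, paths and file names below are constructed for the example; the trusted-directory prefixes and the set of data-file extensions are assumptions a team would tune to its own environment.

```python
"""
Hunt for the DLL side-loading "triad": a process running outside the usual
install directories that maps an unsigned DLL from its own folder, with a
data/blob file sitting alongside the pair.  Inputs are Sysmon Event ID 7
style image-load records plus a per-directory file listing; both are
constructed inline so the script runs offline.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Assumption: directories where a signed executable normally lives.  A signed
# EXE running elsewhere that loads a sibling, unsigned DLL is the hunt signal.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumption: extensions commonly used for the encrypted payload blob.
DATA_EXTS = {".dat", ".bin", ".db", ".tmp", ".log"}


@dataclass
class ImageLoad:
    image: str         # Sysmon "Image": the process doing the loading
    image_loaded: str  # Sysmon "ImageLoaded": the DLL that was mapped
    signed: bool       # Sysmon "Signed": does the loaded DLL carry a valid signature


@dataclass
class Finding:
    process: str
    dll: str
    data_files: list = field(default_factory=list)

    @property
    def triad_complete(self) -> bool:
        # A sibling data file turns a suspicious load into the full triad.
        return bool(self.data_files)


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def detect_sideload_triads(loads, listing):
    """Return a Finding for every unsigned DLL loaded from the process's own
    (non-standard) directory; mark it complete when a data blob sits beside it."""
    findings = []
    for ev in loads:
        exe = PureWindowsPath(ev.image)
        dll = PureWindowsPath(ev.image_loaded)
        if exe.parent != dll.parent:      # DLL came from System32 etc.: normal
            continue
        if ev.signed:                     # signed sibling DLL: skip
            continue
        if in_trusted_dir(ev.image):      # installed software in the usual place
            continue
        siblings = listing.get(str(exe.parent).lower(), [])
        data_files = sorted(
            f for f in siblings if PureWindowsPath(f).suffix.lower() in DATA_EXTS
        )
        findings.append(Finding(ev.image, ev.image_loaded, data_files))
    return findings


# Constructed sample telemetry (not real indicators).
SAMPLE_LOADS = [
    # full triad: signed-looking EXE in a user-writable dir loads an unsigned sibling DLL
    ImageLoad(r"C:\Users\Public\Sync\update.exe", r"C:\Users\Public\Sync\version.dll", False),
    # unsigned DLL, but under Program Files: treated as installed software
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Program Files\Vendor\helper.dll", False),
    # system DLL from System32: benign
    ImageLoad(r"C:\Users\Public\Sync\update.exe", r"C:\Windows\System32\kernel32.dll", True),
    # suspicious sibling load with no data blob beside it: partial signal
    ImageLoad(r"C:\Temp\app\app.exe", r"C:\Temp\app\plugin.dll", False),
]

SAMPLE_LISTING = {
    r"c:\users\public\sync": ["update.exe", "version.dll", "config.dat"],
    r"c:\program files\vendor": ["tool.exe", "helper.dll"],
    r"c:\temp\app": ["app.exe", "plugin.dll"],
}


def main():
    for f in detect_sideload_triads(SAMPLE_LOADS, SAMPLE_LISTING):
        tag = "TRIAD" if f.triad_complete else "sibling-load"
        print(f"[{tag}] {f.process} -> {f.dll} data={f.data_files}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one `TRIAD` line for the `update.exe` / `version.dll` / `config.dat` set and one `sibling-load` line for the `C:\Temp\app` pair. Treat the output as a triage queue rather than a blocking rule: portable applications legitimately ship unsigned DLLs outside `Program Files`, and the trusted-directory exclusion is a noise trade-off that an actor with write access to those paths would not trip. Pair a hit with the process's subsequent behaviour the article lists (scheduled-task creation, Microsoft Graph or OneDrive traffic from an unexpected binary) before escalating.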

The group used lightweight downloaders and stagers, including SNOWLIGHT and a Rust-based variant called SNOWRUST that decodes and runs SNOWLIGHT shellcode to deliver the VSHELL payload. In at least one intrusion, operators installed a native driver from an open-source Windows host-monitoring project to register callbacks for process, thread, registry and file events.

Other observed tooling included DeedRAT/SNAPPYBEE followed by ZingDoor, and a generic shellcode loader known as Draculoader. The operators set up proxy tunnels and VPN clients on infected systems using Stowaway implementations, anyproxy and SoftEther. Command-and-control infrastructure included domains, IP addresses and cloud-hosted accounts used as repositories for commands, payloads and access tokens. Cisco Talos published indicators of compromise and detection rules to help defenders identify related activity.
