UAT-8302 uses shared malware to breach government agencies

China-linked APT UAT-8302 deployed NetDraft, CloudSorcerer and SNOWLIGHT/SNOWRUST to breach government agencies in South America from late 2024 and in southeastern Europe in 2025.

Cisco Talos attributed a series of intrusions to a China-linked advanced persistent threat it tracks as UAT-8302. The group used multiple shared malware families, including the .NET backdoor NetDraft (NosyDoor), CloudSorcerer and SNOWLIGHT/SNOWRUST, against government agencies in South America beginning in late 2024 and in southeastern Europe in 2025.

NetDraft is a C# variant of FINALDRAFT (also called Squidoor). Talos noted the backdoor has appeared in operations tied to several China-aligned clusters. Security firms have observed the same or similar backdoors under different names when used by different actors.

Talos investigators have not confirmed the exact initial access vector, but they assess that it likely involves exploitation of web-application flaws, both zero-days and known N-day vulnerabilities. After gaining a foothold, the actors run broad reconnaissance, use automated scanning tools such as gogo to map networks, and move laterally to identify high-value targets.

At later stages the attackers install persistent backdoors. Talos reported NetDraft, CloudSorcerer version 3.0 and VShell among the end-stage payloads. The group used a VShell stager known as SNOWLIGHT and a Rust-based variant called SNOWRUST that downloads and executes the VShell payload.

Other components observed in UAT-8302 activity include Deed RAT (also tracked as Snappybee), loaders such as Zingdoor and Draculoader, and payloads delivered by those loaders like Crowdoor and HemiGate. The actor also deployed proxy and VPN tools, including Stowaway and SoftEther VPN, to maintain redundant access paths and obscure connections.

Talos researchers wrote that the malware deployed by UAT-8302 links the actor to several previously disclosed threat clusters and shows the group has access to tools used by other China-aligned actors. Security researchers have described a model, sometimes called ‘Premier Pass-as-a-Service,’ in which initial access obtained by one operator is passed to another for follow-on exploitation; instances of that model date back to at least late 2023.

Talos’ timeline places the earliest UAT-8302 intrusions in South America in late 2024, with activity expanding into southeastern Europe in 2025. Talos’ analysis also notes the reuse of the same malware families and loaders across these different campaigns.