UAT-8302 APT Targets South American and European Governments
Cisco Talos reports UAT-8302, a China-linked APT, targeted South American governments from late 2024 and southeastern European agencies in 2025, using NetDraft, CloudSorcerer v3, VSHELL and other malware.
Cisco Talos published a report on May 5, 2026, identifying UAT-8302 as a China-linked advanced persistent threat group that targeted government entities in South America from late 2024 and government agencies in southeastern Europe in 2025. After gaining access, the group carried out reconnaissance, credential theft and lateral movement to retain access to networks.
Talos described initial access methods that included exploitation of exposed services and reuse of n-day and zero-day techniques. Once inside, operators ran automated discovery and enumeration tools, used PowerShell scripts to inventory systems, and extracted Active Directory and log data with utilities such as adconnectdump and AD Explorer. The actors frequently established persistence with scheduled tasks and used proxy and VPN tools to tunnel traffic out of victim environments.
The intrusions relied on a side-loading pattern: a legitimate executable, a malicious DLL loader and an embedded data file containing the implant. Talos observed NetDraft, a C# .NET backdoor that communicates via Microsoft Graph and OneDrive-based infrastructure. CloudSorcerer version 3 was used to decrypt an embedded payload and inject shellcode into benign processes; it obtained command-and-control information from GitHub repositories or public profiles. VSHELL appeared in other intrusions and was delivered with a SNOWLIGHT stager; Talos also identified a Rust-based stager called SNOWRUST that decodes and launches the same payloads. In one case VSHELL loaded a Windows kernel driver from the Hades HIDS project, giving the actor low-level visibility into process, thread, registry and file events.
Talos reported additional remote access and scanning tools deployed by the group, including Draculoader, SNAPPYBEE/DeedRAT, ZingDoor, Stowaway, Anyproxy and SoftEther VPN clients. The report noted overlaps between UAT-8302 tooling and tools previously observed with other China-linked clusters, and identified shared use of stagers such as SNOWLIGHT in separate campaigns.
On infected networks the group performed deep enumeration: querying AD users and computers, collecting event logs and snapshots, scanning for open SMB shares and harvesting credentials from applications such as MobaXterm. These actions were scripted and automated; the actors used scheduled tasks, WMIC and remote process creation to propagate and execute payloads. Talos also observed the actors using legitimate cloud services and public providers to store command metadata and host next-stage payloads.
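The scheduled-task persistence, WMIC remote process creation and scripted AD enumeration described above leave a recognizable pattern in process-creation telemetry. The following is an added illustration of how a defender might correlate those behaviours per host; it is not code from the Talos report, the sample records are constructed, and the rule names and the two-technique threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation records (hosts, paths and command lines are invented).
SAMPLE_EVENTS = [
    {"host": "srv01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Updater" /tr "C:\\ProgramData\\upd.exe" /sc minute /mo 30'},
    {"host": "srv01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:srv02 process call create "cmd /c C:\\ProgramData\\upd.exe"'},
    {"host": "srv01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-ADComputer -Filter * | Export-Csv C:\\Users\\Public\\c.csv"},
    {"host": "ws07", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /query /tn Backup"},  # benign query, must not match
]

# One regex per behaviour the report describes; tag names are assumptions.
RULES = {
    "persistence.scheduled_task": re.compile(r"schtasks(\.exe)?\s.*?/create\b", re.I),
    "lateral.wmic_remote_process": re.compile(
        r"wmic(\.exe)?\s.*?/node:\S+.*?process\s+call\s+create", re.I),
    "discovery.ad_enumeration": re.compile(
        r"Get-AD(User|Computer|Group)\b|adconnectdump|ADExplorer", re.I),
}

def match_events(events):
    """Return {host: sorted list of behaviour tags seen on that host}."""
    hits = defaultdict(set)
    for ev in events:
        for tag, pat in RULES.items():
            if pat.search(ev["cmdline"]):
                hits[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items()}

def flag_hosts(events, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours; a single
    scheduled task or AD query alone is too common to alert on."""
    return sorted(h for h, tags in match_events(events).items()
                  if len(tags) >= threshold)

if __name__ == "__main__":
    for host, tags in match_events(SAMPLE_EVENTS).items():
        print(host, tags)
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

Correlating several weak signals per host, rather than alerting on each, is what keeps the benign `schtasks /query` on ws07 from producing noise.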
The report includes indicators of compromise: file hashes, domains and IP addresses, plus detection material such as ClamAV signatures and Snort rules. Talos provided full IOCs on its GitHub repository. In its report Talos wrote: “Talos assesses with high confidence that UAT-8302 is a China-nexus advanced persistent threat (APT) group tasked primarily with obtaining and maintaining long-term access to government and related entities around the world.”
Talos linked UAT-8302 to previously documented activity by China-linked clusters that targeted governments and critical infrastructure in Southeast Asia, Japan and Russia, and noted reuse of loaders, stagers and cloud-based command channels across those incidents.