
UAT-8302 Deploys Advanced Backdoors in Ongoing Government Cyber Attacks

A highly advanced cyber espionage group with ties to China has been linked to a wave of attacks against government institutions in South America and southeastern Europe, according to new findings from Cisco Talos.

The threat group, tracked as UAT-8302, has reportedly been active since late 2024, with operations continuing into 2025. Researchers say the group uses a mix of custom malware and shared tools commonly seen among other China-aligned hacking operations.

Shared Malware Signals Broader Collaboration

One of the key tools identified in these attacks is a .NET-based backdoor known as NetDraft (also called NosyDoor). This malware is a modified version of an earlier tool called FINALDRAFT and has previously been linked to several known threat clusters.

Security researchers note that this same malware family has appeared in campaigns tied to groups such as Ink Dragon, Earth Alux, and others, suggesting overlap or cooperation between multiple actors.

For example:

This reuse of tools across different campaigns points to a shared ecosystem rather than isolated operations.

Arsenal of Advanced Tools

Beyond NetDraft, UAT-8302 relies on several other sophisticated tools, including:

Researchers believe this wide toolset highlights access to a broader pool of malware typically used by well-funded APT groups.

Attack Method and Behavior

While the exact entry point remains unclear, analysts suspect the attackers rely on exploiting vulnerabilities in web applications, including both zero-day and known flaws.

Once inside a network, the group follows a structured approach:

  1. Reconnaissance – mapping systems and identifying valuable targets
  2. Scanning – using tools like gogo to automate discovery
  3. Lateral Movement – spreading across systems within the network
  4. Payload Deployment – installing backdoors such as NetDraft and CloudSorcerer

In some cases, a Rust-based version of SNOWLIGHT, known as SNOWRUST, is used to fetch and execute remote payloads.

Persistence and Evasion Techniques

To maintain long-term access, UAT-8302 also deploys proxy and VPN-based tools such as Stowaway and SoftEther VPN. These tools help the attackers stay hidden and regain access even if initial entry points are removed.

Growing Trend of “Access Sharing” Among Hackers

The findings also highlight a broader shift in how advanced threat groups operate. According to Trend Micro, some China-linked groups are now working together through a model known as “Premier Pass-as-a-Service.”

In this setup, one group gains initial access to a target network and then hands it off to another group for further exploitation. This reduces the time needed to carry out attacks and makes attribution more difficult.

Researchers believe this model has been in use since at least 2023, although it appears limited to a small circle of highly trusted threat actors due to the risks involved.

What This Means

The activity linked to UAT-8302 shows how modern cyber espionage campaigns are becoming more coordinated and more reliant on shared tooling and access. For governments and organizations, this makes detection and response harder.

Security teams are advised to strengthen monitoring, patch vulnerabilities quickly, and watch for unusual lateral movement or outbound connections that may indicate hidden backdoors.
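The two behaviours named above (a host fanning out to many internal systems on administrative ports, and a host calling the same external address at regular intervals, as a proxy or backdoor would) can be checked with simple connection-log analytics. The script below is an added illustration and is not code from the Talos report or from this article; the log format, the private-address prefixes, the port list and the thresholds are all assumptions chosen for the example, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample connection log (not taken from the Talos report).
# Fields: timestamp, source IP, destination IP, destination port.
SAMPLE_LOG = """\
2025-01-15T10:00:00 10.0.0.7 203.0.113.9 443
2025-01-15T10:00:41 10.0.0.5 10.0.0.10 445
2025-01-15T10:01:12 10.0.0.20 198.51.100.4 443
2025-01-15T10:02:03 10.0.0.5 10.0.0.11 445
2025-01-15T10:03:30 10.0.0.5 10.0.0.12 3389
2025-01-15T10:05:00 10.0.0.7 203.0.113.9 443
2025-01-15T10:06:17 10.0.0.5 10.0.0.13 5985
2025-01-15T10:10:00 10.0.0.7 203.0.113.9 443
2025-01-15T10:15:00 10.0.0.7 203.0.113.9 443
2025-01-15T10:17:45 10.0.0.20 198.51.100.4 443
2025-01-15T10:20:00 10.0.0.7 203.0.113.9 443
2025-01-15T10:22:09 10.0.0.21 10.0.0.10 445
2025-01-15T10:44:03 10.0.0.20 198.51.100.4 443
"""

# Assumed internal address space and the remote-administration ports
# typically used for lateral movement (SSH, RPC, SMB, RDP, WinRM).
INTERNAL_PREFIXES = ("10.", "192.168.")
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port)})
    return events


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def detect_lateral_movement(events, min_targets=3):
    """Flag internal hosts that reach >= min_targets distinct internal
    hosts on administrative ports. Returns {src: [dst, ...]}."""
    targets = defaultdict(set)
    for e in events:
        if is_internal(e["src"]) and is_internal(e["dst"]) and e["port"] in ADMIN_PORTS:
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def detect_beaconing(events, min_connections=4, max_jitter=0.2):
    """Flag (src, external dst) pairs whose connection intervals are
    nearly constant, i.e. stdev/mean <= max_jitter. Returns
    {(src, dst): mean_interval_seconds}."""
    times = defaultdict(list)
    for e in events:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            times[(e["src"], e["dst"])].append(e["ts"])
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        jitter = statistics.pstdev(intervals) / mean if mean else float("inf")
        if jitter <= max_jitter:
            beacons[key] = round(mean)
    return beacons


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("lateral movement:", detect_lateral_movement(evts))
    print("beaconing:", detect_beaconing(evts))
```

On the constructed log, 10.0.0.5 is reported for touching four internal hosts on SMB, RDP and WinRM ports, and 10.0.0.7 for contacting 203.0.113.9 every 300 seconds; the single SMB connection from 10.0.0.21 and the three irregular HTTPS connections from 10.0.0.20 fall below the thresholds. In a real deployment the thresholds and port list should be tuned against the organization's own baseline, since scanners, backup agents and update clients produce similar patterns legitimately.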
