
China-Linked UAT-8302 Exploits Shared Malware to Target Global Governments


"Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least," Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White wrote in a technical report published today.

Cisco Talos identifies UAT-8302 and its geographic focus

Cisco Talos is tracking a sophisticated, China-nexus advanced persistent threat (APT) cluster under the label UAT-8302. According to the Talos report, the group has been observed targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. Post-exploitation activity attributed to UAT-8302 includes deployment of custom-made malware families that overlap with tooling used by other China-aligned actors.

NetDraft/NosyDoor/FINALDRAFT: a shared backdoor across clusters

One of the most notable artifacts tied to UAT-8302 is a .NET-based backdoor called NetDraft (also referred to as NosyDoor). Talos describes it as a C# variant of FINALDRAFT (aka Squidoor). Industry reporting links FINALDRAFT variants to multiple clusters tracked as Ink Dragon, CL-STA-0049, Earth Alux, Jewelbug, and REF7707. ESET attributes the use of NosyDoor to a group it calls LongNosedGoblin, while Russian cybersecurity company Solar observed the same malware family deployed by an actor it calls Erudite Mogwai (aka Space Pirates and Webworm), labeling the component LuckyStrike Agent. The reuse of NetDraft/NosyDoor across these differently named clusters is a central piece of Talos's argument that UAT-8302 operates in close technical proximity to other groups.

Toolset inventory: CloudSorcerer, SNOWLIGHT/SNOWRUST, Deed RAT, Draculoader and more

Talos cataloged a range of additional tooling used by UAT-8302 that mirrors capabilities seen across other China-aligned clusters. Those include:

  • CloudSorcerer, a backdoor Talos notes has been observed in attacks against Russian entities since May 2024.
  • SNOWLIGHT, a VShell stager known to be used by UNC5174, UNC6586, and UAT-6382; Talos also observed a Rust-based variant called SNOWRUST that downloads the VShell payload from a remote server and executes it.
  • Deed RAT (aka Snappybee), described as a successor of ShadowPad, and Zingdoor—both reported deployed by Earth Estries in late 2024.
  • Draculoader, a generic shellcode loader that Talos says is used to deliver Crowdoor and HemiGate.

Talos specifically highlights that many intrusions end with the same final payloads in place: NetDraft, CloudSorcerer (version 3.0), and VShell.

Observed tactics: reconnaissance, lateral movement, and alternate backdoors

The report does not assert a definitive initial access vector. Talos says it is not currently known how UAT-8302 gains initial entry, but suspects the actor weaponizes zero-day and N-day exploits against web applications. Once inside, the adversary conducts extensive reconnaissance, including automated scanning with open-source tools such as gogo, and performs lateral movement across networks. In addition to custom malware, the group has set up alternate persistence and access channels using proxy and VPN tools such as Stowaway and SoftEther VPN.

What this means for technologists, policymakers, and affected governments

  • Technologists and security teams: Prioritize detection for NetDraft/NosyDoor activity, CloudSorcerer (v3.0), VShell stager behavior, and indicators related to SNOWRUST and gogo scanning. Because the same toolset is shared across clusters, signature- and tooling-based attribution becomes less reliable, which raises the importance of behavioral detection of what the tools do on the network rather than which binary did it.
  • Policymakers and regulators: The Talos findings align with Trend Micro reporting about a "Premier Pass-as-a-Service" model (described in October 2025) in which initial access obtained by one cluster—Earth Estries—is passed to others such as Earth Naga. Trend Micro noted: "Premier Pass-as-a-Service provides direct access to critical assets, reducing the time spent on reconnaissance, initial exploitation and lateral movement phases," and warned that the model "suggests that access is likely restricted to a small circle of threat actors."
  • Affected governments in South America and southeastern Europe: The presence of cross-cluster tooling and alternate VPN/proxy access channels increases the operational risk to government environments. Talos's linkage of artifacts like NetDraft, SNOWLIGHT/SNOWRUST, CloudSorcerer, and Deed RAT to UAT-8302 provides a focused set of telemetry to monitor during incident response and hunting.
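The reconnaissance and behavioral-detection points above (automated scanning with tools such as gogo, and detection that keys on behavior rather than on a specific binary) can be illustrated with a small scan-burst detector. The following is an added example written for this page; it is not code from the Talos report or from any of the tools named here. The log format, the hosts, the timestamps, and the thresholds are all constructed for illustration, and the detector flags any internal source that reaches an unusually large number of distinct host:port pairs inside a short window, whatever scanner produced the traffic.

```python
"""Behavioral scan-burst detector over constructed firewall/flow logs.

Added example for this page, not code from the Talos report. The log
line format, hosts, timestamps and thresholds below are constructed
assumptions; adapt parse_line() to the real log source before use.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


class Event(NamedTuple):
    ts: datetime
    src: str
    dst_ip: str
    dst_port: int
    action: str


def parse_line(line: str) -> Event:
    """Parse one constructed line: '<ISO8601> <src> -> <dst_ip>:<port> <action>'."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Event(datetime.strptime(ts, TS_FMT), src, dst_ip, int(dst_port), action)


def build_sample_logs() -> List[str]:
    """Constructed sample: one host sweeping 12 hosts x 5 ports in ~24 s,
    plus one host with a handful of ordinary connections (assumed traffic)."""
    base = datetime(2025, 3, 4, 10, 0, 0)
    lines = []
    for i in range(1, 13):  # scanner-like host: 60 distinct targets
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        for port in (22, 80, 443, 445, 3389):
            lines.append(f"{ts} 10.20.5.17 -> 10.20.7.{i}:{port} deny")
    for k in range(4):  # benign host: repeated HTTPS to one server
        ts = (base + timedelta(minutes=3 * k)).strftime(TS_FMT)
        lines.append(f"{ts} 10.20.5.40 -> 10.20.7.5:443 allow")
    ts = (base + timedelta(minutes=1)).strftime(TS_FMT)
    lines.append(f"{ts} 10.20.5.40 -> 10.20.7.6:445 allow")
    return lines


def detect_scan_bursts(lines: List[str], window_seconds: int = 60,
                       min_targets: int = 20) -> Dict[str, dict]:
    """Return {src: summary} for sources that touched >= min_targets distinct
    (dst_ip, dst_port) pairs inside any sliding window of window_seconds.
    Counts are maintained incrementally so a real log volume stays O(n)."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_src[ev.src].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts: Dict[str, dict] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        in_window: Counter = Counter()  # (dst_ip, dst_port) -> hits in window
        start = 0
        for ev in evs:
            in_window[(ev.dst_ip, ev.dst_port)] += 1
            while ev.ts - evs[start].ts > window:  # expire old events
                old = evs[start]
                key = (old.dst_ip, old.dst_port)
                in_window[key] -= 1
                if in_window[key] == 0:
                    del in_window[key]
                start += 1
            if len(in_window) >= min_targets:
                prev = alerts.get(src)
                if prev is None or len(in_window) > prev["distinct_targets"]:
                    alerts[src] = {
                        "first_seen": evs[start].ts.strftime(TS_FMT),
                        "last_seen": ev.ts.strftime(TS_FMT),
                        "distinct_targets": len(in_window),
                        "hosts": len({ip for ip, _ in in_window}),
                        "ports": sorted({port for _, port in in_window}),
                    }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_scan_bursts(build_sample_logs()).items():
        print(f"scan-like burst from {src}: {summary}")
```

The threshold and window are the tunable parts: a source that hits twenty distinct host:port pairs within a minute is far outside what a workstation does on its own, but a vulnerability scanner or a backup server would trip it too, so an allowlist of known scanners belongs in front of this logic before it feeds an alert queue.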

The Talos report paints a picture of a group that does not operate in isolation: UAT-8302 appears to wield a toolkit shared with or borrowed from multiple other China-aligned clusters. That shared tooling shortens the window from foothold to high-impact capability and complicates efforts to trace responsibility. The report also leaves an important technical question open: which specific web application zero-days or N-days, if any, are enabling the initial access Talos suspects? Until that gap is closed, defenders will be tracking familiar payloads while the vectors that place them in play remain uncertain.
