Attacks by advanced persistent threat (APT) groups aligned with China are believed to target government agencies in South America from at least late 2024 onwards, and in southeastern Europe by 2025.
This activity is being tracked by Cisco Talos as UAT-8302, and post-exploitation activity includes the deployment of a custom-made malware family used by other China-aligned hacker groups.
Notable among the malware family is a .NET-based backdoor called NetDraft (also known as NosyDoor). This is a C# variant of FINALDRAFT (also known as Squidoor), which has previously been linked to threat clusters known as Ink Dragon, CL-STA-0049, Earth Alux, Jewelbug, and REF7707.
ESET is tracking the use of NosyDoor against a group called LongNosed Goblins. Interestingly, the same malware has also been deployed against Russian IT organizations by a threat actor called Erudite Mogwai (also known as Space Pirate and Webworm), which has taken the name LuckyStrike Agent, according to Russian cybersecurity company Solar.
Some of the other tools used with UAT-8302 are:
“The malware deployed by UAT-8302 connects it to several previously disclosed threat clusters, indicating at least a close operational relationship between them,” Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White wrote in a technical report published today.
“Overall, the variety of malicious artifacts deployed by UAT-8302 indicates that this group has access to tools used by other advanced APT actors, all of which have been assessed by various third-party industry reports to be Chinese-linked or Chinese-speaking tools.”
It is currently unclear what initial access methods attackers are using to infiltrate target networks, but they are suspected to include proven approaches to weaponizing zero-day and N-day exploits for web applications.
Once attackers have gained a foothold, they have been known to conduct extensive reconnaissance, plan their networks, run open source tools like gogo to perform automated scans, and move laterally through the environment. The attack chain culminates with the introduction of NetDraft, CloudSorcerer (version 3.0), and VShell.
UAT-8302 has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to download and execute VShell payloads from remote servers. In addition to using custom malware, attackers set up backdoor access alternatives using proxies and VPN tools such as Stowaway and SoftEther VPN.
The findings highlight a trend of advanced cooperative tactics among multiple China-aligned groups. In October 2025, Trend Micro revealed a phenomenon called “Premier Pass-as-a-Service.” In this phenomenon, initial access gained by Earth Estries is passed to Earth Naga for subsequent exploitation, clouding attrition efforts. This partnership is assessed to have existed since at least late 2023.
“Premier Pass-as-a-Service provides direct access to critical assets, reducing time spent on reconnaissance, initial exploitation, and lateral movement phases,” Trend Micro said. “The full extent of this model is not yet known, but given the limited number of observed incidents and the significant risk of compromise that such services involve, we believe that access is likely to be limited to small-scale attackers.”
Source link
