Cisco Talos Uncovers UAT-8302, a China-Linked APT Targeting Governments in South America and Europe

Executive Summary

Cisco Talos has published research on a China-nexus advanced persistent threat (APT) group tracked as UAT-8302. This group is engaged in long-term cyber-espionage campaigns with the primary goal of intelligence gathering. Their operations have targeted government organizations in South America since late 2024 and expanded to include government agencies in Southeastern Europe in 2025. The most significant characteristic of UAT-8302 is its extensive use of a shared arsenal of custom malware, including NetDraft (aka NosyDoor) and CloudSorcerer. The overlap in tooling with other known Chinese APTs, such as LongNosedGoblin and Earth Estries, points to a collaborative and possibly modular development ecosystem among these state-sponsored actors.

Threat Overview

UAT-8302 is a sophisticated threat actor focused on gaining and maintaining long-term, persistent access to sensitive government networks. While their initial access vectors are not confirmed, Talos suspects they use exploits for zero-day and n-day vulnerabilities in public-facing applications (T1190 - Exploit Public-Facing Application).

Once inside a network, the group engages in a classic APT lifecycle:

1. Initial Foothold: Deploying a first-stage backdoor.
2. Post-Compromise Activity: Using open-source tools like Impacket for lateral movement and credential harvesting.
3. Payload Deployment: Deploying a variety of custom malware for long-term access and data exfiltration.
4. C2 and Exfiltration: Abusing legitimate cloud services like Microsoft OneDrive and the MS Graph API for command-and-control (C2) to blend in with normal network traffic.

Technical Analysis

The key feature of UAT-8302 is its shared and diverse malware toolkit. This suggests that multiple Chinese APT groups may be supplied by a common development team or that they actively share tools and infrastructure.

Key Malware Families:

• NetDraft (NosyDoor): A .NET-based backdoor previously linked to the LongNosedGoblin APT group.
• CloudSorcerer v3: An updated version of a backdoor used in previous attacks against Russian government entities. This version likely has enhanced capabilities and evasive features.
• SNOWRUST: A Rust-based variant of the SNOWLIGHT backdoor, used for C2 and maintaining access.
• Shared Tools: The group also uses other malware seen in attacks by other China-nexus groups, including SNAPPYBEE (DeedRAT) and ZingDoor.

Evasion and C2 Techniques:

UAT-8302 employs several techniques to evade detection:

• Living Off the Land: Using tools like Impacket and legitimate proxy/VPN software like Stowaway and SoftEther VPN.
• Abuse of Cloud Services: Using Microsoft OneDrive and the MS Graph API for C2 (T1071.001 - Application Layer Protocol: Web Protocols). This makes their C2 traffic appear as legitimate Microsoft services, making it very difficult to detect and block with traditional network signatures.

MITRE ATT&CK Techniques Observed:

• T1190 - Exploit Public-Facing Application: Suspected initial access vector.
• T1071.001 - Application Layer Protocol: Web Protocols: Abusing OneDrive and MS Graph API for C2.
• T1003 - OS Credential Dumping: Implied by the use of Impacket.
• T1550.002 - Use Alternate Authentication Material: Pass the Hash: A common technique enabled by Impacket for lateral movement.
• T1021.002 - Remote Services: SMB/Windows Admin Shares: Used for lateral movement within the compromised network.
• T1105 - Ingress Tool Transfer: Transferring their malware toolkit onto compromised systems.

Impact Assessment

The activities of UAT-8302 pose a significant national security risk to the targeted countries in South America and Southeastern Europe. As a state-sponsored espionage group, their goal is the theft of sensitive government information, which could include diplomatic communications, military intelligence, economic data, and personally identifiable information of government employees. The long-term persistence they seek to achieve means they can continuously monitor and exfiltrate data over months or years. The shared nature of their toolkit complicates attribution and defense, as indicators of compromise (IOCs) from one group's campaign may not be a reliable predictor for another's, despite using the same malware.

Detection & Response

Defending against a sophisticated APT like UAT-8302 requires a defense-in-depth strategy.

• Network Traffic Analysis (D3-NTA): While difficult, it is crucial to monitor and baseline traffic to cloud services like OneDrive. Look for anomalous patterns, such as a non-user-interactive server communicating with OneDrive, or unusual data volumes being uploaded. SSL/TLS inspection is necessary to gain visibility into this traffic.
• Process Analysis (D3-PA): Monitor for the execution of suspicious .NET assemblies and Rust-based binaries. Use EDR to track process lineage and identify when legitimate tools like Impacket or SoftEther VPN are used in a way that is inconsistent with normal administrative activity.
• Domain Account Monitoring (D3-DAM): Closely monitor for signs of credential dumping and lateral movement. Alerts for tools like Mimikatz (often part of Impacket's toolkit) and suspicious use of service accounts to log into multiple workstations are key indicators.
• Patch Management: Aggressively patch public-facing applications and servers to reduce the initial attack surface.

Mitigation

• Network Segmentation: Implement network segmentation to limit the attacker's ability to move laterally after an initial compromise. Create enclaves for critical data and restrict communication between network segments.
• Outbound Traffic Filtering (D3-OTF): Where possible, restrict outbound access to cloud storage services from servers that do not require it. Use a web proxy to control and log all access to services like OneDrive.
• Privileged Account Management: Implement strict controls on privileged accounts. Use just-in-time access and multi-factor authentication for all administrative actions to make credential theft and lateral movement more difficult.
• Application Hardening (D3-AH): Harden public-facing web applications to prevent common vulnerability classes that could be used for initial access.