China-linked UAT-8302 targets South America and Southeastern Europe with NetDraft and shared malware toolkits


A China-linked advanced persistent threat (APT) group has been targeting government entities across multiple regions since late 2024. The group, tracked as UAT-8302, has conducted operations against government organizations in South America and expanded its focus to southeastern Europe throughout 2025.

According to findings from Cisco Talos, the attackers leverage a suite of custom-built malware tools, many of which have also been observed in campaigns linked to other China-aligned threat actors. One of the tools is NetDraft, a .NET-based backdoor also known as NosyDoor, which has previously been linked to several cyber-espionage clusters. The same malware has also surfaced in investigations by other cybersecurity firms, suggesting shared use across multiple groups with suspected Chinese affiliations.

Researchers note that UAT-8302’s toolkit includes a mix of older and newer malware families, such as CloudSorcerer, SNOWLIGHT, Deed RAT, Zingdoor, and Draculoader. This overlap suggests operational ties or shared resources among advanced threat groups. Interestingly, the CloudSorcerer backdoor was used in attacks against Russian government entities in 2024.

Researchers have yet to determine the initial access vector; they believe the group likely exploits vulnerabilities in web-facing applications, including both zero-day and known flaws. Once inside a network, the attackers perform extensive reconnaissance, using automated scanning tools to map systems and identify targets for lateral movement. The final step of the attack chain typically deploys persistent backdoors for long-term access and control.

In addition to custom malware, UAT-8302 has been observed using legitimate tools such as VPNs and proxy software to maintain access to compromised systems.
