A China-affiliated advanced persistent threat (APT) group, identified as UAT-8302, has been implicated in cyberattacks against government bodies in South America since late 2024 and southeastern Europe in 2025. These activities, monitored by Cisco Talos, involve the deployment of unique malware families also utilized by other cyber groups linked to China.
The malware arsenal includes a .NET-based backdoor known as NetDraft or NosyDoor, a variant of the previously identified FINALDRAFT. This tool has been associated with several threat groups like Ink Dragon and Jewelbug. ESET has attributed NosyDoor to a group they call LongNosedGoblin, while Russian firm Solar notes its use against Russian IT firms by a group dubbed Erudite Mogwai, also known as Space Pirates.
APT Malware Collaboration
Researchers from Talos, including Jungsoo An and Asheer Malhotra, have noted that UAT-8302 uses malware linked to various known threat clusters, suggesting a collaborative effort among China-aligned actors. Reports suggest these groups share tools, enhancing their capabilities to execute sophisticated cyber operations.
Though the specific initial access methods remain unclear, UAT-8302 is suspected of exploiting zero-day and N-day vulnerabilities in web applications. Post-breach, the attackers conduct thorough reconnaissance with open-source tools such as gogo for network mapping, then move laterally before deploying malware such as NetDraft and CloudSorcerer.
Technical Sophistication and Tools
The group has also deployed SNOWRUST, a Rust-based variant of SNOWLIGHT, to download and execute the VShell payload. In addition to custom malware, they employ tools like Stowaway and SoftEther VPN to maintain clandestine network access.
This pattern of shared tooling reflects an advanced cooperation model among Chinese cyber groups, as highlighted by Trend Micro. In a phenomenon termed ‘Premier Pass-as-a-Service,’ initial access gained by one group is handed over to another for further exploitation, which complicates attribution, tracking and mitigation efforts.
Implications and Future Outlook
The collaborative tactics of UAT-8302 and associated groups reflect a strategic approach to cyber espionage that could complicate cybersecurity defenses worldwide. As these operations evolve, understanding their methodologies and strengthening international cyber defense collaboration become crucial.
Trend Micro’s investigation into ‘Premier Pass-as-a-Service’ indicates that such access sharing is limited to a select few groups, suggesting a tightly controlled operation aimed at maximizing impact while minimizing detection risks. The full scope of this model remains under study, highlighting the need for ongoing vigilance and adaptation in cybersecurity strategies.
