Key Takeaways
- A China‑nexus APT tracked as UAT‑8302 has targeted South American government entities since late 2024 and southeastern European agencies in 2025.
- The group deploys a .NET‑based backdoor called NetDraft (aka NosyDoor), a C# variant of FINALDRAFT, alongside CloudSorcerer v3.0, VShell, and a Rust‑derived SNOWRUST loader.
- UAT‑8302 leverages proxy and VPN tools such as Stowaway and SoftEther VPN to maintain persistent, stealthy access.
- Initial intrusion is suspected to rely on weaponized zero‑day or N‑day exploits in web applications, followed by extensive reconnaissance using open‑source scanners like gogo.
- The malware and tactics link UAT‑8302 to other China‑aligned clusters (Ink Dragon, CL‑STA‑0049, Earth Alux, Jewelbug, REF7707) and are also used by groups labeled LongNosedGoblin and Erudite Mogwai (aka Space Pirates/Webworm).
- Trend Micro’s “Premier Pass‑as‑a‑Service” model illustrates how initial access obtained by one China‑linked group can be sold or transferred to another, reducing the time needed for reconnaissance and lateral movement.
- Overall, the findings highlight a growing trend of collaboration and tool‑sharing among sophisticated China‑nexus APT actors, complicating attribution and defense efforts.
Overview of UAT‑8302 Activity and Attribution
Cisco Talos has been monitoring a sophisticated advanced persistent threat (APT) group, designated UAT‑8302, that has been attributed to cyber‑espionage campaigns against government entities in South America beginning in late 2024 and against agencies in southeastern Europe throughout 2025. The activity pattern shows a clear focus on high‑value public‑sector targets, suggesting strategic intelligence‑gathering objectives aligned with Chinese interests. Talos analysts Jungsoo An, Asheer Malhotra, and Brandon White linked the group to a suite of custom malware families that have previously appeared in other China‑nexus threat clusters, indicating a shared tool‑ecosystem rather than isolated development. The attribution is based on overlapping code signatures, command‑and‑control (C2) infrastructure similarities, and the use of known adversary tactics, techniques, and procedures (TTPs) reported by multiple third‑party researchers.
NetDraft (NosyDoor) Malware Family and Connections
Among the tools employed by UAT‑8302, the .NET‑based backdoor NetDraft—also referred to as NosyDoor—stands out as a C# variant of the earlier FINALDRAFT (aka Squidoor) malware. NetDraft has been observed in campaigns associated with several threat clusters, including Ink Dragon, CL‑STA‑0049, Earth Alux, Jewelbug, and REF7707. ESET attributes the use of NosyDoor to a group it tracks as LongNosedGoblin, while Russian cybersecurity firm Solar notes that the same binary, branded LuckyStrike Agent, has been deployed against Russian IT organizations by an actor called Erudite Mogwai (also known as Space Pirates and Webworm). This cross‑group reuse underscores a modular malware approach where core backdoor functionality is shared or leased among multiple China‑aligned operators, enhancing operational efficiency and obscuring attribution.
Supplementary Toolset: CloudSorcerer, VShell, and SNOWRUST
Beyond NetDraft, UAT‑8302 utilizes a handful of additional custom payloads. CloudSorcerer version 3.0 serves as a versatile post‑exploitation framework capable of executing arbitrary commands, harvesting credentials, and establishing covert channels. VShell, a lightweight shellcode‑based implant, provides stealthy remote execution and is often delivered via a Rust‑derived loader dubbed SNOWRUST. SNOWRUST fetches the VShell payload from a remote server, executes it in memory, and helps evade disk‑based detection mechanisms. The combination of these tools enables the attackers to maintain flexibility: CloudSorcerer handles broader administrative tasks, while VShell offers a low‑profile foothold for persistent access.
Use of Proxy and VPN Tools for Backdoor Access
To prolong their presence within compromised networks, UAT‑8302 augments its malware arsenal with legitimate‑looking proxy and VPN utilities. The group has been observed deploying Stowaway, a reverse‑proxy tool that tunnels traffic through compromised hosts, and SoftEther VPN, a widely used open‑source VPN solution. By routing C2 communications through these channels, the attackers blend malicious traffic with normal network activity, thereby reducing the likelihood of detection by intrusion‑detection systems (IDS) or firewalls. This tactic also facilitates lateral movement, as compromised systems can act as pivot points for accessing segmented subnets without exposing the attackers’ true origin.
Suspected Initial Access via Zero‑Day and N‑Day Exploits
While the exact intrusion vector remains undisclosed, Talos researchers hypothesize that UAT‑8302 gains initial footholds through the exploitation of zero‑day or N‑day vulnerabilities in publicly exposed web applications. Such exploits allow the adversary to bypass authentication controls and execute arbitrary code on web servers, providing a beachhead inside the target perimeter. Once inside, the attackers likely employ privilege‑escalation techniques to acquire administrative rights before proceeding to deeper network exploration. The reliance on sophisticated exploit chains aligns with the group’s observed capability to deploy custom malware and suggests a well‑resourced backend capable of acquiring or developing high‑value exploits.
Network Reconnaissance, Scanning, and Lateral Movement
After establishing a foothold, UAT‑8302 conducts extensive internal reconnaissance to map the target environment. The group leverages open‑source utilities such as gogo to perform automated port scanning, service enumeration, and vulnerability discovery across internal hosts. This systematic scanning enables the attackers to identify valuable assets—such as domain controllers, file servers, and databases—and to plan subsequent lateral movement. Credential harvesting tools and pass‑the‑hash techniques are then employed to move laterally, often using legitimate administrative protocols (e.g., SMB, RDP) to avoid raising alarms. The culmination of this phase is the deployment of the previously mentioned payloads (NetDraft, CloudSorcerer, VShell) onto strategically chosen systems to establish persistent backdoors.
Evidence of Collaboration Between China‑Aligned Threat Actors
The technical report from Talos emphasizes that the malware and tools used by UAT‑8302 are not unique to this group but appear in the arsenals of several other China‑nexus APT clusters. This overlap indicates at least a close operating relationship, if not outright sharing, among these adversaries. The group’s ability to access tools originally associated with Ink Dragon, CL‑STA‑0049, Earth Alux, Jewelbug, and REF7707 suggests a collaborative ecosystem where code, infrastructure, or even expertise is exchanged. Such cooperation reduces development overhead, accelerates capability deployment, and complicates attribution for defenders who might otherwise attribute activity to a single actor.
Trend Micro’s “Premier Pass‑as‑a‑Service” Insight
Adding another layer to the collaborative picture, Trend Micro highlighted in October 2025 a phenomenon dubbed “Premier Pass‑as‑a‑Service.” In this model, an initial‑access specialist group (e.g., Earth Estries) compromises a target and then sells or transfers that foothold to a follow‑on exploitation group (e.g., Earth Naga). The service shortens the attack lifecycle by eliminating the need for the purchasing group to conduct its own reconnaissance, exploitation, and lateral‑movement phases. Although the full scale of this offering remains unclear, the limited number of observed incidents coupled with the significant risk involved implies that access is likely reserved for a tightly knit circle of threat actors. This trend dovetails with the evidence of tool sharing seen in UAT‑8302’s operations, reinforcing the notion of a service‑oriented economy within the China‑linked APT landscape.
Conclusion and Future Outlook
UAT‑8302 exemplifies the evolving tactics of China‑nexus APT actors: a blend of custom malware, legitimate‑looking proxy/VPN tools, suspected zero‑day/N‑day entry points, and a post‑compromise workflow that emphasizes thorough reconnaissance and stealthy persistence. The group’s malware—particularly NetDraft (NosyDoor)—serves as a linchpin linking it to multiple known threat clusters, while the adoption of CloudSorcerer, VShell, and SNOWRUST illustrates a diversified toolkit designed for flexibility and evasion. Furthermore, the observed use of Stowaway and SoftEther VPN, alongside the broader pattern of tool sharing and the emergence of access‑selling models like “Premier Pass‑as‑a‑Service,” points to an increasingly collaborative and service‑driven underground ecosystem. Defenders should prioritize anomaly detection for VPN and proxy abuse, monitor for uncommon open‑source scanners like gogo, and invest in threat‑intelligence feeds that track malware family overlaps across APT groups. As these actors continue to refine their cooperation mechanisms, anticipating and disrupting the supply chain of exploits and malware will be critical to mitigating future campaigns.
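To make the defender guidance above concrete, here is an added example (not code from Talos or from the report) that runs two of the suggested checks over constructed endpoint telemetry: a process-image match against binary names associated with Stowaway, SoftEther VPN and gogo, and a simple "one host talks to many distinct ports" heuristic for gogo-style internal scanning. The executable names, the key=value log format and the sample lines are all assumptions made for the example; tune them to your own telemetry.

```python
import re
from collections import defaultdict

# Assumed indicator set (not from the Talos report): executable stems shipped by
# the tools the article names. Stowaway ships admin/agent binaries, SoftEther
# ships vpnserver/vpnclient/vpnbridge/vpncmd, gogo is a single binary. "admin"
# and "agent" are generic stems, so treat hits as leads, not verdicts.
TOOL_INDICATORS = {
    "stowaway": {"stowaway", "admin", "agent"},
    "softether": {"vpnserver", "vpnclient", "vpnbridge", "vpncmd"},
    "gogo": {"gogo"},
}
SCAN_PORT_THRESHOLD = 20  # distinct dst ports from one host in the log window

# Constructed sample telemetry in an assumed "key=value" line format.
SAMPLE_LOGS = """\
type=proc host=web01 image=C:\\ProgramData\\svc\\agent.exe cmd="agent.exe -c 203.0.113.10:443"
type=proc host=web01 image=C:\\Windows\\Temp\\vpnclient.exe cmd="vpnclient.exe /start"
type=proc host=app02 image=C:\\Users\\svc\\gogo.exe cmd="gogo.exe -i 10.0.0.0/24"
type=proc host=app02 image=C:\\Windows\\System32\\svchost.exe cmd="svchost.exe -k netsvcs"
type=net host=web01 dst=10.0.0.9 dport=445
type=net host=web01 dst=10.0.0.9 dport=3389
""" + "".join(f"type=net host=app02 dst=10.0.0.5 dport={p}\n" for p in range(21, 61))

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def image_stem(path):
    """Return the lower-case file name without a trailing .exe."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def detect(log_text):
    """Return (host, rule, detail) findings for tool names and port-scan behaviour."""
    findings, ports_by_host = [], defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("type") == "proc":
            stem = image_stem(ev.get("image", ""))
            for tool, stems in TOOL_INDICATORS.items():
                if stem in stems:
                    findings.append((ev["host"], f"tool:{tool}", stem))
        elif ev.get("type") == "net":
            ports_by_host[ev["host"]].add(int(ev["dport"]))
    for host, ports in ports_by_host.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append((host, "scan:many-ports", f"{len(ports)} distinct dst ports"))
    return findings
```

On the constructed sample, `detect(SAMPLE_LOGS)` flags the agent and vpnclient images on web01, the gogo image on app02, and app02's 40-port sweep, while the ordinary svchost.exe and the two normal SMB/RDP connections on web01 produce nothing.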

