UAT-8302: Inside China's Shared APT Malware Ecosystem — A New Government-Targeting Group Surfaces with Borrowed Weapons
TL;DR
Cisco Talos published a full technical disclosure (May 5, 2026) on UAT-8302, a previously undocumented China-nexus APT that has been quietly targeting government entities in South America (since late 2024) and southeastern Europe (2025) using a toolkit of custom malware families shared with at least five other Chinese threat clusters. The group deploys NetDraft/NosyDoor, CloudSorcerer v3, SNOWLIGHT/VShell, DeedRAT (Snappybee), ZingDoor, and Draculoader — tools previously attributed to Jewelbug, Earth Estries, UNC5174, and others. Simultaneously, Salt Typhoon — the Chinese MSS-linked telecom espionage titan — is suspected in a late April 2026 breach of Sistemi Informativi, an IBM Italy subsidiary managing critical IT infrastructure for Italian public institutions. Together, these developments paint a picture of a highly compartmentalized yet deeply interconnected Chinese cyber espionage apparatus that is accelerating its pivot toward European and South American government targets.
Background: Two Stories, One Apparatus
Two developments broke this week that, on the surface, appear unrelated. Look closer, and they reveal the same machine operating at scale.
Story one: On May 5, 2026, Cisco Talos disclosed UAT-8302 — a new, high-confidence China-nexus APT that has been conducting long-term government espionage operations in South America and the Balkans. The group is sophisticated enough to deploy custom malware, yet pragmatic enough to borrow tools from at least five other known China-aligned threat clusters. This "shared arsenal" model is becoming a defining characteristic of 2026-era Chinese cyber operations.
Story two: On May 3, 2026, Italian newspaper La Repubblica broke the news that Sistemi Informativi — an IBM Italy wholly-owned subsidiary that manages IT infrastructure for Italian government agencies and critical national industries — was breached in late April 2026. Multiple intelligence sources pointed to Salt Typhoon (also tracked as Earth Estries, GhostEmperor, FamousSparrow, UNC2286) as the likely perpetrator. IBM confirmed the incident and activated incident response protocols. Services were restored, but forensic investigation into scope and impact remained ongoing as of publication.
These aren't coincidental. They're proof points of China's evolving strategic cyber posture in 2026: distributed espionage clusters, shared tooling infrastructure, and an accelerating focus on Europe as geopolitical tensions intensify.
Technical Analysis: UAT-8302 — The Anatomy of a Shared Toolkit Operation
Who They Are
Cisco Talos assesses with high confidence that UAT-8302 is a China-nexus APT group primarily tasked with obtaining and maintaining long-term access to government and related entities globally. The group was discovered during investigations into intrusions against South American government networks beginning in late 2024, then corroborated through overlapping infrastructure seen in southeastern European government compromises in 2025.
What makes UAT-8302 analytically significant isn't just what it does — it's how it does it, and what that reveals about the Chinese state-linked APT ecosystem.
The Malware Arsenal: Nothing is Exclusive
Unlike many APTs that jealously guard proprietary tooling as a fingerprint, UAT-8302 operates with what researchers call a "shared malware pool" — custom implants and loaders that circulate across multiple China-aligned threat clusters, effectively making attribution harder and operational reuse more efficient.
NetDraft (aka NosyDoor)
The centerpiece of UAT-8302's toolkit is NetDraft, a .NET-based backdoor that Talos discovered and tracks independently, while ESET has tracked its use under the name NosyDoor, attributed to a group called LongNosedGoblin. At its technical core, NetDraft is a C# variant of the FinalDraft/SquidDoor malware family — a modular, C2-capable backdoor family that Palo Alto Unit42, Elastic, and others have previously attributed to Jewelbug (aka REF7707, CL-STA-0049). Jewelbug's operations in 2025 targeted entities across Southeast Asia, Japan, and Russia. The same malware, renamed LuckyStrike Agent, was deployed against Russian IT organizations by Erudite Mogwai (Space Pirates/Webworm). One malware family — four tracking names — at least three distinct threat clusters using it. That's the ecosystem.
CloudSorcerer v3
UAT-8302 deployed an updated version (v3) of CloudSorcerer, a cloud-exfiltration-capable backdoor first publicly disclosed by Kaspersky after attacks against Russian government entities in May 2024. The malware abuses legitimate cloud services for command-and-control to evade network-level detection. UAT-8302 using a newer version of this tool suggests ongoing development either by the group itself or by a shared development infrastructure serving multiple clusters.
SNOWLIGHT / VShell / SNOWRUST
SNOWLIGHT is a known stager for VShell, a fully-featured post-exploitation framework. UAT-8302 uses both, mirroring its observed use in operations by UNC5174 (which exploited F5 and ScreenConnect vulnerabilities), UNC6586 (which abused CVE-2025-55182 in React2Shell), and UAT-6382 (which weaponized a Cityworks zero-day, CVE-2025-0994). In a notable evolution, UAT-8302 also developed a Rust-based variant of SNOWLIGHT called SNOWRUST — indicating engineering capability and an intentional language migration, most likely aimed at evading modern EDR platforms, which have gotten better at detecting Go-based and C++-based stagers.
DeedRAT (Snappybee) and ZingDoor
DeedRAT, a ShadowPad successor, and ZingDoor (first disclosed by Trend Micro in 2023) were deployed together by UAT-8302 — a pairing that exactly mirrors Earth Estries (Salt Typhoon under Trend Micro's naming) operations in late 2024. This co-deployment signature is not accidental. It strongly suggests either tool-sharing agreements, common development infrastructure, or that UAT-8302 operates as a sub-cluster or supporting unit within the broader Earth Estries apparatus.
Draculoader
A shellcode loader also used by Earth Estries and Earth Naga, both of which have histories of targeting government agencies across Southeast Asia. Earth Naga has been specifically linked to ToolShell exploitation campaigns in 2025.
Intrusion Chain
Initial access vector for UAT-8302 remains unconfirmed, though Talos assesses it "likely involves weaponizing zero-day and N-day exploits in web applications" based on intrusion artifacts and the group's deployment pattern. This is consistent with the broader Chinese APT preference for edge-device exploitation (VPNs, load balancers, application delivery controllers) as a zero-footprint entry mechanism.
Post-access activity follows a disciplined playbook:
1. Extensive reconnaissance using legitimate network-scanning tools (notably gogo, an open-source automated scanner used across multiple China-nexus clusters)
2. Lateral movement via Impacket and credential extraction
3. Persistence establishment using proxy tunneling tools — specifically Stowaway and SoftEther VPN for long-term covert channel maintenance
4. Payload deployment — NetDraft, CloudSorcerer v3, or VShell depending on target environment
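The reconnaissance and tunneling steps above leave a network footprint that is easy to describe but rarely alerted on: a single internal host, often a workstation, opening probe-sized connections to dozens of peers on a handful of ports within minutes. The following is an added example, not Talos or Lyrie code, of fan-out detection over NetFlow-style records. The flow records, the workstation VLAN (10.20.5.0/24), the internal range (10.0.0.0/8) and the thresholds are all constructed assumptions for the example; a real deployment would take the first two from an asset inventory and tune the thresholds per role.

```python
"""Flag internal scan fan-out in flow records (added example, constructed data).

Record shape assumed here: (src_ip, dst_ip, dst_port, bytes_out, minute).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout (not from the report): one workstation VLAN, one /8.
WORKSTATION_NETS = [ip_network("10.20.5.0/24")]
INTERNAL_NET = ip_network("10.0.0.0/8")
PROBE_BYTES = 200          # flows smaller than this look like port probes
PROBE_RATIO = 0.8          # share of probe-sized flows needed to alert


def is_workstation(ip: str) -> bool:
    return any(ip_address(ip) in net for net in WORKSTATION_NETS)


def build_sample_flows():
    """Constructed flows: one recon sweep, two benign patterns."""
    flows = []
    # Anomaly: a workstation sweeping the 10.20.8.0/24 server VLAN on five
    # ports with probe-sized flows inside a few minutes (gogo-style recon).
    probe_ports = [22, 80, 443, 445, 3389]
    for i in range(1, 41):
        flows.append(("10.20.5.17", f"10.20.8.{i}", probe_ports[i % 5], 60, i % 5))
    # Benign: another workstation using the file server and domain controller.
    flows += [
        ("10.20.5.33", "10.20.8.10", 445, 48_000, 1),
        ("10.20.5.33", "10.20.8.2", 389, 2_300, 1),
        ("10.20.5.33", "10.20.8.2", 88, 1_100, 2),
    ]
    # Benign: a monitoring server polling SNMP across the same VLAN; servers
    # get a higher fan-out threshold because this is their normal behaviour.
    for i in range(1, 41):
        flows.append(("10.20.9.10", f"10.20.8.{i}", 161, 90, 3))
    return flows


def fanout_alerts(flows, window_minutes=10, ws_host_threshold=15,
                  srv_host_threshold=60):
    """Return alerts for sources whose distinct internal peers in one
    window exceed the role threshold and whose flows are mostly probes."""
    buckets = defaultdict(lambda: {"hosts": set(), "ports": set(),
                                   "small": 0, "total": 0})
    for src, dst, dport, nbytes, minute in flows:
        if ip_address(dst) not in INTERNAL_NET:
            continue                      # east-west traffic only
        b = buckets[(src, minute // window_minutes)]
        b["hosts"].add(dst)
        b["ports"].add(dport)
        b["total"] += 1
        if nbytes < PROBE_BYTES:
            b["small"] += 1

    alerts = []
    for (src, window), b in buckets.items():
        threshold = ws_host_threshold if is_workstation(src) else srv_host_threshold
        if len(b["hosts"]) >= threshold and b["small"] / b["total"] >= PROBE_RATIO:
            alerts.append({
                "src": src,
                "window": window,
                "role": "workstation" if is_workstation(src) else "server",
                "distinct_hosts": len(b["hosts"]),
                "distinct_ports": len(b["ports"]),
            })
    return sorted(alerts, key=lambda a: -a["distinct_hosts"])


if __name__ == "__main__":
    for alert in fanout_alerts(build_sample_flows()):
        print(alert)
```

The probe-ratio check is what keeps a backup server or vulnerability scanner from drowning the rule in noise: legitimate fan-out moves real data, reconnaissance mostly does not. Hosts that scan by design (the monitoring server here) belong on an allowlist or get the higher server threshold.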
The goal: durable, long-term access enabling intelligence collection rather than immediate destructive action. Classic tier-1 MSS tasking.
The Salt Typhoon Italy Breach: Europe Becomes the Target
While UAT-8302 represents a newly disclosed actor, Salt Typhoon (Earth Estries) is a known quantity with an expanding geographic footprint. The suspected April 2026 breach of Sistemi Informativi represents a meaningful escalation.
Why Sistemi Informativi matters: This IBM Italy subsidiary is not a consumer company. It is a managed IT infrastructure provider for Italian public agencies and private critical industry operators. Compromising a single IT provider of this type — rather than targeting individual agencies — provides a force-multiplier effect: one breach, many downstream victims, extensive network mapping, and potential persistent access to government data flows across multiple institutions.
Salt Typhoon's documented operational history reveals why Europe has become priority terrain:
- 2023–2024: Breached U.S. telecoms (AT&T, Verizon, Lumen) — CALEA lawful-intercept systems compromised, allowing interception of intelligence
- Early 2025: Viasat satellite communications, Canadian telecom firms, U.S. Army National Guard networks
- Mid-2025: Dutch government infrastructure and networks (warned by Dutch intelligence)
- Late 2025: Confirmed expansion to European telecom providers via Citrix and Cisco vulnerability exploitation
- April 2026: Suspected breach of Italian critical IT infrastructure (Sistemi Informativi / IBM Italy)
- Ongoing: FBI confirmed in February 2026 that Salt Typhoon threats remain active, with basic configuration errors and known CVEs providing initial access
The Salt Typhoon MO at infrastructure providers: exploit Citrix NetScaler or Cisco IOS vulnerabilities for initial access → establish living-off-the-land persistence using PowerShell, WMIC, and Windows service creation → exfiltrate data silently over months → maintain access for potential disruption if geopolitical calculus demands it.
Salt Typhoon has maintained access inside compromised environments for up to three years before discovery (per Cisco, 2025). This is not smash-and-grab — it's patient, strategic pre-positioning.
The Ecosystem Model: Why Attribution Gets Harder Every Year
The UAT-8302 disclosure forces a fundamental rethink of how we do APT attribution. The traditional model — link malware to a group, link group to a state — worked when threat actors used exclusive tooling. That model is breaking down.
The Chinese state-linked APT ecosystem now operates more like a shared services platform:
- A small number of "malware factories" develop and maintain high-quality implants (NetDraft/FinalDraft, DeedRAT/ShadowPad lineage, CloudSorcerer)
- Multiple operational clusters receive access to these tools via what appears to be an internal tool-lending or contracted development relationship
- Individual clusters maintain deniability through operational separation, while the PRC can conduct operations at scale without proportionally scaling its developer headcount
- Cross-cluster tool reuse creates deliberate attribution confusion — making it harder for defenders to map activity to a single actor or issue targeted indictments
This is the "Ship of Theseus" problem in applied form: when a group replaces all its tools with borrowed ones from other groups, is it still the same group? For defenders, the answer is: it doesn't matter. The threat is real regardless of taxonomy.
IOCs and Technical Indicators
Malware Families (UAT-8302 campaign):
- NetDraft / NosyDoor (.NET-based, C# FinalDraft variant)
- CloudSorcerer v3 (cloud-abusing C2 backdoor)
- SNOWLIGHT (VShell stager, cross-cluster)
- SNOWRUST (Rust-based SNOWLIGHT variant — new to UAT-8302)
- VShell (full post-exploitation framework)
- DeedRAT / Snappybee (ShadowPad successor)
- ZingDoor (.NET malware, Earth Estries lineage)
- Draculoader (shellcode loader, Earth Estries / Earth Naga shared)
Open-Source Tools Used:
- gogo (network scanner, github.com/chainreactors/gogo)
- Impacket (credential extraction and lateral movement)
- Stowaway (multi-level proxy)
- SoftEther VPN (covert channel persistence)
Salt Typhoon Initial Access Vectors:
- Citrix NetScaler vulnerabilities (CVE family)
- Cisco IOS/IOS-XE vulnerabilities (CVE family)
- Configuration weaknesses and unpatched N-day exploits in web-facing infrastructure
Targeting Profile:
- South American government ministries
- Southeastern European government agencies
- European telecom backbone providers
- IT managed service providers serving public sector (critical risk multiplier)
- Critical infrastructure operators (energy, water, internet)
Lyrie Take
The UAT-8302 disclosure, read alongside the suspected Salt Typhoon breach in Italy, confirms something Lyrie has been tracking in our threat intelligence feeds: 2026 is the year Chinese APT operations matured from individual campaigns to a coherent, distributed espionage platform.
The shared-malware model is not a sign of weakness — it's a sign of industrial scaling. The PRC doesn't need to build new tools for every new operation. It needs a logistics model that delivers vetted, functional implants to operational clusters on demand. That's what we're seeing. The result is an ecosystem where:
1. Attribution becomes ambiguous by design — defenders chase the malware name, not the actor
2. Detection signatures age faster because tools rotate across clusters at different cadences
3. A single development team's operational security failure can expose multiple independent campaigns simultaneously
For defenders, the implication is clear: tracking malware families is more durable than tracking group names. DeedRAT will appear whether you're dealing with UAT-8302, Earth Estries, or a cluster not yet named. SNOWLIGHT will show up in campaigns linked to UNC5174, UAT-6382, and now UAT-8302. Build detection for the tool, not the actor.
On the Salt Typhoon Italy front: the targeting of a managed IT service provider rather than individual agencies is the move that should concern European CISOs most. One supply-chain pivot gives access to dozens of downstream clients. Italy is likely not the only European country where this playbook is in motion.
Defender Playbook
Immediate Actions:
1. Patch Citrix and Cisco infrastructure now. Salt Typhoon's documented European entry vector is unambiguous: Citrix NetScaler and Cisco IOS vulnerabilities, exploited before or within days of public disclosure. Run authenticated vulnerability scans against all edge devices this week. No exceptions for "stable" systems.
2. Hunt for SNOWLIGHT/SNOWRUST stager activity. Network telemetry showing outbound connections to cloud platforms (legitimate services abused for C2 — GitHub, OneDrive, Dropbox) following unusual service creation or PowerShell execution chains should be triaged immediately. SNOWLIGHT is a known precursor to full VShell deployment.
3. Audit IT managed service providers. If you operate in a sector that relies on third-party IT infrastructure providers (government, defense, utilities), audit the trust relationships and network access granted to those providers. UAT-8302 and Salt Typhoon both demonstrate that MSPs are as valuable as direct targets — often more so.
4. Deploy behavioral detection over signature-based detection. With tools rotating across clusters (DeedRAT, ZingDoor, NetDraft all appearing in different threat actor contexts), static signature coverage will miss a significant percentage of intrusion attempts. Focus on behavior: living-off-the-land commands (WMIC queries, PowerShell execution with encoded parameters, Windows service creation for persistence), lateral movement patterns, and unexpected outbound proxy/VPN traffic.
5. Enable network telemetry on east-west traffic. Post-compromise, UAT-8302 operators conduct extensive internal reconnaissance using gogo for automated scanning. Lateral network scanning from internal hosts — especially workstations — is highly anomalous and should trigger immediate investigation.
6. Verify cloud service access. CloudSorcerer abuses legitimate cloud services for C2. Review cloud application firewall logs and CASB telemetry for unusual data transfers to OneDrive, Google Drive, or similar platforms from server-class systems that have no business reason to access those services.
7. Implement credential tiering and just-in-time access. Impacket-based credential extraction followed by lateral movement using harvested credentials is a core UAT-8302 tactic. Privileged account isolation, time-limited credentials, and privileged access workstations directly degrade this capability.
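Steps 2, 4 and 6 above all come down to the same thing: rules keyed on behaviour rather than on a malware family name. As an added example (not Lyrie's product logic and not code from any of the cited reports), the block below runs four such rules over constructed host telemetry: encoded PowerShell (decoded so the analyst sees the real command), WMIC remote process creation, service installs (System event 7045) whose binary lives in a user-writable path, and cloud-storage egress from server-class hosts. The event field names, the host roles and the cloud-storage domain list are this example's own assumptions.

```python
"""Behavioural rules over normalised Windows telemetry (added example).

Event dicts below are constructed; field names are this example's own
convention, not a vendor schema.
"""
import base64
import re

# Domains of cloud storage services commonly abused for C2 (assumed list;
# tune to what your environment legitimately uses).
CLOUD_STORAGE = {
    "onedrive.live.com", "api.dropboxapi.com", "content.dropboxapi.com",
    "drive.google.com", "www.googleapis.com", "api.github.com",
    "raw.githubusercontent.com",
}
ENC_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
USER_WRITABLE = re.compile(r"(?i)\\(?:programdata|users\\[^\\]+\\appdata|windows\\temp|temp)\\")
WMIC_REMOTE = re.compile(r"(?i)\bwmic(?:\.exe)?\b.*?/node:")
PROC_CREATE = re.compile(r"(?i)process\s+call\s+create")
SHELL_SERVICE = re.compile(r"(?i)\b(?:cmd|powershell)(?:\.exe)?\b")


def _enc(command: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE command."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed telemetry: one intrusion-like sequence plus benign noise.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "role": "workstation", "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc("whoami /all")},
    {"host": "WS-0412", "role": "workstation", "event": "process_create",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:FS01 process call create "cmd.exe /c whoami"'},
    {"host": "FS01", "role": "server", "event": "service_installed",
     "service_name": "WinUpdSvc", "service_path": r"C:\ProgramData\svchost\update.exe"},
    {"host": "FS01", "role": "server", "event": "service_installed",
     "service_name": "VendorAgent", "service_path": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "SQL01", "role": "server", "event": "network_connect",
     "dst_domain": "onedrive.live.com", "dst_port": 443},
    {"host": "WS-0412", "role": "workstation", "event": "network_connect",
     "dst_domain": "onedrive.live.com", "dst_port": 443},
    {"host": "WS-0412", "role": "workstation", "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]


def decode_encoded_powershell(cmdline: str):
    """Return the decoded command if cmdline carries -EncodedCommand, else None."""
    match = ENC_PS.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def evaluate(events):
    """Apply the four rules; return (host, rule, detail) tuples."""
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            cmd = ev.get("cmdline", "")
            decoded = decode_encoded_powershell(cmd)
            if decoded is not None and "powershell" in ev.get("image", "").lower():
                alerts.append((ev["host"], "encoded_powershell", decoded))
            if WMIC_REMOTE.search(cmd) and PROC_CREATE.search(cmd):
                alerts.append((ev["host"], "wmic_remote_exec", cmd))
        elif kind == "service_installed":          # System event ID 7045
            path = ev.get("service_path", "")
            if USER_WRITABLE.search(path) or SHELL_SERVICE.search(path):
                alerts.append((ev["host"], "suspicious_service_install", path))
        elif kind == "network_connect":
            if ev.get("role") == "server" and ev.get("dst_domain", "").lower() in CLOUD_STORAGE:
                alerts.append((ev["host"], "server_cloud_storage_egress", ev["dst_domain"]))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{host:8} {rule:28} {detail}")
```

Two of the rules depend on context the raw event does not carry: the role of the host (a workstation syncing OneDrive is normal, a database server doing it is not) and which paths count as user-writable in your build. Both are where the tuning effort goes; the regexes themselves are the easy part, and the same rules fire whether the implant behind them is called NetDraft, DeedRAT or something not yet named.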
Strategic Recommendations:
- Red team your supply chain trust model — map every third-party provider with privileged network access and ask: what happens if they're compromised?
- Subscribe to cross-cluster threat intelligence — the shared malware ecosystem means single-vendor threat intel (which tracks groups, not tools) will miss cross-cluster reuse. Invest in malware-centric intelligence feeds
- Assume dwell time of 12+ months — Salt Typhoon's documented dwell times of 2–3 years mean current indicators may reflect breaches initiated in 2024 or earlier; retroactive log analysis is warranted for all high-value targets
Sources
1. Cisco Talos — "UAT-8302 and its box full of malware" (May 5, 2026): https://blog.talosintelligence.com/uat-8302/
2. The Hacker News — "China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions" (May 6, 2026): https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html
3. Security Affairs — "Salt Typhoon breach IBM subsidiary in Italy: a warning for Europe's digital defenses" (May 5, 2026): https://securityaffairs.com/191638/apt/salt-typhoon-breach-ibm-subsidiary-in-italy-a-warning-for-europes-digital-defenses.html
4. Vectra AI — "Salt Typhoon: TTPs, detection, and defense" (2026): https://www.vectra.ai/resources/vectra-ai-threat-briefing-salt-typhoon
5. CyberScoop — "CISA warns of Salt Typhoon and Volt Typhoon threats to critical infrastructure" (May 6, 2026)
6. ESET Research — LongNosedGoblin / NosyDoor attribution: https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/
7. Trend Micro — Earth Estries persistent TTPs: https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html
8. FBI February 2026 confirmation of ongoing Salt Typhoon activity (via CyberScoop)
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.