TL;DR
Cisco Talos disclosed a sophisticated China-nexus APT group — UAT-8302 — on May 5, 2026, following a multi-year intrusion campaign against government agencies in South America (since late 2024) and southeastern Europe (2025). What makes UAT-8302 operationally distinct is not just its targets or tradecraft, but the evidence it represents of an increasingly formalized shared tooling ecosystem within China's state-sponsored hacking apparatus. The group deploys at least six distinct malware families — including backdoors previously attributed to three other named Chinese APT clusters — suggesting either a shared tool development program, a centralized malware-as-a-service pool, or a tightly coordinated contractor network operating beneath the umbrella of Chinese state intelligence. This isn't one group. It's a symptom of a maturing offensive infrastructure.
Background
For years, attribution of Chinese state-sponsored cyber operations relied on malware uniqueness — specific custom backdoors left identifiable fingerprints tied to individual groups. That era is ending. UAT-8302 is the clearest recent example of why: a single threat cluster that carries tools previously linked to Jewelbug, Earth Estries, UNC5174, LongNosedGoblin, and UAT-6382 simultaneously. The immediate interpretation might be "shared code reuse" — but the depth and diversity of these overlaps points to something more structural.
Cisco Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White began tracking UAT-8302 following intrusions against government entities in South America. Initial access vectors align with the group's known peers — exploitation of public-facing vulnerabilities (zero-day and n-day), consistent with APT-class operations that prioritize persistence over speed. The post-compromise behavior shows patience, methodical host enumeration, and a clear doctrine of prolonged access rather than smash-and-grab exfiltration.
The geographic targeting is also notable: government ministries in South America and southeastern European government agencies are not typical high-value targets for most financially motivated actors. This is straight strategic espionage — data collection against states that may carry intelligence value for Beijing's foreign policy and diplomatic positioning.
Technical Analysis
The Malware Arsenal
UAT-8302 deploys a broad toolkit across intrusions, with no single "signature" implant. Instead, the group appears to pull from a shared inventory:
NetDraft (NosyDoor): A .NET-based backdoor that Talos assesses is a C# port of the FinalDraft/SquidDoor malware family. ESET independently tracks this as NosyDoor, attributed to a group they call LongNosedGoblin, which targets government organizations across Southeast Asia and Japan. Russian cybersecurity firm Solar has additionally linked the same tool — under the name LuckyStrike Agent — to the Erudite Mogwai (Space Pirates) group targeting Russian IT organizations in 2024. This single malware family has now been observed across four attribution clusters from at least three independent research teams. The technical overlap is not coincidental — the code is the same.
CloudSorcerer v3: Originally disclosed by Kaspersky in 2024 following attacks against Russian government entities, CloudSorcerer abuses legitimate cloud platforms for command-and-control. Version 3, as deployed by UAT-8302, accesses a controlled GitHub repository or a GameSpot profile to read an encoded blob containing C2 server information. This living-off-the-cloud technique renders network-layer detection nearly useless — outbound HTTPS connections to GitHub and GameSpot generate no alerts in any default detection ruleset. The version increment suggests active development of this capability beyond the original operator's use case.
VSHELL + SNOWLIGHT Stager: VSHELL is a cross-platform post-exploitation implant (Linux/Windows/macOS capable), and SNOWLIGHT is its delivery stager. UAT-8302 also introduced a new Rust-based variant — tracked by Talos as SNOWRUST — suggesting ongoing investment in cross-platform, detection-resistant staging. SNOWLIGHT and VSHELL have previously appeared in campaigns attributed to UNC5174, UNC6586, and UAT-6382.
DeedRAT (Snappybee) + ZingDoor: DeedRAT is a successor to the ShadowPad modular framework — one of China's most persistent and broadly shared RAT platforms. Earth Estries deployed both DeedRAT and ZingDoor in conjunction in 2024 campaigns against telecom and government targets. UAT-8302 reproduces the same combination, which Trend Micro first highlighted as a paired deployment pattern. Pairing ShadowPad-lineage tooling with a secondary implant like ZingDoor provides redundant access — if one gets burned, the other persists.
Draculoader: A generic shellcode loader also appearing in Earth Estries and Earth Naga campaign toolkits. Draculoader is used as the delivery mechanism for several of the above implants and is believed to be distributed through shared infrastructure among China-aligned APT operators.
Intrusion Methodology
The operational pattern reveals a high-discipline approach consistent with intelligence-collection mandates rather than financially motivated threat actors:
Initial access leverages known (and likely unknown) vulnerabilities in public-facing systems. UAT-8302's tool overlaps with UAT-6382 — which exploited the Cityworks zero-day CVE-2025-0994 — suggest a similar vulnerability exploitation capability.
Reconnaissance is extensive and scripted. Talos identified a custom PowerShell script (whatpc.ps1) that executes a structured inventory sweep on every compromised host, capturing:
- User and group membership (whoami, net user, net group)
- Privilege context (whoami /priv)
- Network configuration (ipconfig /all, ARP -a, ROUTE print)
- Active connections (NETSTAT -ano)
- Active Directory topology (nltest /dclist, nltest /domain_trusts, net group "Domain Admins")
This script is persisted via scheduled tasks named ReconLiteDebug and RunWhatPC, both executing under SYSTEM context. The scheduled task naming convention — technical but non-suspicious — is consistent with a threat actor that expects to stay inside the environment for extended periods.
Lateral movement uses Impacket and proxy tools, alongside the suite of custom implants to establish footholds across multiple hosts before any exfiltration begins. The goal is breadth of access and resilience, not speed.
Exfiltration follows credential extraction from certificate stores (certutil -user -store My/CA/Root) and network reconnaissance. The combination of certificate harvesting with domain enumeration suggests targeting of PKI infrastructure and encrypted communications — not merely files on disk.
The Shared Toolkit Hypothesis
The most analytically significant aspect of UAT-8302 is what the malware connections imply about Chinese APT organization. Three competing models explain the overlaps:
1. Shared Contractor Model: A non-governmental contractor, or a development shop affiliated with the People's Liberation Army (PLA) or the Ministry of State Security (MSS), supplies tooling to multiple independent APT teams under contract. Each team licenses or receives access to the same capability library and deploys it independently.
2. Centralized Tool Depot: A central cyber operations command maintains a shared tool depot accessible by multiple operational units. Individual APT clusters draw from this depot based on mission requirements, leaving cross-team fingerprints that look like attribution overlaps.
3. Team Fracturing / Personnel Mobility: Operators move between groups, carrying tools and tradecraft with them. A former Earth Estries operator who transitions to a new operational unit would bring their DeedRAT deployment knowledge with them.
All three models have evidence in publicly available research. The Talos team assessed that UAT-8302 has "a close operating relationship" with the overlapping clusters "at the very least" — careful language that acknowledges the ambiguity without overclaiming attribution to a specific ministry or military unit.
For defenders, the model distinction matters less than the operational implication: China's offensive cyber ecosystem is becoming increasingly modular and interoperable. Blocking one group's tools does not prevent another from deploying the same capability under a different operation name.
IOCs
| Indicator | Type | Description |
|---|---|---|
| whatpc.ps1 | Filename | Custom PowerShell recon script |
| ReconLiteDebug | Scheduled Task Name | Persistence for whatpc.ps1 |
| RunWhatPC | Scheduled Task Name | Alternate persistence task |
| c:\windows\temp\whatpc.ps1 | File Path | Known drop location |
| c:\windows\temp\run.bat | File Path | Batch launcher for recon |
| CloudSorcerer v3 GitHub C2 repo | IOC class | Legitimate platform abuse for C2 resolution |
| CloudSorcerer v3 GameSpot profile | IOC class | Alternate C2 resolver channel |
| SNOWLIGHT / SNOWRUST stagers | Malware family | VSHELL delivery mechanism |
| NetDraft / NosyDoor | Malware family | .NET FinalDraft variant |
| DeedRAT + ZingDoor (paired) | Malware family combo | ShadowPad successor + secondary implant |
| Draculoader | Malware family | Shellcode loader, multi-group shared |
Note: Talos has published full YARA rules and Snort signatures via their GitHub repository. Defenders should pull and operationalize these immediately.
Lyrie Take
UAT-8302 is less a "new threat actor" story and more a structural intelligence story about how China organizes offensive cyber operations. The conventional APT model — one group, one toolkit, one attribution — is breaking down as China's cyber apparatus matures into a more federated, modular program. This has direct consequences:
Attribution degradation is intentional. When six malware families link to four different threat clusters, the investigation loop becomes expensive. Talos spent significant research cycles untangling the web. That's not an accident — shared tooling creates deliberate attribution fog.
MITRE ATT&CK coverage is necessary but insufficient. UAT-8302's techniques (T1053 scheduled tasks, T1003 credential dumping via certutil, T1059 PowerShell execution, T1071 application-layer C2 via legitimate services) are all well-documented. The problem is that a defender who blocks these individually hasn't disrupted the mission — a replacement tool arrives from the shared depot.
Living-off-the-cloud is now standard operating procedure. CloudSorcerer's use of GitHub and GameSpot for C2 resolution is not novel — but its appearance in a third-generation deployment of an already-disclosed tool tells us defenders haven't solved this problem. Organizations need DNS-layer and behavioral anomaly detection that flags unusual data patterns to legitimate cloud platforms, not just outright blocks.
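To make that baselining concrete, here is an added example (written for this page, not code from the original post or any vendor tool): a Python pass over constructed proxy log lines that flags non-developer endpoints reaching the GitHub and GameSpot hosts CloudSorcerer v3 uses for C2 resolution, and fixed-interval polling of a single URL. The log format, the developer-endpoint baseline and the example-org repository path are assumptions.

```python
# Added example (not Talos code): baseline-and-alert pass over constructed proxy logs,
# aimed at the GitHub / GameSpot resolver channel described for CloudSorcerer v3.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Platforms the page names as C2 resolvers, plus an assumed baseline of endpoints
# whose users are expected to reach code hosting (the developer group).
RESOLVER_HOSTS = {"github.com", "raw.githubusercontent.com", "www.gamespot.com"}
DEV_ENDPOINTS = {"DEV01", "DEV02"}

def parse(line):
    """Constructed log format: '<iso ts> <src endpoint> <method> <url> <status> <bytes>'."""
    ts, src, _method, url, _status, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "url": url,
            "host": url.split("/")[2], "bytes": int(size)}

def flag(lines, min_polls=4, max_jitter_s=5.0):
    """Alerts on (1) non-developer endpoints touching resolver platforms and
    (2) fixed-interval polling of one URL, the shape of a C2 lookup loop."""
    alerts, polls = set(), defaultdict(list)
    for rec in map(parse, lines):
        if rec["host"] not in RESOLVER_HOSTS:
            continue  # ordinary traffic is not baselined here
        if rec["src"] not in DEV_ENDPOINTS:
            alerts.add((rec["src"], f"non-developer endpoint reached {rec['host']}"))
        polls[(rec["src"], rec["url"])].append(rec["ts"])
    for (src, url), times in polls.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            alerts.add((src, f"fixed-interval polling of {url} every ~{mean(gaps):.0f}s"))
    return sorted(alerts)

# Constructed sample: WS07 (not a developer box) fetches the same raw file every 5 minutes,
# a DEV01 user browses GitHub irregularly, and WS07 also visits an unrelated site.
SAMPLE_LOG = [
    "2026-05-05T09:00:00 WS07 GET https://raw.githubusercontent.com/example-org/notes/main/readme.txt 200 412",
    "2026-05-05T09:05:00 WS07 GET https://raw.githubusercontent.com/example-org/notes/main/readme.txt 200 412",
    "2026-05-05T09:10:00 WS07 GET https://raw.githubusercontent.com/example-org/notes/main/readme.txt 200 412",
    "2026-05-05T09:15:00 WS07 GET https://raw.githubusercontent.com/example-org/notes/main/readme.txt 200 412",
    "2026-05-05T09:02:13 WS07 GET https://www.example.com/news 200 18233",
    "2026-05-05T09:01:07 DEV01 GET https://github.com/example-org/notes 200 9120",
    "2026-05-05T09:07:40 DEV01 GET https://github.com/example-org/notes/pulls 200 8802",
    "2026-05-05T09:31:02 DEV01 GET https://github.com/example-org/notes/issues 200 7719",
]
```

The polling check keys on source plus full URL, so a developer's irregular browsing across a repository stays quiet while a beacon hitting one raw file on a timer does not.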
Government entities in non-traditional targets are being systematically penetrated. South America and southeastern Europe are not typical marquee targets. This breadth tells us China is mapping global political and intelligence landscapes well beyond its immediate geographic theater.
Defender Playbook
1. Deploy Talos YARA rules and Snort signatures for NetDraft, CloudSorcerer v3, SNOWLIGHT, SNOWRUST, DeedRAT, and Draculoader. These are publicly available — there is no excuse for not having them in your detection stack within 48 hours of a disclosure like this.
2. Hunt for scheduled tasks with reconnaissance naming conventions. Query EDR for tasks running under SYSTEM context with non-standard names (especially tasks dropping to c:\windows\temp\). Flag any task executing PowerShell with -ExecutionPolicy Bypass -WindowStyle Hidden.
3. Audit certutil usage. The pattern certutil -user -store My/CA/Root should trigger immediate investigation. Legitimate administrative use of this command at scale is rare; APT use for certificate harvesting is documented across multiple China-nexus clusters.
4. Implement DNS/proxy logging for outbound HTTPS to code hosting platforms. GitHub, GameSpot, Pastebin, and similar platforms are legitimate-but-abused C2 channels. Your SOC needs visibility into what data is being sent, not just where. Baseline normal developer traffic patterns and alert on anomalies — especially from non-developer endpoints.
5. Assume lateral movement if any single host is confirmed compromised. UAT-8302's ping sweep and domain trust enumeration pattern means a single foothold is the starting point for complete domain compromise. Contain immediately and assume the blast radius is larger than initial indicators suggest.
6. Harden public-facing infrastructure. UAT-8302 (and its tool-sharing peers) exploit n-day and likely zero-day vulnerabilities for initial access. Patch cycles on VPNs, web servers, and remote access platforms need to operate in days, not months. Prioritize using CISA KEV as a mandatory patch SLA floor.
7. Model the shared toolkit threat. If your threat intelligence team is tracking Earth Estries, Jewelbug, or UAT-6382, your TTPs and detection logic now also partially apply to UAT-8302. Cross-pollinate your IOC and behavioral rule sets across Chinese APT attribution clusters — they're drawing from the same arsenal.
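As an added illustration of playbook items 2 and 3 and of the scripted reconnaissance sweep described earlier (example code written for this page, not Talos's or any vendor's tooling), the following Python hunts constructed endpoint telemetry for SYSTEM tasks launched from c:\windows\temp or with hidden bypass PowerShell, for the certutil store-dump pattern, and for bursts of the whatpc.ps1 recon commands. The event field names, the window and threshold values and the sample records are assumptions.

```python
# Added example (not Talos code): hunting rules over constructed endpoint telemetry
# mirroring UAT-8302 behaviours. Field names (host, ts, image, run_as, action) are assumed.
import re
from datetime import datetime, timedelta

# Binaries the whatpc.ps1 sweep is reported to run (net covers net user / net group)
RECON_CMDS = {"whoami", "net", "ipconfig", "arp", "route", "netstat", "nltest"}

def suspicious_task(task):
    """SYSTEM task acting from the Windows temp dir or running hidden bypass PowerShell."""
    action = task["action"].lower()
    as_system = task["run_as"].upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM")
    in_temp = "c:\\windows\\temp\\" in action
    stealth_ps = ("powershell" in action and "-executionpolicy bypass" in action
                  and "-windowstyle hidden" in action)
    return as_system and (in_temp or stealth_ps)

def certutil_store_dump(cmdline):
    """Certificate-store harvesting pattern: certutil -user -store My/CA/Root."""
    return re.search(r"certutil(\.exe)?\s+-user\s+-store\s+(my|ca|root)\b", cmdline, re.I) is not None

def recon_bursts(events, window=timedelta(minutes=2), threshold=5):
    """Hosts where >= threshold distinct recon binaries ran inside one window (scripted sweep)."""
    by_host, hits = {}, {}
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        if exe in RECON_CMDS:
            by_host.setdefault(ev["host"], []).append((ev["ts"], exe))
    for host, runs in by_host.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            seen = {exe for t, exe in runs[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                hits[host] = sorted(seen)
                break
    return hits

# Constructed samples: the reported RunWhatPC persistence beside a benign vendor task,
# and a recon burst on WS01 versus a lone whoami on WS02.
T = datetime(2026, 5, 5, 9, 0, 0)
SAMPLE_TASKS = [
    {"name": "RunWhatPC", "run_as": "SYSTEM",
     "action": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File c:\windows\temp\whatpc.ps1"},
    {"name": "VendorUpdateTask", "run_as": "SYSTEM", "action": r"C:\Program Files\Vendor\update.exe /silent"},
]
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": T + timedelta(seconds=i), "image": f"C:\\Windows\\System32\\{e}.exe"}
    for i, e in enumerate(["whoami", "net", "net", "ipconfig", "arp", "route", "netstat", "nltest"])
] + [{"host": "WS02", "ts": T, "image": r"C:\Windows\System32\whoami.exe"}]
```

The burst rule counts distinct binaries rather than raw process count, so an administrator repeating one command does not trip it while the whole inventory sweep does.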
Sources
- Cisco Talos: UAT-8302 and its box full of malware (May 5, 2026) — https://blog.talosintelligence.com/uat-8302/
- The Hacker News: China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions (May 6, 2026) — https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html
- CyberSecurityNews: UAT-8302 Uses Custom Malware and Open-Source Tools to Steal Data From Government Agencies (May 7, 2026) — https://cybersecuritynews.com/uat-8302-uses-custom-malware-and-open-source-tools/
- Kaspersky Securelist: CloudSorcerer/EastWind APT Campaign (2024) — https://securelist.com/eastwind-apt-campaign/113345/
- Trend Micro: Breaking Down Earth Estries' Persistent TTPs (2024)
- ESET WeLiveSecurity: LongNosedGoblin research (2025)
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.