Cisco Talos researchers have published detailed intelligence on UAT-8302, a China-nexus advanced persistent threat (APT) group that has been conducting long-running espionage campaigns against government agencies, with a particular focus on southeastern Europe. The group combines custom-built malware with widely available open-source tools to steal sensitive data while maintaining an extremely low profile inside compromised networks.
Who Is UAT-8302?
UAT-8302 has been active since at least late 2024, escalating operations against government bodies in southeastern Europe throughout 2025. Cisco Talos assessed with high confidence that the group is a China-nexus APT tasked primarily with gaining and maintaining long-term access to government and related entities worldwide.
Talos analysts identified significant tooling overlap between UAT-8302 and several previously disclosed China-nexus clusters, including a threat cluster they track as LongNosedGoblin. This overlap points to a close operational relationship between these groups, consistent with the modular, shared-infrastructure approach commonly observed across Chinese state-sponsored cyber operations.
What makes UAT-8302 particularly dangerous is its deliberate blending of legitimate cloud services, open-source tools, and custom malware — making it significantly harder for defenders to separate genuine network activity from a hostile intrusion.
UAT-8302’s Custom Malware Arsenal
The group deploys a well-stocked toolkit of custom and semi-custom malware families, all designed for long-term, stealthy persistence:
- NetDraft — A .NET-based backdoor linked to the FinDraft and SquidDoor family, delivered through DLL side-loading. A benign executable loads a malicious DLL-based loader, which decodes and executes NetDraft within an existing process. It communicates with its OneDrive-based C2 server via the Microsoft Graph API, blending into normal cloud traffic. Talos tracks the embedded helper library as “FringePorch.”
- CloudSorcerer v3 — An updated backdoor with shape-shifting behavior. When injected into dnapimg.exe, it collects system details and pivots into explorer.exe. When running inside spoolsv.exe, it contacts a GitHub repository to retrieve C2 information. This behavioral polymorphism complicates detection by conventional security tools.
- VSHELL — An implant used for persistent access in documented intrusions.
- SNAPPYBEE — Deployed in at least one documented intrusion, adding additional persistence capability.
- SNOWRUST — A Rust-based variant of the SNOWLIGHT stager, observed in intrusions attributed to other China-nexus clusters and used by UAT-8302 to establish initial footholds.
Open-Source Tools and Lateral Movement
UAT-8302 makes extensive use of freely available open-source tools during the post-compromise phase, a common technique to reduce forensic attribution and blend in with legitimate administrator activity:
- Network scanning: gogo, naabu, httpx, and PortQry are used to map services across internal networks and discover new systems to pivot toward
- Credential harvesting: adconnectdump.py and SharpGetUserLoginRDP harvest credentials from MobaXterm sessions and Active Directory
- Tunneling and persistence: Stowaway, a proxy tunneling tool written in Simplified Chinese, routes outside C2 traffic into infected hosts; SoftEther VPN clients were also observed for persistent remote access
- Standard frameworks: Impacket, custom PowerShell scripts, and open-source scanning engines for Active Directory enumeration and lateral movement
The attackers display a high level of patience, conducting deep and methodical reconnaissance on every endpoint they can reach before pushing further into the target environment — a hallmark of state-sponsored operations targeting high-value government infrastructure.
Attack Methodology
Once inside a network, UAT-8302 follows a thorough and structured playbook. The group collects credentials, gathers Active Directory information, and fully maps the environment before deploying additional malware or exfiltrating data. By using Microsoft OneDrive and GitHub as C2 channels, the group ensures that its malicious traffic is indistinguishable from legitimate enterprise cloud usage — a technique increasingly favored by sophisticated state-sponsored actors.
Defensive Recommendations
Government agencies and organizations that could be targeted should implement the following defenses:
- Keep endpoint detection tools updated with threat signatures for UAT-8302’s known malware families (NetDraft, CloudSorcerer, VSHELL)
- Monitor and alert on outbound traffic to cloud platforms — especially unusual Graph API calls to OneDrive and unexpected GitHub repository access from servers
- Audit and restrict DLL side-loading opportunities across all managed endpoints; monitor for unsigned DLLs loaded by known-good processes
- Regularly audit scheduled tasks and services for persistence mechanisms
- Deploy network segmentation to limit lateral movement capabilities once initial access is established
- Hunt for the open-source tools (gogo, naabu, Stowaway) used by the group — their presence outside authorized administrator workflows is a strong indicator of compromise
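As an added illustration of the monitoring and hunting recommendations above (example code, not from the Talos report), the following Python sketches three hunts over constructed telemetry: servers reaching the cloud services the group abuses for C2, signed processes loading unsigned DLLs from outside the Windows directories (the side-loading pattern used to deliver NetDraft), and the named open-source tools executing outside sanctioned administrator hosts. The host naming scheme, the allow-lists, the record layout and every sample record are assumptions made for the example.

```python
"""Hunting rules for the UAT-8302 tradecraft described above (added example)."""
import re
from dataclasses import dataclass

# --- Assumptions for this example (not from the report): naming and allow-lists ---
SERVER_PREFIXES = ("srv-", "dc-", "app-")   # hypothetical server naming scheme
ADMIN_WORKSTATIONS = {"adm-jump01"}          # hosts where scanners are sanctioned
# Cloud services the report says the group uses as C2 channels (OneDrive via Graph, GitHub).
CLOUD_C2_DOMAINS = {"graph.microsoft.com", "github.com", "api.github.com", "raw.githubusercontent.com"}
# Open-source tools named in the report; matched as whole tokens of image path + command line.
HUNT_TOOLS = {"gogo", "naabu", "httpx", "portqry", "stowaway", "adconnectdump", "sharpgetuserloginrdp"}
# Directories from which a signed Windows binary normally resolves its DLLs.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def is_server(host: str) -> bool:
    return host.lower().startswith(SERVER_PREFIXES)


def hunt_cloud_c2(proxy_logs):
    """Servers rarely have a legitimate reason to talk to Graph/OneDrive or GitHub."""
    out = []
    for rec in proxy_logs:
        dest = rec["dest"].lower()
        suspicious = any(dest == d or dest.endswith("." + d) for d in CLOUD_C2_DOMAINS)
        if is_server(rec["host"]) and suspicious:
            out.append(Finding("cloud-c2-from-server", rec["host"], f"{rec['process']} -> {rec['dest']}"))
    return out


def hunt_dll_sideload(image_loads):
    """Side-loading signature: a signed process loads an unsigned DLL from outside the Windows dirs."""
    out = []
    for ev in image_loads:
        dll = ev["dll_path"].lower()
        if ev["process_signed"] and not ev["dll_signed"] and not dll.startswith(TRUSTED_DLL_DIRS):
            out.append(Finding("unsigned-dll-sideload", ev["host"], f"{ev['process']} loaded {ev['dll_path']}"))
    return out


def hunt_tooling(process_events):
    """Scanner/tunnel tooling executed anywhere other than a sanctioned admin workstation."""
    out = []
    for ev in process_events:
        if ev["host"].lower() in ADMIN_WORKSTATIONS:
            continue
        text = (ev["image"] + " " + ev["cmdline"]).lower()
        tokens = set(re.split(r"[^a-z0-9]+", text))
        hits = sorted(HUNT_TOOLS & tokens)
        if hits:
            out.append(Finding("offensive-tooling", ev["host"], ", ".join(hits)))
    return out


# --- Constructed sample telemetry (not real IoCs) ---
PROXY_LOGS = [
    {"host": "srv-file02", "process": "dnapimg.exe", "dest": "graph.microsoft.com"},
    {"host": "ws-alice", "process": "outlook.exe", "dest": "graph.microsoft.com"},  # user workstation: expected
    {"host": "srv-print01", "process": "spoolsv.exe", "dest": "raw.githubusercontent.com"},
    {"host": "srv-file02", "process": "w3wp.exe", "dest": "update.vendor.example"},
]
IMAGE_LOADS = [
    {"host": "srv-file02", "process": "dnapimg.exe", "process_signed": True,
     "dll_path": "C:\\ProgramData\\Vendor\\version.dll", "dll_signed": False},
    {"host": "ws-alice", "process": "notepad.exe", "process_signed": True,
     "dll_path": "C:\\Windows\\System32\\version.dll", "dll_signed": True},
]
PROCESS_EVENTS = [
    {"host": "adm-jump01", "image": "C:\\tools\\naabu.exe", "cmdline": "naabu -host 10.0.0.0/24"},
    {"host": "srv-web01", "image": "C:\\Users\\Public\\Stowaway\\agent.exe", "cmdline": "agent.exe"},
    {"host": "srv-web01", "image": "C:\\Windows\\Temp\\gogo.exe", "cmdline": "gogo -i 10.0.0.0/16"},
]


def run_hunts():
    return hunt_cloud_c2(PROXY_LOGS) + hunt_dll_sideload(IMAGE_LOADS) + hunt_tooling(PROCESS_EVENTS)


if __name__ == "__main__":
    for f in run_hunts():
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The tooling hunt matches on names only, so a renamed binary slips past it; pair it with the side-load and cloud-egress rules, which key on behaviour rather than file names, and feed the same allow-lists into the SIEM rules built from the published IoCs.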
Cisco Talos has published detailed indicators of compromise (IoCs), including defanged IP addresses and domains, in its full threat intelligence report. Organizations should import these IoCs into their SIEM and threat intelligence platforms for immediate detection coverage.