UAT-8302’s Global Espionage Machine Is Hijacking Governments via the Cloud
The Chinese cyber-espionage collective UAT-8302 has, for nearly a year, conducted surreptitious incursions against governmental entities across South America and Europe, utilizing a sophisticated arsenal linked to several prominent Chinese threat actors. Analysts at Cisco Talos posit that these adversaries are singularly focused on long-term infiltration and the sustained preservation of access within the critical infrastructure of their victims.
Initial hostilities against South American organizations were documented in late 2024, yet by 2025, the group’s focus shifted toward administrative departments in Southeastern Europe. Upon a successful breach, UAT-8302 systematically harvests sensitive data, purloins credentials, and facilitates lateral movement throughout the internal network by employing a mixture of open-source utilities and proprietary malware.
A pivotal discovery in this campaign is the NetDraft backdoor. Authored in C#, the program is intrinsically linked to the FinalDraft or SquidDoor families, previously attributed to the Chinese collective Jewelbug (also recognized as REF7707, CL-STA-0049, or LongNosedGoblin). Cisco Talos highlighted that NetDraft has historically surfaced in assaults targeting governmental bodies in Southeast Asia and Japan, as well as Russian information technology firms.
NetDraft leverages the Microsoft Graph API and OneDrive cloud storage to facilitate communication with its command-and-control infrastructure. Once an infection is established, the malware can execute arbitrary commands, exfiltrate files, and manage system content. To ensure persistence, the adversaries orchestrate the creation of obscured tasks within the Windows Task Scheduler.
Furthermore, the group has deployed CloudSorcerer v3, a utility previously associated by Kaspersky Lab with incursions against Russian state structures. This malware masquerades as legitimate system processes and receives its mandates via GitHub, OneDrive, Dropbox, and even profiles on gaming platforms. The program is capable of comprehensive system reconnaissance, command execution, and process injection within the Windows environment.
The campaign also featured the VSHELL malware, complemented by SNOWLIGHT loaders and a novel iteration of SNOWRUST authored in the Rust programming language. Investigators discovered that SNOWRUST decrypts components of SNOWLIGHT, which subsequently deploy the final payload—a methodology previously observed in operations by Chinese groups UNC5174 and UNC6586.
During the reconnaissance phase, UAT-8302 aggressively utilizes PowerShell, Impacket, and various infrastructure scanning utilities. The actors aggregate intelligence regarding Active Directory users, network shares, Windows event logs, and security configurations. To identify further targets within the perimeter, the group conducts expansive address scanning and probes for accessible SMB resources.
To escalate their access, the assailants utilize remote command execution tools via WMI and the Windows Task Scheduler. Additionally, specialists noted attempts to harvest credentials from MobaXterm, alongside the deployment of Chinese utilities designed for configuring proxy servers and VPN tunnels within the compromised environment.
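The tradecraft described above (scheduled-task persistence, remote execution through WMI, and reconnaissance of AD users, shares and event logs) maps onto telemetry a defender already collects. The following is an added hunting example, not code from Cisco Talos or the article; it runs over constructed records in a simplified Windows Security-log shape (Event IDs 4698 and 4688), and the host names, user names and command lines are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified Windows Security-log shape (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "srv-fin01", "SubjectUser": "CORP\\jdoe",
     "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Refresh"},
    {"EventID": 4688, "Computer": "srv-fin01", "SubjectUser": "CORP\\jdoe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /Q /c net view /domain"},
    {"EventID": 4688, "Computer": "srv-fin01", "SubjectUser": "CORP\\jdoe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil qe Security /c:50 /f:text"},
    {"EventID": 4698, "Computer": "ws-hr07", "SubjectUser": "NT AUTHORITY\\SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"EventID": 4688, "Computer": "ws-hr07", "SubjectUser": "CORP\\asmith",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Reconnaissance the article attributes to the actor: AD users, shares, event logs, security config.
RECON_RE = re.compile(r"\b(net (view|group|user)|Get-AD\w+|wevtutil|secedit)\b", re.I)


def classify(ev):
    """Map one event to a TTP label drawn from the article, or None if it matches nothing."""
    if ev["EventID"] == 4698:
        # Persistence: a task created under the stock \Microsoft\Windows\ tree by an
        # interactive user (not SYSTEM) blends in with built-in tasks and deserves review.
        under_ms = ev["TaskName"].startswith("\\Microsoft\\Windows\\")
        if under_ms and not ev["SubjectUser"].endswith("\\SYSTEM"):
            return "scheduled-task-persistence"
        return None
    if ev["EventID"] == 4688:
        parent, child = ev["ParentImage"].lower(), ev["NewProcessName"].lower()
        # Remote execution via WMI: the WMI provider host spawning a shell on the target.
        if parent.endswith("\\wmiprvse.exe") and child.endswith(("\\cmd.exe", "\\powershell.exe")):
            return "wmi-remote-exec"
        if RECON_RE.search(ev["CommandLine"]):
            return "ad-share-log-recon"
    return None


def hunt(events, min_signals=2):
    """Return {host: sorted TTP labels} for hosts showing at least min_signals distinct TTPs."""
    seen = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            seen[ev["Computer"]].add(label)
    return {host: sorted(labels) for host, labels in seen.items() if len(labels) >= min_signals}


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # only srv-fin01 shows several of the campaign's TTPs together
```

Requiring two or more distinct signals per host keeps a lone benign scheduled task or a single admin `net view` from paging anyone, while the combination the article describes still surfaces.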
Cisco Talos observes that UAT-8302’s toolkit exhibits significant overlap with multiple established Chinese cyber-groups, including Earth Estries, Earth Naga, and LongNosedGoblin. Analysts conclude that these campaign participants either engage in intimate collaboration or share access to a centralized repository of malware and infrastructure.