A China-linked advanced persistent threat (APT) group has been identified behind cyberattacks on government entities in South America, with activity traced back to late 2024, and in southeastern Europe in 2025. Cisco Talos tracks the group as UAT-8302 and notes its use of custom malware built for specific post-exploitation tasks, tooling that overlaps with that of other known Chinese hacking groups.
Among the notable malware used by the group is a .NET-based backdoor known as NetDraft, also tracked as NosyDoor. It is a C# adaptation of FINALDRAFT, which has previously been associated with several other threat clusters, including Ink Dragon and CL-STA-0049. Researchers warn that the deployment of such backdoors against government networks puts sensitive state systems and data at risk.
ESET has attributed the use of NosyDoor to a group it calls LongNosedGoblin, and the same malware has also been used by other adversaries such as Erudite Mogwai, notably against Russian IT organizations. That sharing shows how widely tooling circulates among China-linked cyber actors.
The UAT-8302 toolkit also includes a range of other malicious utilities: CloudSorcerer, observed in attacks against Russian government entities since May 2024; SNOWLIGHT, a stager used alongside VShell that has been linked to several APT groups; and Deed RAT, Draculoader and Zingdoor. Together they show the multi-tool approach the group takes to its espionage operations.
According to Talos researchers, the malware associated with UAT-8302 points to a close operational relationship with previously identified threat clusters and to a shared tooling ecosystem among state-aligned actors. Combined with the sophistication of the tactics employed, these findings point to growing collaboration among China-aligned adversaries.
The group's initial access method remains unconfirmed but is suspected to involve exploitation of zero-day vulnerabilities in web applications. Once inside a network, the attackers carry out extensive reconnaissance to map the environment before deploying their specialized malware, such as NetDraft and CloudSorcerer, to establish footholds for further activity.
A Rust-based variant of SNOWLIGHT, dubbed SNOWRUST, has also been observed; it downloads and executes VShell payloads from remote servers. UAT-8302 additionally maintains fallback access through proxy and VPN tools, so the loss of a single implant or channel does not cost the group its foothold in a targeted organization.
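The intrusion chain described above (web-application exploitation, host reconnaissance, then a stager that fetches and runs a second stage) is the kind of sequence defenders can catch from process, network and file telemetry even without indicators. The following is an added example written for this page, not Talos tooling and not derived from any UAT-8302 sample: it runs three generic behavioural checks over constructed, Sysmon-style events. The event field names, the process names and the IP addresses are assumptions for illustration, and the ATT&CK IDs are the standard technique numbers for the behaviours, not a mapping published by the researchers.

```python
"""Behavioural detection over constructed endpoint telemetry (added example).

Checks three behaviours from the described intrusion chain:
  1. a web server worker spawning a shell (T1190, exploit public-facing app),
  2. a burst of discovery commands from one parent (T1082/T1016),
  3. outbound connection -> file write -> execution of that file (T1105,
     ingress tool transfer), the shape of a SNOWLIGHT/SNOWRUST-style stager.
Field names are assumed (loosely modelled on Sysmon). Sample data is constructed.
"""
from collections import defaultdict

WEB_SERVERS = {"w3wp", "httpd", "nginx", "tomcat", "java"}
SHELLS = {"cmd", "powershell", "pwsh", "sh", "bash"}
RECON_TOOLS = {"whoami", "ipconfig", "ifconfig", "netstat", "net", "systeminfo",
               "hostname", "tasklist", "arp", "nltest"}


def _name(image):
    """Normalise an image name: lower-case, drop a trailing .exe."""
    return image.lower().removesuffix(".exe")


def detect(events, recon_window=60, min_recon=3):
    """Return a list of (technique_id, detail) findings for the event stream."""
    procs = [e for e in events if e["type"] == "process"]
    by_pid = {e["pid"]: e for e in procs}
    findings = []

    # 1. Web-application exploitation: a web server worker spawning a shell.
    for e in procs:
        parent = by_pid.get(e["ppid"])
        if parent and _name(parent["image"]) in WEB_SERVERS and _name(e["image"]) in SHELLS:
            findings.append(("T1190", f"{parent['image']} (pid {parent['pid']}) spawned "
                                      f"{e['image']} (pid {e['pid']})"))

    # 2. Reconnaissance burst: >= min_recon distinct discovery commands from one
    #    parent inside recon_window seconds (sliding window, one finding per parent).
    recon = defaultdict(list)
    for e in procs:
        if _name(e["image"]) in RECON_TOOLS:
            recon[e["ppid"]].append(e)
    for ppid, runs in recon.items():
        runs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(runs):
            window = [r for r in runs[i:] if r["ts"] - first["ts"] <= recon_window]
            names = {_name(r["image"]) for r in window}
            if len(names) >= min_recon:
                findings.append(("T1082/T1016",
                                 f"pid {ppid} ran {sorted(names)} within {recon_window}s"))
                break

    # 3. Download-and-execute: a process connects out, later writes a file, and that
    #    file is then launched as a new process (any parent).
    for p in procs:
        pid = p["pid"]
        conns = [e for e in events if e["type"] == "network" and e["pid"] == pid]
        if not conns:
            continue
        t_conn = min(e["ts"] for e in conns)
        writes = [e for e in events if e["type"] == "file" and e["pid"] == pid and e["ts"] > t_conn]
        for w in writes:
            for child in procs:
                if child["path"].lower() == w["path"].lower() and child["ts"] > w["ts"]:
                    findings.append(("T1105", f"{p['image']} (pid {pid}) connected to "
                                              f"{conns[0]['dst']}, wrote {w['path']} and "
                                              f"executed it as pid {child['pid']}"))
    return findings


# Constructed sample telemetry: one malicious chain plus benign noise. Timestamps are
# seconds from an arbitrary origin; IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"type": "process", "ts": 0, "pid": 100, "ppid": 1, "image": "w3wp.exe", "path": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"type": "process", "ts": 5, "pid": 200, "ppid": 100, "image": "cmd.exe", "path": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "ts": 6, "pid": 201, "ppid": 200, "image": "whoami.exe", "path": r"C:\Windows\System32\whoami.exe"},
    {"type": "process", "ts": 8, "pid": 202, "ppid": 200, "image": "ipconfig.exe", "path": r"C:\Windows\System32\ipconfig.exe"},
    {"type": "process", "ts": 12, "pid": 203, "ppid": 200, "image": "netstat.exe", "path": r"C:\Windows\System32\netstat.exe"},
    {"type": "process", "ts": 40, "pid": 210, "ppid": 200, "image": "stager.exe", "path": r"C:\Users\Public\stager.exe"},
    {"type": "network", "ts": 41, "pid": 210, "dst": "203.0.113.10:443"},
    {"type": "file", "ts": 43, "pid": 210, "path": r"C:\Users\Public\svc.exe"},
    {"type": "process", "ts": 45, "pid": 211, "ppid": 210, "image": "svc.exe", "path": r"C:\Users\Public\svc.exe"},
    # benign: a user shell running a single recon command, and a browser-like download with no execution
    {"type": "process", "ts": 50, "pid": 300, "ppid": 1, "image": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"type": "process", "ts": 51, "pid": 301, "ppid": 300, "image": "cmd.exe", "path": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "ts": 52, "pid": 302, "ppid": 301, "image": "whoami.exe", "path": r"C:\Windows\System32\whoami.exe"},
    {"type": "network", "ts": 60, "pid": 300, "dst": "198.51.100.5:443"},
    {"type": "file", "ts": 61, "pid": 300, "path": r"C:\Users\a\report.pdf"},
]

if __name__ == "__main__":
    for technique, detail in detect(SAMPLE_EVENTS):
        print(technique, "-", detail)
```

On the sample data the three checks fire once each, on the web-server chain only: the benign `explorer.exe -> cmd.exe -> whoami.exe` path trips neither the web server rule nor the recon threshold, and the PDF download never executes. In production the thresholds and the allow-lists would need tuning per environment, and the file-execution check should key on a file hash rather than a path, since a stager can write and rename.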
These developments highlight not only the tactical maturity of Chinese threat actors but also a trend that Trend Micro has termed “Premier Pass-as-a-Service,” in which initial access gained by one faction is leased to another for subsequent exploitation. Such arrangements let actors streamline their operations and shorten the time spent on reconnaissance and lateral movement.
Organizations need to keep pace with these evolving threats. Mapping the tactics and techniques in use, such as initial access, persistence and privilege escalation, to the MITRE ATT&CK framework helps defenders prioritize detections and controls against increasingly sophisticated intrusions. Vigilance, proactive measures and awareness of the threat landscape make a real difference in mitigating the risks posed by advanced persistent threats.
The findings from these cybersecurity firms underscore the need for organizations to assess their exposure and strengthen their security posture. Cooperation among these advanced threat actors is a significant and growing risk to critical assets, and it demands attention from leaders across sectors.