RC RANDOM CHAOS

China-Nexus UAT-8302 Hits Govt Targets With Shared APT Toolkit

· via The Hacker News

Original source: China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions (The Hacker News)

Cisco Talos has attributed a campaign against South American and southeastern European government entities to UAT-8302, a China-nexus APT operating since at least late 2024. The group’s tooling overlaps heavily with malware previously tied to clusters like Earth Alux, Jewelbug, Earth Estries, and UNC5174, suggesting tight coordination or shared supplier infrastructure across China-aligned operators. Centerpiece payloads include NetDraft (a .NET variant of FINALDRAFT/Squidoor also tracked as NosyDoor), CloudSorcerer 3.0, Deed RAT, Zingdoor, and a Rust-based SNOWLIGHT loader called SNOWRUST that pulls down VShell.

Initial access vectors are unconfirmed but consistent with web-app zero-day and N-day exploitation. Post-compromise tradecraft is methodical: network mapping with the open-source gogo scanner, lateral movement, and persistence layered with Stowaway and SoftEther VPN as backup channels alongside the custom backdoors. The same NosyDoor family has separately surfaced in Russian IT-sector intrusions attributed to Erudite Mogwai, reinforcing the picture of a shared Chinese-speaking malware pool circulating between distinct operators.

The report dovetails with Trend Micro’s October 2025 disclosure of “Premier Pass-as-a-Service,” in which Earth Estries hands off initial access to Earth Naga for follow-on exploitation. Together these patterns complicate attribution and shorten attacker dwell-to-impact time, since downstream operators inherit footholds rather than building them, blurring the boundaries between named clusters that defenders have historically tracked as distinct.


This is an AI-generated summary. Read the original for the full story.