A China-nexus advanced persistent threat group tracked as UAT-8302 has been quietly siphoning data from government agencies across South America and southeastern Europe since at least late 2024, according to Cisco Talos researchers. The group blends custom malware with legitimate cloud services and open-source tooling to maintain long-term access while evading detection.
What Happened
Cisco Talos identified UAT-8302 as a China-linked APT focused on gaining and maintaining persistent access to government entities worldwide. The group has been operational since late 2024, with a notable surge in activity against southeastern European government bodies through 2025. Talos analysts assessed with high confidence that UAT-8302 shares tooling and tradecraft with previously disclosed China-nexus clusters, including a group Talos tracks as LongNosedGoblin, indicating a close operational relationship between the two.
The campaign demonstrates the patience and methodical reconnaissance characteristic of state-sponsored operations. Operators conducted deep enumeration on every reachable endpoint before progressing further into target environments, a hallmark of an actor prioritizing stealth and intelligence value over speed.
What Was Taken
While Cisco Talos has not publicly enumerated specific volumes of exfiltrated data, the campaign's stated objective is sustained collection of sensitive information from government bodies. Post-compromise activity consistently focused on:
- Credential harvesting from compromised endpoints
- Active Directory enumeration and trust mapping
- Wholesale environment discovery prior to lateral movement
- Long-dwell access positioning for ongoing exfiltration
Targets span government agencies in South America and southeastern Europe, suggesting strategic intelligence collection aligned with state interests rather than opportunistic theft.
Why It Matters
UAT-8302 illustrates the maturing playbook of Chinese cyber-espionage operators: combine custom implants with commodity open-source tooling and legitimate cloud services so hostile activity is statistically indistinguishable from normal administrator behavior. For defenders, this means signature-based detection alone is insufficient. The shared tooling overlap with LongNosedGoblin also signals a broader ecosystem of cooperating clusters, increasing the operational tempo and reach of China-nexus targeting against public sector networks.
The targeting of government agencies in regions outside the typical Five Eyes focus zone underscores Beijing's expanding intelligence priorities, particularly across emerging strategic partners and competitors in Latin America and the Balkans.
The Attack Technique
Once inside a target network, UAT-8302 follows a disciplined post-compromise sequence. Operators harvest credentials, enumerate Active Directory, and use Impacket, custom PowerShell scripts, and open-source scanners to map every reachable endpoint before deploying additional malware.
The group's malware arsenal includes:
- NetDraft: A .NET-based backdoor linked to the FinDraft and SquidDoor families
- CloudSorcerer: An updated variant of the previously documented backdoor that abuses legitimate cloud services for command and control
- VSHELL: A widely seen implant in China-nexus operations
- SNAPPYBEE and ZingDoor: Deployed together in at least one documented intrusion, a pairing previously flagged by Trend Micro in 2024 reporting
By layering legitimate cloud infrastructure on top of custom backdoors, UAT-8302 makes command-and-control traffic blend into routine network activity, frustrating perimeter detection.
What Organizations Should Do
- Hunt for the named tooling: Build detections for NetDraft, CloudSorcerer, VSHELL, SNAPPYBEE, and ZingDoor indicators published by Cisco Talos and Trend Micro.
- Monitor for Impacket and PowerShell abuse: Treat unusual Impacket-style SMB and WMI activity, plus suspicious PowerShell execution, as high-priority alerts in government environments.
- Audit cloud egress traffic: CloudSorcerer abuses legitimate cloud services for C2; baseline outbound connections to cloud APIs and flag anomalous endpoints or volumes.
- Lock down Active Directory reconnaissance: Deploy honey accounts, restrict directory enumeration, and alert on bulk LDAP queries that signal early-stage mapping.
- Enforce credential hygiene: Rotate privileged credentials, enforce phishing-resistant MFA, and restrict NTLM where feasible to blunt credential harvesting.
- Threat hunt for long-dwell access: Given the group's patient tradecraft, retrospective hunts across 12 to 18 months of telemetry are warranted for any agency in scope.
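As an added illustration of the Active Directory reconnaissance item above (not code from Cisco Talos or the report), the following detector runs over constructed LDAP search log lines and flags sources issuing bulk queries within a sliding window as well as any query referencing a honey account; the log format, the threshold and the decoy account name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

HONEY_ACCOUNTS = {"svc-legacy-admin"}  # hypothetical decoy; nothing legitimate should touch it
BULK_THRESHOLD = 50                     # searches from one source ...
WINDOW = timedelta(minutes=5)           # ... inside this sliding window

# Assumed record layout: "<ISO timestamp> src=<ip> user=<account> filter=<ldap filter>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) filter=(.+)$")

def parse(lines):
    """Parse log records into (timestamp, source, user, filter) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def detect(lines):
    """Return sources doing bulk enumeration and every query that touches a honey account."""
    per_src, honey_hits = defaultdict(list), []
    for ts, src, user, flt in parse(lines):
        per_src[src].append(ts)
        if user in HONEY_ACCOUNTS or any(h in flt for h in HONEY_ACCOUNTS):
            honey_hits.append((src, user, flt))
    bulk = set()
    for src, times in per_src.items():
        times.sort()
        start = 0                                   # two-pointer sliding window per source
        for i, t in enumerate(times):
            while t - times[start] > WINDOW:
                start += 1
            if i - start + 1 >= BULK_THRESHOLD:
                bulk.add(src)
                break
    return {"bulk_sources": sorted(bulk), "honey_hits": honey_hits}

def constructed_log():
    """Constructed sample: a quiet backup job plus one workstation mapping users, groups and trusts."""
    base = datetime(2025, 3, 4, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=20 * i)).isoformat()} src=10.0.0.5 user=svc-backup filter=(objectClass=computer)" for i in range(3)]
    filters = ["(objectClass=user)", "(objectClass=computer)", "(objectCategory=group)", "(trustPartner=*)"]
    lines += [f"{(base + timedelta(seconds=2 * i)).isoformat()} src=10.0.0.23 user=jdoe filter={filters[i % 4]}" for i in range(60)]
    lines.append(f"{(base + timedelta(seconds=130)).isoformat()} src=10.0.0.23 user=jdoe filter=(sAMAccountName=svc-legacy-admin)")
    return lines

if __name__ == "__main__":
    print(detect(constructed_log()))
```

In production the threshold should be tuned against a baseline of legitimate directory-heavy processes (backup agents, inventory tools) so that only new or bursty sources alert.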
Sources: UAT-8302 Uses Custom Malware and Open-Source Tools to Steal Data From Government Agencies