Cisco Talos disclosed on May 5, 2026 that UAT-8302, a China-nexus APT group, has conducted government espionage campaigns against South American agencies beginning in late 2024 and southeastern European government agencies through 2025. The group deploys a shared arsenal of custom malware families used across multiple Chinese-aligned threat actor clusters — including NetDraft/NosyDoor, CloudSorcerer v3.0, Deed RAT, and Draculoader — with tool overlap confirmed against Ink Dragon, Earth Alux, Jewelbug, and REF7707, according to Cisco Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White.
UAT-8302’s Simultaneous Campaigns Targeting Government Agencies on Two Continents
Cisco Talos documented UAT-8302 operating against government entities in two separate regions in overlapping timeframes. South American government agencies were targeted beginning in late 2024. Southeastern European government agencies were targeted through 2025. The Talos research, published May 5, 2026, attributes both campaigns to the same threat actor cluster based on shared malware infrastructure and tooling.
No CVEs were disclosed in connection with UAT-8302’s intrusion operations. Talos assessed that initial access was achieved through exploitation of N-day and zero-day vulnerabilities in web applications, based on the behavioral evidence gathered across both regional campaigns.
Malware Arsenal: Six Custom Families Shared Across Chinese APT Designations
UAT-8302 deploys six documented custom malware families in post-exploitation phases of its campaigns:
- NetDraft / NosyDoor — a .NET-based backdoor
- CloudSorcerer v3.0 — previously documented in Chinese APT operations
- SNOWLIGHT / VShell stagers — lightweight loaders used in initial access and staging phases
- Deed RAT (Snappybee) — a modular remote access tool
- Zingdoor — additional backdoor capability
- Draculoader — shellcode loader used to deliver subsequent payloads
Talos confirmed that this malware set overlaps with tooling used by four separately designated Chinese-speaking threat actor clusters: Ink Dragon, Earth Alux, Jewelbug, and REF7707. The tool-sharing model means that organizations monitoring for indicators attributed to any of those four groups may be observing activity by the same underlying capability pool that UAT-8302 draws from.
Shared Infrastructure and Tool-Sharing Across Chinese APT Clusters Complicates Attribution and Defense
The documented overlap between UAT-8302’s tools and the arsenals of Ink Dragon, Earth Alux, Jewelbug, and REF7707 reflects a coordinated infrastructure and development model among Chinese-aligned APT operations. When multiple threat actor designations share malware families and command-and-control infrastructure, indicator-based detection approaches tied to a single named group provide incomplete coverage.
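One way to act on this point in a detection program is to key coverage on malware families rather than on actor names, and to compute the full pool of families reachable through shared tooling before deciding what a "tracks Ink Dragon" rule set actually covers. The following is an added example, not code from Cisco Talos or from the disclosure: the family and actor names come from the article, but the specific family-to-actor assignments in the table are a constructed, hypothetical mapping used only to illustrate the closure computation (Talos did not publish a per-family attribution table here).

```python
from collections import defaultdict

# CONSTRUCTED mapping: malware family -> actor designations assumed to use it.
# Family and actor names are from the Talos disclosure; the assignments below are
# a hypothetical illustration, not Talos's attribution data.
FAMILY_TO_ACTORS = {
    "NetDraft/NosyDoor": {"UAT-8302", "Ink Dragon"},
    "CloudSorcerer v3.0": {"UAT-8302", "Earth Alux"},
    "SNOWLIGHT/VShell stagers": {"UAT-8302", "Jewelbug"},
    "Deed RAT (Snappybee)": {"UAT-8302", "Ink Dragon", "REF7707"},
    "Zingdoor": {"UAT-8302", "Earth Alux"},
    "Draculoader": {"UAT-8302", "REF7707"},
    # Hypothetical unrelated cluster, included to show the closure does not over-merge.
    "Hypothetical-Tool-Z": {"Hypothetical-Actor-X"},
}


def actors_to_families(mapping):
    """Invert family -> actors into actor -> families."""
    inv = defaultdict(set)
    for family, actors in mapping.items():
        for actor in actors:
            inv[actor].add(family)
    return inv


def capability_pool(mapping, seed_actor):
    """Transitive closure over the shared-tooling graph.

    Starting from one actor designation, collect every family it uses, every
    actor that uses any of those families, and so on until nothing new appears.
    Returns (actors_in_pool, families_in_pool).
    """
    inv = actors_to_families(mapping)
    actors = {seed_actor}
    families = set()
    frontier = {seed_actor}
    while frontier:
        new_families = set()
        for actor in frontier:
            new_families |= inv[actor]
        new_families -= families
        families |= new_families
        reached = set()
        for family in new_families:
            reached |= mapping[family]
        frontier = reached - actors
        actors |= frontier
    return actors, families


def coverage_gap(mapping, tracked_actor):
    """Families in the shared pool that indicators keyed only on tracked_actor would miss."""
    inv = actors_to_families(mapping)
    _, pool = capability_pool(mapping, tracked_actor)
    return pool - inv[tracked_actor]


if __name__ == "__main__":
    for actor in ("Ink Dragon", "UAT-8302", "Hypothetical-Actor-X"):
        pool_actors, pool_families = capability_pool(FAMILY_TO_ACTORS, actor)
        print(f"{actor}: pool spans {len(pool_actors)} actors, {len(pool_families)} families")
        print(f"  gap if tracking only {actor}: {sorted(coverage_gap(FAMILY_TO_ACTORS, actor))}")
```

Under this constructed mapping, a program that tracks only Ink Dragon's named indicators is blind to four of the six families in the pool, while the unrelated hypothetical cluster stays isolated, which is the property a defender wants before merging coverage across designations.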
Talos’ attribution of UAT-8302 is based on malware overlap with multiple Chinese-speaking threat actor groups rather than direct attribution to a specific Chinese government unit.
Government Targets in South America and Southeastern Europe
UAT-8302’s targeting of South American government agencies represents the continuation of a documented Chinese APT focus on government entities in a region where China maintains active diplomatic and economic engagement. The simultaneous southeastern European campaign adds a second regional theater to UAT-8302’s documented operations.
Talos did not publicly name specific government agencies or countries targeted within South America or southeastern Europe in the May 5 disclosure. The campaigns’ multi-year duration — with South American operations active since late 2024 and southeastern European operations tracked through 2025 — indicates sustained access objectives rather than opportunistic or one-time intrusions.
Cisco Talos Research Team Attribution
The UAT-8302 findings were published by Cisco Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White on May 5, 2026. The disclosure follows Talos’ standard practice of publishing technical research on APT groups and their associated malware families. The Talos team provided technical indicators, malware family descriptions, and tool-overlap analysis across the four related Chinese threat actor designations in the published research.
