A newly exposed China-linked APT group is now considered one of the most dangerous state-aligned threats of 2026. Tracked by Cisco Talos as UAT-8302, the cluster has been quietly hitting government entities across South America since late 2024 and government agencies in Southeastern Europe through 2025 — and what makes it terrifying is not just the targets, but the way it shares custom malware with at least six other Chinese hacking groups in what researchers are calling a coordinated APT toolkit ecosystem.
If you operate a government network, run a managed service provider, or sit on the security team of any organization with ties to public-sector clients, this is the threat advisory you cannot afford to skip. We break down the full attack chain, the malware families being weaponized, the indicators of compromise (IOCs), and the exact defensive architecture every IT team should deploy this week.
Quick TL;DR UAT-8302 is a China-nexus APT that has been targeting government networks since late 2024 using a shared toolkit of custom malware including NetDraft (a C# variant of FINALDRAFT/Squidoor), CloudSorcerer 3.0, SNOWLIGHT, Deed RAT, Zingdoor, and Draculoader. The same tools have been used by Earth Estries, UNC5174, Jewelbug, REF7707, and Ink Dragon — pointing to a “Premier Pass-as-a-Service” model where Chinese APTs hand off compromised access to one another. Patch your perimeter, segment your network, and assume zero-day exploitation of every public-facing web app.
What Is the China-Linked APT UAT-8302?
UAT-8302 is the codename Cisco Talos researchers have assigned to a previously unattributed cluster of cyberattacks targeting government networks across three continents. The group is assessed as China-nexus or Chinese-speaking based on its tooling, operational patterns, and overlapping infrastructure with several already-identified Chinese state-aligned APT actors.
What sets this China-linked APT apart from earlier discoveries is the shared malware ecosystem. UAT-8302 is not operating with bespoke tooling built only for itself. Instead, the cluster reuses custom-built backdoors, loaders, and stagers that have also been deployed by Earth Estries, UNC5174, UAT-6382, Jewelbug, Ink Dragon, and CL-STA-0049. According to Talos, this points to either direct collaboration between the groups or a centralized supplier providing tooling to multiple operators.
For a defender, the practical implication is brutal: a single set of detection signatures can light up activity from half a dozen separate Chinese APT clusters at once — but only if you have the right telemetry in place to spot them.
Confirmed targets so far:
- Government entities in South America (active since late 2024)
- Government agencies in Southeastern Europe (active through 2025)
- Russian IT organizations (separately, by an associated cluster called Erudite Mogwai / Space Pirates / Webworm)
- Adjacent targets: managed service providers (MSPs), hosting providers, and IT vendors with downstream government clients
Key facts about the China-linked APT UAT-8302:
- Attribution confidence: China-nexus / Chinese-speaking (high)
- Active since: Late 2024
- Public disclosure: May 5, 2026 (Cisco Talos)
- Malware families: NetDraft (NosyDoor), CloudSorcerer 3.0, SNOWLIGHT, SNOWRUST, VShell, Deed RAT (Snappybee), Zingdoor, Draculoader
- Auxiliary tools: Stowaway, SoftEther VPN, gogo (network scanner)
- Linked groups: Earth Estries, UNC5174, UAT-6382, Jewelbug, Ink Dragon, CL-STA-0049, REF7707, LongNosedGoblin, Earth Naga
- Initial access vector: Suspected zero-day and N-day exploitation of public-facing web applications
Why This China-Linked APT Matters for Every IT Team in 2026
You might be reading this thinking: “I run a small business. Why do I care about a state-sponsored APT targeting governments in Romania and Brazil?”
Three reasons.
First, the supply chain is the target. UAT-8302 and its associated clusters have repeatedly hit MSPs, hosting providers, and IT vendors as a way to reach their real targets. If your business sits anywhere in the supply chain of a government client — a contractor, a SaaS vendor, a network integrator — you are an attractive stepping stone. The recent cPanel CVE-2026-41940 exploitation campaign showed exactly the same pattern, with attackers explicitly going after MSPs to compromise their downstream tenants. Our detailed breakdown of the cPanel vulnerability and 7-step patch guide covers the full mechanics of that campaign.
Second, the tools migrate down the food chain. Custom APT malware does not stay exclusive to its creators for long. The same NetDraft/NosyDoor/Squidoor family has already shown up in attacks against Russian IT firms by a separate cluster. Within twelve months, expect cybercriminal groups and ransomware affiliates to repurpose these tools for financially-motivated campaigns against small businesses. The 2026 attack pattern is unmistakable.
Third, perimeter exploitation is now the universal entry point. UAT-8302’s suspected initial-access method is the same one being used by every major threat actor in 2026 — exploiting zero-day and N-day vulnerabilities in public-facing web applications, firewalls, VPNs, and control panels. If your perimeter is not hardened, you are not just exposed to one Chinese APT. You are exposed to all of them, plus every cybercriminal group reading the same exploit feeds.
For organizations running on outdated firewall hardware, this is the moment to upgrade. Our authorized-reseller catalog at Jazz Cyber Shield carries the latest enterprise firewalls from SonicWall, Fortinet, Cisco, and WatchGuard, with full IPS and threat intelligence subscriptions configured for 2026 threat landscapes.
The UAT-8302 Malware Arsenal — What Defenders Need to Know
The China-linked APT UAT-8302 deploys a layered toolkit, with each piece of malware playing a specific role in the kill chain. Understanding what each one does is essential for writing the right detections.
NetDraft (also known as NosyDoor / LuckyStrike Agent / Squidoor variant). A .NET-based backdoor and the operational centerpiece of UAT-8302 campaigns. NetDraft is a C# rewrite of the FINALDRAFT family that was previously linked to Ink Dragon, CL-STA-0049, Earth Alux, Jewelbug, and REF7707 clusters. ESET tracks the same malware under the name “LongNosedGoblin,” while Russian cybersecurity firm Solar refers to it as LuckyStrike Agent when deployed by Erudite Mogwai (Space Pirates / Webworm) against Russian targets. Same backdoor, three different names, multiple operators.
CloudSorcerer (version 3.0). A backdoor first observed in attacks against Russian entities since May 2024. Now actively deployed by UAT-8302 against South American and European government targets, indicating tooling crossover between Chinese state operations targeting different geopolitical zones.
SNOWLIGHT. A staging payload that downloads and runs VShell, an open-source post-exploitation framework. Talos has previously documented SNOWLIGHT use by UNC5174, UNC6586, and UAT-6382. UAT-8302 has now added a Rust-based variant called SNOWRUST that performs the same staging function with improved evasion.
VShell. An open-source post-exploitation tool — essentially a Chinese-language equivalent of Cobalt Strike or Sliver. Heavily used across Chinese APT operations because it provides full remote shell access while looking generic enough to plausibly appear in legitimate red-team activity.
Deed RAT (also known as Snappybee). A successor to the infamous ShadowPad backdoor, deployed by Earth Estries and now adopted into UAT-8302 operations. ShadowPad has been a fixture of Chinese state cyber operations for years, and Deed RAT inherits its modular plugin architecture.
Zingdoor. Another Earth Estries-linked backdoor that has migrated into UAT-8302 toolkits. Used primarily for long-term persistence and credential harvesting.
Draculoader. A generic shellcode loader used to deliver Crowdoor and HemiGate, two additional China-nexus backdoors. The presence of Draculoader in a network is a strong indicator that one of these later-stage payloads is incoming.
Auxiliary tools. UAT-8302 supplements its custom malware with Stowaway (a Chinese-language tunneling tool), SoftEther VPN (for command-and-control egress that blends with legitimate VPN traffic), and gogo — an open-source automated network scanner used during the lateral movement phase to enumerate every host, service, and credential across the compromised environment.
The 5-Stage Attack Chain: How UAT-8302 Operates
Based on Cisco Talos analysis of multiple confirmed intrusions, the UAT-8302 attack chain follows a consistent five-stage pattern. Understanding each stage tells your blue team where to focus detection effort.
Stage 1 — Initial Access via Web Application Exploitation. The attackers gain entry by weaponizing zero-day or N-day vulnerabilities in public-facing web applications. This is the same playbook used by virtually every major APT in 2026 — and the same one used in the recent SonicWall and Cisco firewall campaigns. If your perimeter contains an unpatched web application, an exposed admin panel, or an outdated CMS, that is your most likely entry point. For a comprehensive look at how perimeter exploitation has dominated 2026, our SonicWall and Fortinet firewall attacks deep-dive walks through the same access pattern.
Stage 2 — Reconnaissance. Once inside, UAT-8302 deploys the gogo scanner to enumerate the entire network — hosts, ports, services, shares, and authentication endpoints. This is loud activity if your endpoint detection and response (EDR) platform is tuned correctly, but the noise gets lost in normal IT operations on networks without proper baselining.
Stage 3 — Lateral Movement. With network mapping complete, the attackers move laterally using legitimate Windows tooling (living-off-the-land binaries) supplemented with Stowaway tunneling. This phase often lasts weeks before the attackers commit to deploying their main backdoors.
Stage 4 — Backdoor Deployment. The kill chain culminates with the deployment of NetDraft, CloudSorcerer 3.0, and VShell (delivered via SNOWLIGHT or SNOWRUST). These backdoors are configured for long-term, low-volume command-and-control communications — the goal is multi-month persistence, not flash-in-the-pan smash-and-grab.
Stage 5 — Persistence and Egress. UAT-8302 establishes redundant access using SoftEther VPN tunnels and proxy infrastructure that blends in with legitimate corporate VPN traffic. Even if defenders find and remove one backdoor, secondary access channels remain. This is why a “patch and remove the malware” response is insufficient — full network rebuild is often necessary.
5 Indicators of Compromise (IOCs) Every SOC Team Should Hunt For
If you have ever had a public-facing web app that was unpatched in 2024 or 2025, run these hunts immediately.
- Unusual outbound traffic to SoftEther VPN endpoints. Particularly to IPs in Asia-Pacific that do not match normal employee VPN patterns. UAT-8302 uses SoftEther specifically because it looks legitimate.
- gogo scanner activity inside your network. Look for high-velocity TCP connect attempts across your internal address space from a single internal source — this is classic lateral-movement reconnaissance and gogo’s signature.
- .NET assemblies loading from unusual paths. NetDraft is a .NET binary, and it often executes from user-writable directories like %APPDATA%, %TEMP%, or C:\ProgramData\. EDR platforms should alert on .NET execution from these locations.
- Stowaway command-line patterns. Stowaway typically uses recognizable command-line flags during deployment. Endpoint detection rules tuned to Stowaway’s CLI patterns will catch tunneling attempts.
- Unexpected VShell or Cobalt Strike-like beaconing. VShell traffic patterns mirror Cobalt Strike’s beacon behavior — periodic small HTTPS requests to command-and-control infrastructure with consistent intervals. Network detection and response (NDR) platforms tuned for beaconing will flag this.
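Three of the hunts above (gogo-style internal sweeps, .NET execution from user-writable directories, and beacon-shaped periodic connections) as an added Python example. This is not code from the original article, from Cisco Talos, or from any of the vendors named; it runs over constructed sample records embedded in the script. The internal address ranges (INTERNAL_NETS), the idea that a .NET process reveals itself by loading clr.dll, coreclr.dll or mscoree.dll (as a Sysmon ImageLoad event would record), and the thresholds are assumptions made here for illustration and should be tuned against your own baseline.

```python
"""Hunt for three UAT-8302-style IOCs over constructed sample telemetry."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: the organisation's internal address space (not from the page).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumption: a .NET process is recognised by loading the CLR runtime module.
CLR_MODULES = {"clr.dll", "coreclr.dll", "mscoree.dll"}
# User-writable locations from the IOC list, as lower-cased path fragments.
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "c:\\programdata\\")

# --- Constructed sample data (not real telemetry) -------------------------
# Flow records: (unix_ts, src_ip, dst_ip, dst_port)
FLOWS = []
# a gogo-style sweep: one host touching 80 internal hosts on 445 in 8 seconds
FLOWS += [(1000.0 + i * 0.1, "10.0.5.20", f"10.0.5.{i}", 445) for i in range(1, 81)]
# a beacon: HTTPS to one external host every ~60 s with +/-0.5 s jitter
FLOWS += [(2000.0 + i * 60 + (0.5 if i % 2 else -0.5), "10.0.7.33", "203.0.113.9", 443)
          for i in range(10)]
# benign browsing: irregular timing, few connections per destination
FLOWS += [(3000.0, "10.0.7.40", "198.51.100.5", 443), (3007.0, "10.0.7.40", "198.51.100.5", 443),
          (3100.0, "10.0.7.40", "198.51.100.8", 443), (3102.0, "10.0.7.40", "198.51.100.5", 443)]

# Module-load records: (process image path, loaded module path)
IMAGE_LOADS = [
    (r"C:\Users\alice\AppData\Roaming\svc\update.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
    (r"C:\Program Files\Vendor\app.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
    (r"C:\ProgramData\cache\helper.exe", r"C:\Windows\System32\kernel32.dll"),
    (r"C:\Windows\Temp\x.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def find_internal_scanners(flows, window=30.0, min_targets=20):
    """Return {src: distinct internal (host, port) targets hit within any
    `window` seconds} for sources at or above min_targets. A sweep touches
    many targets from one source in seconds; ordinary clients do not."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if is_internal(dst):
            by_src[src].append((ts, (dst, dport)))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        live, left, best = Counter(), 0, 0
        for ts, target in events:           # sliding window over time
            live[target] += 1
            while ts - events[left][0] > window:
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            best = max(best, len(live))
        if best >= min_targets:
            hits[src] = best
    return hits


def find_dotnet_from_writable_dirs(loads):
    """Return process images that load the CLR while running from a
    user-writable directory (the NetDraft pattern named in the IOC list)."""
    flagged, seen = [], set()
    for image, module in loads:
        mod_name = module.lower().rsplit("\\", 1)[-1]
        if mod_name not in CLR_MODULES:
            continue
        if any(frag in image.lower() for frag in WRITABLE_DIRS) and image not in seen:
            seen.add(image)
            flagged.append(image)
    return flagged


def find_beacons(flows, min_conns=6, max_jitter=0.15):
    """Return {(src, dst, port): mean interval} for pairs whose inter-connection
    gaps are near-constant (coefficient of variation <= max_jitter), the
    periodic shape of VShell / Cobalt Strike style beaconing."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


def run_hunts(flows=FLOWS, loads=IMAGE_LOADS):
    return {"scanners": find_internal_scanners(flows),
            "dotnet_from_writable": find_dotnet_from_writable_dirs(loads),
            "beacons": find_beacons(flows)}


if __name__ == "__main__":
    for name, result in run_hunts().items():
        print(f"{name}: {result}")
```

On the sample data the sweep host 10.0.5.20 is flagged with 80 distinct targets, the two CLR-loading processes under AppData and Windows\Temp are flagged while the one under Program Files is not, and only the 10.0.7.33 to 203.0.113.9:443 pair passes the jitter test. In production, feed the three functions from your flow collector and Sysmon/EDR module-load events, and raise min_targets and min_conns until your own baseline stops tripping them.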
For a continuous monitoring workflow that catches these IOCs in real time, our free network monitoring tools guide walks through the open-source stack you can deploy in under an hour.
6-Step Defensive Playbook Against UAT-8302 and Shared APT Tooling
Here is the exact defensive sequence every IT team should run this week.
Step 1 — Patch every public-facing web application. Initial access for UAT-8302 is web app exploitation. If you have an unpatched WordPress instance, Confluence server, GitLab installation, or admin panel exposed to the internet, that is your most likely breach vector. Run a full vulnerability scan today.
Step 2 — Deploy a next-generation firewall with IPS at the perimeter. A properly configured next-gen firewall with intrusion prevention signatures will block known APT infrastructure, beaconing patterns, and exploit attempts before they reach your servers. For small and mid-sized organizations, our buyer’s guide to the best firewalls for small businesses in 2026 ranks the top SonicWall, Fortinet, Cisco, and WatchGuard options by price point.
Step 3 — Implement Zero Trust Network Access (ZTNA) for all administrative interfaces. Never expose VPN portals, admin panels, RDP, or management interfaces to the public internet. Place every administrative service behind an identity-verified ZTNA gateway. Our complete Zero Trust Network Security guide for 2026 covers the full implementation roadmap.
Step 4 — Segment your network aggressively. Once UAT-8302 is inside, lateral movement is what amplifies the breach into a catastrophe. Strong network segmentation with VLANs, micro-segmentation, and east-west traffic inspection makes the gogo reconnaissance phase fail. A flat network is a fully-compromised network the moment one host falls.
Step 5 — Deploy EDR across every endpoint. Custom .NET backdoors like NetDraft are detectable by modern endpoint detection and response platforms — but only on endpoints where EDR is actually installed. Coverage gaps are where APTs live. Audit every server, workstation, and virtual machine to confirm EDR is deployed and reporting.
Step 6 — Subscribe to threat intelligence feeds and act on them. Cisco Talos, ESET, Solar, and Trend Micro all publish IOCs for these clusters within hours of detection. Your firewall, EDR, and SIEM platforms need to consume these feeds and auto-block the indicators. Manual quarterly threat hunting is not a 2026-grade defense.
The Bigger Story — Premier Pass-as-a-Service and the New China APT Economy
The most strategically important finding from the UAT-8302 disclosure is not the malware itself. It is the operational model that researchers are now calling Premier Pass-as-a-Service.
According to Trend Micro’s October 2025 analysis, initial access obtained by one Chinese APT (Earth Estries) is being passed to a second Chinese APT (Earth Naga) for follow-on exploitation. The first group does the hard work of breaching the perimeter, and the second group walks in through the open door to do the real espionage. This division of labor lets each cluster specialize — one in initial access, the other in long-term persistence — while collectively obscuring attribution.
For defenders, the implication is fundamental: you cannot model threats as single-actor campaigns anymore. A breach today by one Chinese APT may sit dormant for months before a second Chinese APT activates it. That is why patching after a known intrusion is not enough — the access has likely already been handed off.
The original Cisco Talos technical report on UAT-8302 is available here on The Hacker News for full technical detail, and we strongly recommend that every IT director, SOC analyst, and CISO read the original analysis alongside this defense-focused breakdown.
Frequently Asked Questions About the China-Linked APT UAT-8302
Q1. Is the China-linked APT UAT-8302 only targeting governments? The confirmed targets are governments in South America and Southeast Europe, plus Russian IT firms via an associated cluster. However, MSPs, hosting providers, and IT vendors with government client relationships are highly likely secondary targets, and the same tools are expected to migrate to cybercriminal groups within 12 months.
Q2. How does UAT-8302 differ from other Chinese APTs like Volt Typhoon or Salt Typhoon? Volt Typhoon and Salt Typhoon are focused on critical infrastructure and telecommunications espionage. UAT-8302 is focused on government and supply-chain targets, and is notable for sharing tooling with multiple other Chinese clusters rather than operating as a standalone unit.
Q3. My organization is not in South America or Southeast Europe. Am I safe? No. The malware families used by UAT-8302 — NetDraft, CloudSorcerer, SNOWLIGHT, Deed RAT, Zingdoor — have been deployed by associated Chinese APT groups against targets across Asia, Europe, the Americas, and Russia. Geographic targeting can shift rapidly.
Q4. What is the single most important defensive action I should take this week? Patch every public-facing web application and deploy a next-generation firewall with IPS at your perimeter. Initial access via web app exploitation is the universal entry point for UAT-8302 and virtually every other APT in 2026.
Q5. How do I know if I have been compromised by UAT-8302? Look for the IOCs above (gogo scanner activity, .NET binaries from unusual paths, Stowaway CLI patterns, SoftEther VPN tunnels, VShell beaconing). If you find any of these, engage an incident response firm immediately — do not attempt to clean the network yourself.
Q6. Will antivirus software catch NetDraft and CloudSorcerer? Signature-based antivirus alone is insufficient against custom APT malware. You need behavioral EDR with up-to-date threat intelligence feeds, plus network detection capabilities to catch beaconing and tunneling activity.
Final Word — The China-Linked APT Threat Is Not Slowing Down
The China-linked APT UAT-8302 disclosure is the second major Chinese APT exposure of 2026, following the Silk Typhoon extradition and ongoing Earth Estries operations. The pattern is now clear: Chinese state-aligned cyber operations are shifting from isolated unit-by-unit campaigns to a shared toolkit ecosystem where multiple groups operate from a common malware library, share initial access through Premier Pass-as-a-Service models, and maintain multi-year persistence inside government and supply-chain targets.
For every business — small, medium, or enterprise — the defensive answer is the same. Harden the perimeter. Adopt zero trust. Segment the network. Deploy EDR everywhere. Consume threat intelligence feeds in real time. And assume that any unpatched public-facing application has already been weaponized by someone, somewhere.
If you need the hardware to build that defensive perimeter, Jazz Cyber Shield supplies SonicWall, Fortinet, Cisco, WatchGuard, and HPE Aruba enterprise security appliances at authorized-reseller pricing with full configuration and threat intelligence subscriptions. For organizations that lost a quarter of their security budget to last year’s ransomware payout, the cost of a properly configured next-gen firewall is rounding error.
Patch your perimeter. Architect for zero trust. And assume the next Chinese APT is already inside someone in your supply chain — because statistically, it is.