Executive Summary
Between late 2024 and 2025, the China-nexus advanced persistent threat (APT) group UAT-8302 targeted government entities in South America and southeastern Europe. Post-compromise activity included deployment of the custom malware families NetDraft, CloudSorcerer, and SNOWLIGHT, each previously associated with other China-aligned actors. The group carried out extensive reconnaissance, used open-source tools for automated scanning, and set up alternative backdoor access through proxy and VPN tooling. (blog.talosintelligence.com)
The tooling overlap points to sharing of malware and tradecraft among China-aligned groups, which weakens any attribution that rests on a single malware family and argues for detecting the shared behaviours (reconnaissance tooling, proxy and VPN egress, backdoor persistence) rather than malware names alone. (blog.talosintelligence.com)
Why This Matters Now
Shared tooling means detections built around one group's malware may not fire when the same families turn up in another group's hands. UAT-8302 combined custom implants with widely available tools (Impacket for reconnaissance, Stowaway and SoftEther VPN for alternative access), so the durable signals are behavioural: automated scanning from newly compromised hosts, new proxy or VPN egress paths, and backdoor persistence on web-facing systems. (blog.talosintelligence.com)
Attack Path Analysis
UAT-8302 likely gained initial access by exploiting zero-day or n-day vulnerabilities in web applications. After establishing a foothold, the group ran extensive reconnaissance with Impacket and custom PowerShell scripts to enumerate hosts and network layout, then moved laterally and deployed NetDraft and CloudSorcerer to maintain persistence. Command and control relied on backdoors supplemented by Stowaway and SoftEther VPN, which gave the operators an alternative path back in if the primary implant was removed. Sensitive data was exfiltrated to external servers. The impact included unauthorized access to government data and potential disruption of services.
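Two of the tools named above leave recognisable process-creation artefacts. The following Python is added here as an example and is not code from the Talos or Hacker News reporting or from the UAT-8302 toolset; it shows how a detection engineer would flag them in Sysmon Event ID 1 style records: Impacket wmiexec (a command spawned by WmiPrvSE.exe with output redirected to \\127.0.0.1\ADMIN$), Impacket smbexec (the __output file written to the C$ share over loopback), and the default Windows binary names of SoftEther VPN. The event records are constructed; the SoftEther filenames are assumed defaults that an operator can rename, and Stowaway, which ships as generically named Go binaries, is deliberately not covered by a filename check.

```python
"""Flag Impacket-style remote execution and VPN-client staging in
process-creation events.

Added example for this page; not code from Talos, The Hacker News, or the
UAT-8302 tooling. The events below are constructed to resemble Sysmon
Event ID 1 fields; real logs would be fed in as the same dicts.
"""
import re

# Impacket wmiexec launches its command through WmiPrvSE.exe and redirects
# output to the ADMIN$ share via loopback so it can read the result over SMB:
#   cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
WMIEXEC_PARENT = re.compile(r"\\wmiprvse\.exe$", re.IGNORECASE)
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)

# Impacket smbexec installs a service (default name BTOBTO, visible in
# Event ID 7045) whose command writes output to \\127.0.0.1\C$\__output.
# Only the command-line artefacts are checked here; both must be present.
SMBEXEC_MARKERS = ("__output", "127.0.0.1")

# Default SoftEther VPN binary names on Windows (assumption: operators can
# rename them). Stowaway has no stable filename and is not covered here.
TUNNEL_BINARIES = {"vpnserver_x64.exe", "vpnclient_x64.exe",
                   "vpnbridge_x64.exe", "vpncmd_x64.exe"}


def classify(event: dict) -> list:
    """Return the detection tags that apply to one process-creation event."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    tags = []
    if WMIEXEC_PARENT.search(parent) and WMIEXEC_REDIRECT.search(cmd):
        tags.append("impacket_wmiexec")
    if all(marker in cmd for marker in SMBEXEC_MARKERS):
        tags.append("impacket_smbexec")
    if image.rsplit("\\", 1)[-1].lower() in TUNNEL_BINARIES:
        tags.append("vpn_tunnel_binary")
    return tags


def scan(events: list) -> list:
    """Return (index, tags) for every event that triggers at least one tag."""
    return [(i, tags) for i, e in enumerate(events) if (tags := classify(e))]


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {   # wmiexec: cmd spawned by WmiPrvSE with the loopback ADMIN$ redirect
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1718102938.42 2>&1",
    },
    {   # smbexec: service-spawned cmd writing to the C$ __output file
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & C:\Windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
    },
    {   # SoftEther client started from an unusual directory
        "Image": r"C:\ProgramData\svc\vpnclient_x64.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"vpnclient_x64.exe /start",
    },
    {   # benign interactive shell
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c dir",
    },
    {   # benign WMI child: the parent alone is not enough to alert on
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"powershell.exe -Command Get-Date",
    },
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(tags)}")
```

The last sample shows why the wmiexec rule requires both conditions: legitimate WMI-launched processes also have WmiPrvSE.exe as parent, and it is the loopback ADMIN$ redirect that marks Impacket's default behaviour. An operator who edits those defaults will evade these patterns, which is why the reporting's emphasis on behaviour (new egress paths, scanning from internal hosts) matters alongside signatures like these.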
Kill Chain Progression
Initial Compromise
Description
UAT-8302 likely exploited zero-day or n-day vulnerabilities in web applications to gain initial access.
MITRE ATT&CK® Techniques
Valid Accounts (T1078)
Command and Scripting Interpreter (T1059)
Create or Modify System Process (T1543)
Process Injection (T1055)
Indicator Removal (T1070; listed in the reporting under its former name, Indicator Removal on Host)
Exfiltration Over C2 Channel (T1041)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Public-Facing Web Application Protection
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Incident Handling
Control ID: Article 21(2)(b)
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Government Administration
Primary target of the UAT-8302 campaign across South America and southeastern Europe. Priorities are segmentation between web-facing and internal systems, monitoring of encrypted egress for unsanctioned VPN and proxy tunnels, and hunting for the reconnaissance and lateral-movement tooling described above.
Information Technology/IT
Not named as a target in the reporting, but IT providers that host or administer government systems sit on the same lateral-movement paths; east-west traffic control and detection of automated scanning from compromised hosts apply directly.
Telecommunications
Not named as a target in the reporting; relevant because the group's proxy and VPN tooling depends on egress paths that telecommunications and hosting environments often leave broadly open. Default-deny egress policy and anomaly detection on long-lived encrypted outbound sessions limit that option.
Defense/Space
Not named as a target in the reporting, but a standing objective of China-aligned espionage. The same controls apply: segmentation of web-facing services, egress restriction, and detection of the shared malware families and tooling on internal hosts.
Sources
- China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions: https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html
- UAT-8302 and its box full of malware: https://blog.talosintelligence.com/uat-8302/
- NICKEL targeting government organizations across Latin America and Europe (Microsoft, 2021; earlier campaign with the same regional targeting): https://www.microsoft.com/en-us/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained by limiting exposure of vulnerable web applications through strict segmentation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing strict identity-based access controls.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely have been constrained by monitoring and controlling east-west traffic.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels may have been disrupted by providing comprehensive visibility and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely have been limited by enforcing strict egress policies.
The overall impact of unauthorized access and service disruption could have been reduced by limiting the attacker's reach and ability to exfiltrate data.
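The egress controls listed above amount to a default-deny allowlist per zone. The following Python is an added example, not Aviatrix configuration or code from the page: it evaluates constructed flow records from a web tier against an allowlist and, when a flow is denied, adds two secondary signals relevant to this campaign's tooling, a destination port matching one of SoftEther VPN's non-443 default listeners and an unusually large outbound byte count. The zone layout, rules, addresses (RFC 5737 test ranges) and byte threshold are illustrative assumptions.

```python
"""Evaluate outbound flows from a zone against a default-deny egress policy.

Added example, not an Aviatrix configuration or code from the page. Zones,
rules, addresses (RFC 5737 ranges) and thresholds are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_cidr: str
    dport: int
    proto: str = "tcp"


# Which subnets make up each zone (assumed layout).
ZONES = {"web-tier": ip_network("10.10.0.0/24")}

# Default-deny egress for the web tier: only the patch mirror and the
# TLS syslog collector are reachable; anything else is a policy violation.
POLICY = [
    Rule("web-tier", "203.0.113.10/32", 443),
    Rule("web-tier", "10.20.0.5/32", 6514),
]

# SoftEther VPN listens on 443, 992, 1194 and 5555 by default. 443 is too
# common to be a signal on its own, so only the other three are used here.
SOFTETHER_PORTS = {992, 1194, 5555}
LARGE_OUTBOUND_BYTES = 50_000_000  # assumed threshold for a web tier


def zone_of(ip: str) -> Optional[str]:
    """Return the zone whose subnet contains ip, or None if unzoned."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def evaluate(flow: dict) -> dict:
    """Apply the allowlist to one flow and annotate denials with reasons."""
    zone = zone_of(flow["src"])
    dst = ip_address(flow["dst"])
    allowed = any(
        r.src_zone == zone and dst in ip_network(r.dst_cidr)
        and r.dport == flow["dport"] and r.proto == flow["proto"]
        for r in POLICY
    )
    reasons = []
    if not allowed:
        reasons.append("no_matching_allow_rule")
        if flow["dport"] in SOFTETHER_PORTS:
            reasons.append("softether_default_port")
        if flow["bytes_out"] > LARGE_OUTBOUND_BYTES:
            reasons.append("large_outbound_volume")
    return {"verdict": "allow" if allowed else "deny", "reasons": reasons}


def audit(flows: list) -> list:
    """Return (index, result) for every denied flow."""
    results = [(i, evaluate(f)) for i, f in enumerate(flows)]
    return [(i, r) for i, r in results if r["verdict"] == "deny"]


# Constructed flow records (not real telemetry).
FLOWS = [
    {"src": "10.10.0.21", "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "bytes_out": 12_000},
    {"src": "10.10.0.21", "dst": "198.51.100.77", "dport": 5555, "proto": "tcp", "bytes_out": 85_000_000},
    {"src": "10.10.0.21", "dst": "10.20.0.5", "dport": 6514, "proto": "tcp", "bytes_out": 900_000},
    {"src": "10.10.0.33", "dst": "198.51.100.80", "dport": 443, "proto": "tcp", "bytes_out": 3_000},
]

if __name__ == "__main__":
    for index, result in audit(FLOWS):
        print(f"flow {index}: {result['verdict']} ({', '.join(result['reasons'])})")
```

The fourth flow is the important one: an unsanctioned TLS session on 443 carries no tool-specific signal at all and is caught only because the allowlist is default-deny. A VPN or proxy tunnel that an attacker runs over 443 to an arbitrary host is indistinguishable from ordinary web traffic unless the web tier is simply not permitted to originate it.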
Impact at a Glance
Affected Business Functions
- Public Administration
- Diplomatic Communications
- National Security Operations
Estimated downtime: 7 days (estimate; not reported in the cited sources)
Estimated loss: $500,000 (estimate; not reported in the cited sources)
Data at risk: confidential government documents, diplomatic communications, and sensitive national security information.
Recommended Actions
Key Takeaways & Next Steps
- Implement East-West Traffic Security to monitor and control lateral movement within the network.
- Deploy Zero Trust Segmentation to enforce least privilege access and limit the spread of malware.
- Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Establish Threat Detection & Anomaly Response mechanisms to identify and mitigate threats in real time.