Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
July 15, 2026
GPT-5.6 Sol Ultra AI Creates Full Chrome Exploit Chain from Patches
July 15, 2026
Critical Cursor RCE: CVE-2024-XXXXX lets Git repos auto-execute code
July 15, 2026
Home/Threats/UAT-8302 Threat Group Steals Government Data With Custom Malware
Threats

UAT-8302 Threat Group Steals Government Data With Custom Malware

Key Takeaways A China-linked advanced persistent threat (APT) group, UAT-8302, is targeting government entities in southeastern Europe. The group employs a sophisticated blend of custom malware and...

Jennifer sherman
Jennifer sherman
May 7, 2026 4 Min Read
65 0

Key Takeaways

  • A China-linked advanced persistent threat (APT) group, UAT-8302, is targeting government entities in southeastern Europe.
  • The group employs a sophisticated blend of custom malware and legitimate cloud services, making detection challenging.
  • UAT-8302 focuses on long-term data exfiltration and persistent access, indicating state-sponsored objectives.
  • The threat group utilizes a diverse arsenal of backdoors, implants, and open-source tools for reconnaissance, lateral movement, and command and control.

China-Linked APT Group UAT-8302 Exploits Custom Malware and Open-Source Tools for Government Data Theft

A highly sophisticated threat actor, identified as UAT-8302 and believed to be linked to China, has been actively engaged in cyber espionage against government organizations, particularly in southeastern Europe. Active since at least late 2024, the group significantly escalated its operations throughout 2025, demonstrating a clear objective: establish covert, long-term access to exfiltrate sensitive information.

Table Of Content

  • Key Takeaways
  • China-Linked APT Group UAT-8302 Exploits Custom Malware and Open-Source Tools for Government Data Theft
  • Methodical Reconnaissance and Evasion Tactics
  • UAT-8302’s Custom Malware Arsenal
  • Malware Deep Dive: NetDraft and CloudSorcerer
  • Open-Source Tools and Lateral Movement
  • What You Should Do

The danger posed by UAT-8302 stems from its remarkable ability to evade detection. By integrating legitimate cloud services and readily available open-source tools with its bespoke malware, the group effectively camouflages malicious activities within normal network traffic, presenting a significant challenge for defensive measures.

Researchers at Cisco Talos identified UAT-8302 as a China-nexus advanced persistent threat group, primarily tasked with acquiring and maintaining prolonged access to government and associated entities globally. Talos analysts confidently assert that UAT-8302 shares specific tools with other previously documented China-nexus clusters, including one tracked as LongNosedGoblin. This overlap in methodologies and tools suggests a close operational relationship among these groups.

Methodical Reconnaissance and Evasion Tactics

UAT-8302 exhibits exceptional patience, conducting exhaustive and systematic reconnaissance on every accessible endpoint before attempting deeper penetration into target environments. This meticulous, deliberate approach is a recognized characteristic of state-sponsored threat operations targeting high-value governmental infrastructure. Their strategy emphasizes stealth and persistence over rapid, disruptive attacks.

UAT-8302’s Custom Malware Arsenal

Once initial compromise is achieved, UAT-8302 follows a comprehensive post-compromise playbook. Their activities include credential harvesting, Active Directory information gathering, and meticulous mapping of the entire network infrastructure before deploying additional malware. This thorough understanding of the compromised environment dictates their subsequent moves.

The group leverages tools such as Impacket, custom PowerShell scripts, and open-source scanning engines to identify every reachable endpoint. This ensures a complete grasp of the network’s scope before proceeding with data exfiltration or further compromise.

The diverse array of malware families employed by UAT-8302 indicates a well-resourced and extensive toolkit. The group deploys NetDraft, a .NET-based backdoor linked to the FinDraft and SquidDoor families. They also utilize an updated version of the CloudSorcerer backdoor and the VSHELL implant. In one documented incident, UAT-8302 deployed SNAPPYBEE and ZingDoor concurrently, a tactic previously highlighted by Trend Micro in 2024 reporting on similar China-linked activities.

Malware Deep Dive: NetDraft and CloudSorcerer

NetDraft stands out as a key component of UAT-8302’s arsenal. It is typically delivered via a DLL side-loading technique, where a legitimate executable inadvertently loads a malicious DLL-based loader. This loader then decodes and executes NetDraft within an existing process on the compromised system. A critical feature of NetDraft is its use of the Microsoft Graph API for command-and-control (C2) communication, routing through OneDrive. This method allows the malware to blend seamlessly with legitimate cloud traffic, significantly hindering detection efforts. Talos refers to the embedded helper library used by NetDraft as “FringePorch.”

CloudSorcerer version 3 demonstrates adaptive behavior based on its execution environment. When injected into “dnapimg.exe,” it gathers system details and then pivots to “explorer.exe” to receive commands through a named pipe channel. Conversely, if executed within “spoolsv.exe,” it establishes contact with a GitHub repository to retrieve C2 information. This polymorphic behavior makes traditional security tools less effective. Talos also noted the presence of SNOWRUST, a Rust-based variant of the SNOWLIGHT stager, which has been observed in intrusions attributed to other China-nexus clusters.

Open-Source Tools and Lateral Movement

UAT-8302 extensively employs open-source tools for lateral movement within compromised networks. Following initial access, the group utilizes scanning utilities like gogo, naabu, httpx, and PortQry to map internal network services and identify new systems for pivoting. Credential harvesting is performed using tools such as adconnectdump.py and SharpGetUserLoginRDP, targeting MobaXterm sessions and Active Directory.

For maintaining persistent backdoor access, the group deploys Stowaway, a proxy tunneling tool developed in Simplified Chinese, which funnels external traffic into infected hosts within the enterprise. SoftEther VPN clients have also been observed in use, further enhancing their ability to maintain covert access.

What You Should Do

  • Enhance Endpoint Detection: Ensure all endpoint detection and response (EDR) tools are up-to-date with the latest threat signatures to identify UAT-8302 malware families and associated tools.
  • Monitor Cloud Traffic: Implement robust monitoring for unusual outbound traffic patterns to legitimate cloud platforms like OneDrive and GitHub, as these are exploited for C2 communications.
  • Audit Scheduled Tasks and DLL Sideloading: Regularly audit scheduled tasks and investigate any suspicious DLL side-loading behavior across all managed endpoints, as these are common initial infection vectors.
  • Strengthen Credential Management: Implement multi-factor authentication (MFA) across all accounts, especially for Active Directory and remote access services, and regularly rotate credentials.
  • Network Segmentation: Segment networks to limit lateral movement in the event of a breach, making it harder for attackers to reach high-value assets.
  • Threat Intelligence Integration: Integrate the provided Indicators of Compromise (IoCs) into your security information and event management (SIEM) systems and other security tools for proactive detection.

Indicators of Compromise (IoCs):-

Type Indicator Description
SHA256 1139b39d3cc151ddd3d574617cf11360812785019 7e9695fef0b6d78df82d6ca NetDraft / FringePorch
SHA256 e56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b NetDraft / FringePorch
SHA256 51f0cf80a56f322892eed3b9f5ecae45f143132360 0edbaea5cd1f28b437f6f2 NetDraft / FringePorch
SHA256 35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b VSHELL
SHA256 199bd156c81b2ef4fb259467a20eacaa9d861eeb2 002f1570727c2f9ff1d5dab VSHELL
SHA256 071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6 ZingDoor
SHA256 74098b17d5d95e0014cf9c7f41f2a4e4be8baefc2b0eb42d39ae05a95b08ea5 gogo
SHA256 2b627f6afe1364a7d0d832ccba87ef33a8a39f30a70a5f395e2a3cb0e2161cb3 gogo
SHA256 7c593ca40725765a0747cc3100b43a29b88ad1708ef77e915ab02686c0153001 Stowaway
SHA256 f859a67ceebc52f0770a222b85a5002195089ee442eac4bea761c29be994e2ea Stowaway
SHA256 7d9c70fc36143eb33583c30430dcb40cf9d306067594cc30ffd113063acd6292 anypoxy
SHA256 57GER1bb59491f7289b94ab0130d7065d74d2459a802a7550ebf8cd0828f0a09c4d38 PortQry scan tool
SHA256 843f8aea7842126e906cadbad8d81fa456c184fb5372c6946978a4fe115edb1c DracuLoader
SHA256 4109f15056414f25140c7027092953264944664480dd53f086acb8e07d9fccab7 SoftEther VPN
SHA256 3dec6703b2cbc6157eb67e80061d27f9190c8301c9dd60eb0be1e8b096482d7e7 SoftEther VPN
SHA256 9f115e9b32111e4dc29343a2671ab10a2b38448657b24107766dc14ce528fceb SharpGetUserLoginRDP
SHA256 b19bfca2fc3fdabf0d0551c2e66be895e49f92aedac56654b1b0f51ec66e74042 SharpGetUserLoginRDP
SHA256 45cd169bf9cd7298d972425ad0d4e98512f29de4560a155101ab7427e4f4123f4 PortQry
SHA256 fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00 PortQry
Domain www[.]drivelivelime[.]com NetDraft C2 domain
URL hxxps[://]www[.]drivelivelime[.]com/x NetDraft C2 URL
URL hxxps[://]www[.]drivelivelime[.]com/p NetDraft C2 URL
Domain msiidentity[.]com C2 domain
URL hxxps[://]msiidentity[.]com/pw C2 URL
Domain trafficmanagerupdate[.]com C2 domain
URL hxxp[://]trafficmanagerupdate[.]com/index[.]php C2 URL
Domain update-kaspersky[.]workers[.]dev C2 domain (Cloudflare Worker)
IP Address 85[.]209[.]156[.]3 Stowaway proxy / C2 server
URL hxxp[://]85[.]209[.]156[.]3:8080/wagent[.]exe Malware download URL
URL hxxp[://]85[.]209[.]156[.]3:8082/wagent[.]exe Malware download URL
IP Address 185[.]238[.]189[.]41 C2 server
IP Address 103[.]27[.]108[.]55 C2 server
IP Address 38[.]54[.]32[.]244 Malware staging server
URL hxxp[://]38[.]54[.]32[.]244/Rar[.]exe RAR archive download
IP Address 45[.]140[.]168[.]62 C2 server
IP Address 88[.]151[.]195[.]133 C2 server
IP Address 156[.]238[.]224[.]82 C2 server
IP Address 45[.]135[.]135[.]100 C2 server (anypoxy)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwareSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Scammers Evade Call Blocking with VoIP Numbers and Windows Reuse

Next Post

Fake Claude AI Installers Deliver Malware, Not Anthropic’s Chatbot

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Microsoft Confirms Dell Laptop Overheating, Shutdowns After July Windows Update
July 15, 2026
FaceTime Call Impersonation Fraud Hijacks Bank Accounts
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us