UAT-8302 Threat Group Steals Government Data With Custom Malware
Key Takeaways A China-linked advanced persistent threat (APT) group, UAT-8302, is targeting government entities in southeastern Europe. The group employs a sophisticated blend of custom malware and...
Key Takeaways
- A China-linked advanced persistent threat (APT) group, UAT-8302, is targeting government entities in southeastern Europe.
- The group employs a sophisticated blend of custom malware and legitimate cloud services, making detection challenging.
- UAT-8302 focuses on long-term data exfiltration and persistent access, indicating state-sponsored objectives.
- The threat group utilizes a diverse arsenal of backdoors, implants, and open-source tools for reconnaissance, lateral movement, and command and control.
China-Linked APT Group UAT-8302 Exploits Custom Malware and Open-Source Tools for Government Data Theft
A highly sophisticated threat actor, identified as UAT-8302 and believed to be linked to China, has been actively engaged in cyber espionage against government organizations, particularly in southeastern Europe. Active since at least late 2024, the group significantly escalated its operations throughout 2025, demonstrating a clear objective: establish covert, long-term access to exfiltrate sensitive information.
Table Of Content
- Key Takeaways
- China-Linked APT Group UAT-8302 Exploits Custom Malware and Open-Source Tools for Government Data Theft
- Methodical Reconnaissance and Evasion Tactics
- UAT-8302’s Custom Malware Arsenal
- Malware Deep Dive: NetDraft and CloudSorcerer
- Open-Source Tools and Lateral Movement
- What You Should Do
The danger posed by UAT-8302 stems from its remarkable ability to evade detection. By integrating legitimate cloud services and readily available open-source tools with its bespoke malware, the group effectively camouflages malicious activities within normal network traffic, presenting a significant challenge for defensive measures.
Researchers at Cisco Talos identified UAT-8302 as a China-nexus advanced persistent threat group, primarily tasked with acquiring and maintaining prolonged access to government and associated entities globally. Talos analysts confidently assert that UAT-8302 shares specific tools with other previously documented China-nexus clusters, including one tracked as LongNosedGoblin. This overlap in methodologies and tools suggests a close operational relationship among these groups.
Methodical Reconnaissance and Evasion Tactics
UAT-8302 exhibits exceptional patience, conducting exhaustive and systematic reconnaissance on every accessible endpoint before attempting deeper penetration into target environments. This meticulous, deliberate approach is a recognized characteristic of state-sponsored threat operations targeting high-value governmental infrastructure. Their strategy emphasizes stealth and persistence over rapid, disruptive attacks.
UAT-8302’s Custom Malware Arsenal
Once initial compromise is achieved, UAT-8302 follows a comprehensive post-compromise playbook. Their activities include credential harvesting, Active Directory information gathering, and meticulous mapping of the entire network infrastructure before deploying additional malware. This thorough understanding of the compromised environment dictates their subsequent moves.
The group leverages tools such as Impacket, custom PowerShell scripts, and open-source scanning engines to identify every reachable endpoint. This ensures a complete grasp of the network’s scope before proceeding with data exfiltration or further compromise.
The diverse array of malware families employed by UAT-8302 indicates a well-resourced and extensive toolkit. The group deploys NetDraft, a .NET-based backdoor linked to the FinDraft and SquidDoor families. They also utilize an updated version of the CloudSorcerer backdoor and the VSHELL implant. In one documented incident, UAT-8302 deployed SNAPPYBEE and ZingDoor concurrently, a tactic previously highlighted by Trend Micro in 2024 reporting on similar China-linked activities.
Malware Deep Dive: NetDraft and CloudSorcerer
NetDraft stands out as a key component of UAT-8302’s arsenal. It is typically delivered via a DLL side-loading technique, where a legitimate executable inadvertently loads a malicious DLL-based loader. This loader then decodes and executes NetDraft within an existing process on the compromised system. A critical feature of NetDraft is its use of the Microsoft Graph API for command-and-control (C2) communication, routing through OneDrive. This method allows the malware to blend seamlessly with legitimate cloud traffic, significantly hindering detection efforts. Talos refers to the embedded helper library used by NetDraft as “FringePorch.”
CloudSorcerer version 3 demonstrates adaptive behavior based on its execution environment. When injected into “dnapimg.exe,” it gathers system details and then pivots to “explorer.exe” to receive commands through a named pipe channel. Conversely, if executed within “spoolsv.exe,” it establishes contact with a GitHub repository to retrieve C2 information. This polymorphic behavior makes traditional security tools less effective. Talos also noted the presence of SNOWRUST, a Rust-based variant of the SNOWLIGHT stager, which has been observed in intrusions attributed to other China-nexus clusters.
Open-Source Tools and Lateral Movement
UAT-8302 extensively employs open-source tools for lateral movement within compromised networks. Following initial access, the group utilizes scanning utilities like gogo, naabu, httpx, and PortQry to map internal network services and identify new systems for pivoting. Credential harvesting is performed using tools such as adconnectdump.py and SharpGetUserLoginRDP, targeting MobaXterm sessions and Active Directory.
For maintaining persistent backdoor access, the group deploys Stowaway, a proxy tunneling tool developed in Simplified Chinese, which funnels external traffic into infected hosts within the enterprise. SoftEther VPN clients have also been observed in use, further enhancing their ability to maintain covert access.
What You Should Do
- Enhance Endpoint Detection: Ensure all endpoint detection and response (EDR) tools are up-to-date with the latest threat signatures to identify UAT-8302 malware families and associated tools.
- Monitor Cloud Traffic: Implement robust monitoring for unusual outbound traffic patterns to legitimate cloud platforms like OneDrive and GitHub, as these are exploited for C2 communications.
- Audit Scheduled Tasks and DLL Sideloading: Regularly audit scheduled tasks and investigate any suspicious DLL side-loading behavior across all managed endpoints, as these are common initial infection vectors.
- Strengthen Credential Management: Implement multi-factor authentication (MFA) across all accounts, especially for Active Directory and remote access services, and regularly rotate credentials.
- Network Segmentation: Segment networks to limit lateral movement in the event of a breach, making it harder for attackers to reach high-value assets.
- Threat Intelligence Integration: Integrate the provided Indicators of Compromise (IoCs) into your security information and event management (SIEM) systems and other security tools for proactive detection.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 1139b39d3cc151ddd3d574617cf11360812785019 7e9695fef0b6d78df82d6ca | NetDraft / FringePorch |
| SHA256 | e56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b | NetDraft / FringePorch |
| SHA256 | 51f0cf80a56f322892eed3b9f5ecae45f143132360 0edbaea5cd1f28b437f6f2 | NetDraft / FringePorch |
| SHA256 | 35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b | VSHELL |
| SHA256 | 199bd156c81b2ef4fb259467a20eacaa9d861eeb2 002f1570727c2f9ff1d5dab | VSHELL |
| SHA256 | 071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6 | ZingDoor |
| SHA256 | 74098b17d5d95e0014cf9c7f41f2a4e4be8baefc2b0eb42d39ae05a95b08ea5 | gogo |
| SHA256 | 2b627f6afe1364a7d0d832ccba87ef33a8a39f30a70a5f395e2a3cb0e2161cb3 | gogo |
| SHA256 | 7c593ca40725765a0747cc3100b43a29b88ad1708ef77e915ab02686c0153001 | Stowaway |
| SHA256 | f859a67ceebc52f0770a222b85a5002195089ee442eac4bea761c29be994e2ea | Stowaway |
| SHA256 | 7d9c70fc36143eb33583c30430dcb40cf9d306067594cc30ffd113063acd6292 | anypoxy |
| SHA256 | 57GER1bb59491f7289b94ab0130d7065d74d2459a802a7550ebf8cd0828f0a09c4d38 | PortQry scan tool |
| SHA256 | 843f8aea7842126e906cadbad8d81fa456c184fb5372c6946978a4fe115edb1c | DracuLoader |
| SHA256 | 4109f15056414f25140c7027092953264944664480dd53f086acb8e07d9fccab7 | SoftEther VPN |
| SHA256 | 3dec6703b2cbc6157eb67e80061d27f9190c8301c9dd60eb0be1e8b096482d7e7 | SoftEther VPN |
| SHA256 | 9f115e9b32111e4dc29343a2671ab10a2b38448657b24107766dc14ce528fceb | SharpGetUserLoginRDP |
| SHA256 | b19bfca2fc3fdabf0d0551c2e66be895e49f92aedac56654b1b0f51ec66e74042 | SharpGetUserLoginRDP |
| SHA256 | 45cd169bf9cd7298d972425ad0d4e98512f29de4560a155101ab7427e4f4123f4 | PortQry |
| SHA256 | fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00 | PortQry |
| Domain | www[.]drivelivelime[.]com | NetDraft C2 domain |
| URL | hxxps[://]www[.]drivelivelime[.]com/x | NetDraft C2 URL |
| URL | hxxps[://]www[.]drivelivelime[.]com/p | NetDraft C2 URL |
| Domain | msiidentity[.]com | C2 domain |
| URL | hxxps[://]msiidentity[.]com/pw | C2 URL |
| Domain | trafficmanagerupdate[.]com | C2 domain |
| URL | hxxp[://]trafficmanagerupdate[.]com/index[.]php | C2 URL |
| Domain | update-kaspersky[.]workers[.]dev | C2 domain (Cloudflare Worker) |
| IP Address | 85[.]209[.]156[.]3 | Stowaway proxy / C2 server |
| URL | hxxp[://]85[.]209[.]156[.]3:8080/wagent[.]exe | Malware download URL |
| URL | hxxp[://]85[.]209[.]156[.]3:8082/wagent[.]exe | Malware download URL |
| IP Address | 185[.]238[.]189[.]41 | C2 server |
| IP Address | 103[.]27[.]108[.]55 | C2 server |
| IP Address | 38[.]54[.]32[.]244 | Malware staging server |
| URL | hxxp[://]38[.]54[.]32[.]244/Rar[.]exe | RAR archive download |
| IP Address | 45[.]140[.]168[.]62 | C2 server |
| IP Address | 88[.]151[.]195[.]133 | C2 server |
| IP Address | 156[.]238[.]224[.]82 | C2 server |
| IP Address | 45[.]135[.]135[.]100 | C2 server (anypoxy) |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.