A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.
The activity is being tracked by Cisco Talos under the moniker UAT-8302, with post-exploitation involving the deployment of custom-made malware families that have been put to use by other China-aligned hacking groups.
Notable among the malware families is a .NET-based backdoor dubbed NetDraft (aka NosyDoor), a C# variant of FINALDRAFT (aka Squidoor) that has been previously linked to threat clusters known as Ink Dragon, CL-STA-0049, Earth Alux, Jewelbug, and REF7707.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
ESET is tracking the use of NosyDoor to a group it calls LongNosedGoblin. Interestingly, the same malware has also been deployed against Russian IT organizations by a threat actor referred to as Erudite Mogwai (aka Space Pirates and Webworm), per Russian cybersecurity company Solar, which has given it the name LuckyStrike Agent.
Some of the other tools utilized by UAT-8302 are as follows –
- CloudSorcerer, a backdoor observed in attacks targeting Russian entities since May 2024.
- SNOWLIGHT, a VShell stager used by UNC5174, UNC6586, and UAT-6382.
- Deed RAT (aka Snappybee), a successor of ShadowPad, and Zingdoor, both of which have been deployed by Earth Estries in late 2024.
- Draculoader, a generic shellcode loader that’s used to deliver Crowdoor and HemiGate.
“Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least,” Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White said in a technical report published today.
“Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports.”
It’s currently not known what initial access methods the adversary employs to break into target networks, but it’s suspected to involve the tried-and-tested approach of weaponizing zero-day and N-day exploits in web applications.
Upon gaining a foothold, the attackers are known to conduct extensive reconnaissance to map out the network, run open-source tools like gogo to perform automated scanning, and move laterally across the environment. The attack chains culminate in the deployment of NetDraft, CloudSorcerer (version 3.0), and VShell.
UAT-8302 has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to download the VShell payload from a remote server and execute it. Besides using custom malware, the threat actor sets up alternative means of backdoor access using proxy and VPN tools like Stowaway and SoftEther VPN.
The findings underscore the trend of advanced collaboration tactics between multiple China-aligned groups.In October 2025, Trend Micro shed light on a phenomenon called Premier Pass-as-a-Service, where initial access obtained by Earth Estries is passed to Earth Naga for follow-on exploitation, clouding attrition efforts. This partnership is assessed to have existed since at least late 2023.
“Premier Pass-as-a-Service provides direct access to critical assets, reducing the time spent on reconnaissance, initial exploitation and lateral movement phases,” Trend Micro said. “Although the full extent of this model is not yet known, the limited number of observed incidents, combined with the substantial risk of exposure such a service entails, suggests that access is likely restricted to a small circle of threat actors.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
The Back Door Attackers Know About — and Most Security Teams Still Haven’t Closed