UAT-8302 and its box full of malware
Cisco Talos profiles UAT-8302, a China-nexus espionage cluster that has targeted government entities in South America and southeastern Europe since at least late 2024, and ties it to a shared tooling ecosystem used by other Chinese-speaking APTs. The report details deployment of multiple custom implants, including NetDraft, a .NET/C# variant of the FinalDraft/SquidDoor family, CloudSorcerer v3, VSHELL with the SNOWLIGHT stager, and a new Rust-based loader dubbed SNOWRUST, alongside tooling such as Draculoader, SNAPPYBEE/DeedRAT, and ZingDoor. Post-compromise activity is technically detailed: operators use Impacket and scripted PowerShell reconnaissance like whatpc.ps1, scheduled tasks for persistence, domain enumeration via nltest/net/whoami/systeminfo, ping sweeps, and SMB share discovery to map and laterally expand through victim networks. The value here is the infrastructure and malware-cluster correlation as much as the TTPs: Talos shows how UAT-8302 overlaps with previously disclosed China-linked campaigns, giving defenders concrete malware families, command patterns, and lateral movement behaviors to hunt for in government environments.
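As an added illustration of how a defender might hunt for the discovery burst described above (this is example code, not tooling from the Talos report), the heuristic below groups process-creation events per host and flags any host where several distinct reconnaissance categories (whoami, systeminfo, nltest, net group, ping sweeps, SMB share discovery) occur inside one short window. The event records and host names are constructed sample data, and the five-minute window and four-category threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Process-creation events (timestamp, host, command line); constructed sample data.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:01", "gov-ws01", "whoami /all"),
    ("2025-01-10T09:00:04", "gov-ws01", "systeminfo"),
    ("2025-01-10T09:00:09", "gov-ws01", "nltest /dclist:corp"),
    ("2025-01-10T09:00:15", "gov-ws01", 'net group "domain admins" /domain'),
    ("2025-01-10T09:00:40", "gov-ws01", "ping -n 1 10.0.0.7"),
    ("2025-01-10T09:01:02", "gov-ws01", "net view \\\\10.0.0.7"),
    ("2025-01-10T11:30:00", "gov-ws02", "whoami"),  # isolated, not a burst
    ("2025-01-10T14:05:00", "gov-ws02", "ping -n 1 fileserver"),
]

# One category per discovery technique named in the report summary.
RECON_CATEGORIES = {
    "account_discovery": re.compile(r"^whoami\b", re.I),
    "system_info": re.compile(r"^systeminfo\b", re.I),
    "domain_trust_discovery": re.compile(r"^nltest\b", re.I),
    "domain_group_discovery": re.compile(r"^net\s+(group|user|localgroup)\b", re.I),
    "ping_sweep": re.compile(r"^ping\b", re.I),
    "smb_share_discovery": re.compile(r"^net\s+(view|share)\b", re.I),
}

def classify(cmdline):
    """Return the recon category of a command line, or None if it is not recon."""
    for name, pattern in RECON_CATEGORIES.items():
        if pattern.search(cmdline.strip()):
            return name
    return None

def find_recon_bursts(events, window=timedelta(minutes=5), min_categories=4):
    """Map host -> sorted recon categories for every host where at least
    min_categories distinct categories occur within one sliding window."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        cat = classify(cmd)
        if cat:
            per_host[host].append((datetime.fromisoformat(ts), cat))
    hits = {}
    for host, seen in per_host.items():
        seen.sort()
        for i, (start, _cat) in enumerate(seen):
            cats = {c for t, c in seen[i:] if t - start <= window}
            if len(cats) >= min_categories:
                hits[host] = sorted(cats)
                break
    return hits
```

Running `find_recon_bursts(SAMPLE_EVENTS)` flags only `gov-ws01`, whose six discovery commands land within about a minute; the two scattered commands on `gov-ws02` stay below the threshold, which is the point of requiring distinct categories in a tight window rather than alerting on any single `whoami`.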