Chinese APT Group UAT-8302 Targets Global Government Entities with Sophisticated Malware
Cisco Talos has identified UAT-8302, a sophisticated advanced persistent threat (APT) group associated with China, actively targeting government entities in South America and southeastern Europe since late 2024. These operations reveal UAT-8302’s significant capability in deploying various customizable malware families alongside tools commonly utilized by other known China-affiliated actors.
The group deploys a .NET-based backdoor named “NetDraft,” a variant of the FinalDraft/SquidDoor malware family. This family has established ties to several other Chinese APT actors. UAT-8302 also utilizes an updated version of the CloudSorcerer backdoor, previously noted for targeting Russian governmental organizations. Additional tools in their arsenal include visual stagers like SNOWLIGHT and a new Rust-based stager identified as SNOWRUST. Talos emphasizes that UAT-8302 efficiently combines open-source tools for reconnaissance and credential extraction to maintain long-term access to compromised networks.
In their post-compromise activities, UAT-8302 engages in thorough reconnaissance and information gathering using both custom scripts and open-source tools like Impacket. They are observed performing extensive network scans and credential extractions, systematically proliferating malware within the target networks. The reconnaissance phase involves various commands executed for gathering system and domain information, while metrics from these operations suggest a strategic focus on maintaining persistent access within the targeted environments.
Defensive Context
Organizations operating within government and public sector frameworks should prioritize awareness of this threat. Those without significant governmental ties or operations in the affected regions may be less immediately impacted by these activities.
Why This Matters
The UAT-8302 campaign presents a real risk to government entities, particularly in regions such as South America and southeastern Europe, where the group maintains active operations. The deployment of sophisticated malware raises concerns regarding data security and national security.
Defender Considerations
Defenders should specifically monitor for indicators associated with NetDraft and CloudSorcerer versions, given their deployment in UAT-8302 operations. Detection opportunities may arise from analyzing reconnaissance tool usage and the implementation of PowerShell scripts for information gathering.
Indicators of Compromise (IOCs)
- NetDraft File Hashes:
- 1139b39d3cc151ddd3d574617cf113608127850197e9695fef0b6d78df82d6ca
- Ee56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b
- CloudSorcerer File Hashes:
- 35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b
- Malicious Domains:
- hxxps://www.drivelivelime.com
- hxxps://msiidentity.com
- 85.209.156.3:56456
These IOCs are crucial for detection and defensive actions against potential breaches linked to UAT-8302’s operations.
