China-Linked UAT-8302 Hackers Target Government Agencies in South America and Southeastern Europe
A sophisticated China-linked advanced persistent threat (APT) group, tracked as UAT-8302, has been conducting covert cyberespionage campaigns against government agencies in South America and southeastern Europe since at least late 2024, with operations intensifying through 2025. The group’s primary objective is long-term access and data exfiltration, employing a blend of custom malware and open-source tools to evade detection.
Tactics and Techniques
UAT-8302 distinguishes itself through stealth and patience, leveraging legitimate cloud services (e.g., Microsoft Graph API, OneDrive, GitHub) and open-source reconnaissance tools (gogo, naabu, httpx, PortQry) to blend malicious activity with normal network traffic. Their approach includes:
- Deep reconnaissance of compromised endpoints before lateral movement.
- Credential harvesting via tools like adconnectdump.py and SharpGetUserLoginRDP.
- DLL side-loading to deploy malware while avoiding detection.
- Proxy tunneling (e.g., Stowaway, SoftEther VPN) to maintain persistent access.
Malware Arsenal
The group deploys a diverse toolkit, including:
- NetDraft: A .NET-based backdoor using OneDrive for command-and-control (C2) communication, tracked by Cisco Talos as FringePorch.
- CloudSorcerer v3: A shape-shifting backdoor that alters behavior based on the host process (e.g., dnapimg.exe for system profiling, spoolsv.exe for GitHub-based C2).
- VSHELL, SNAPPYBEE, ZingDoor: Additional implants observed in intrusions, with overlaps in tooling linked to other China-nexus clusters like LongNosedGoblin.
- SNOWRUST: A Rust-based stager variant of SNOWLIGHT, previously attributed to Chinese APTs.
Attribution and Operational Links
Cisco Talos researchers assessed with high confidence that UAT-8302 is a China-nexus group, citing shared infrastructure and tooling with other known clusters. The group’s methodical, state-sponsored-style operations align with objectives targeting high-value government infrastructure for intelligence gathering.
Indicators of Compromise (IoCs)
Key artifacts include:
- Domains: drivelivelime[.]com, msiidentity[.]com, trafficmanagerupdate[.]com
- IPs: 85.209.156[.]3, 185.238.189[.]41, 45.140.168[.]62
- Malware hashes: NetDraft (SHA256: 1139b39d3cc151ddd3d574617cf113608127850197e9695fef0b6d78df82d6ca), VSHELL (SHA256: 35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b)
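As an added example (not code from the article or from Cisco Talos), the script below takes the defanged indicators listed above, refangs them, and sweeps them over a handful of constructed DNS, proxy and EDR log lines. It matches domains by exact name or subdomain, IPs as whole tokens, and SHA256 hashes case-insensitively; the log lines, timestamps, internal addresses and file paths are invented for the example.

```python
import re
from typing import Iterable

# Indicators as published in the article (defanged). The sample log lines
# further down are constructed for this example and are not from the page.
DEFANGED_DOMAINS = [
    "drivelivelime[.]com",
    "msiidentity[.]com",
    "trafficmanagerupdate[.]com",
]
DEFANGED_IPS = ["85.209.156[.]3", "185.238.189[.]41", "45.140.168[.]62"]
HASHES = {
    "1139b39d3cc151ddd3d574617cf113608127850197e9695fef0b6d78df82d6ca": "NetDraft",
    "35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b": "VSHELL",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def domain_matches(hostname: str, ioc_domain: str) -> bool:
    """True for the IoC domain itself or any subdomain of it (e.g. cdn.<ioc>)."""
    hostname = hostname.lower().rstrip(".")
    return hostname == ioc_domain or hostname.endswith("." + ioc_domain)


# Candidate extractors: hostnames need an alphabetic TLD so dotted IPs are
# not picked up twice; SHA256 is matched case-insensitively.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b([0-9a-f]{64})\b", re.I)


def scan_log(lines: Iterable[str]) -> list:
    """Return one hit dict per IoC observation: line number, kind, IoC, observed value."""
    domains = [refang(d).lower() for d in DEFANGED_DOMAINS]
    ips = {refang(i) for i in DEFANGED_IPS}
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            for d in domains:
                if domain_matches(host, d):
                    hits.append({"line": lineno, "kind": "domain",
                                 "ioc": d, "observed": host})
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append({"line": lineno, "kind": "ip",
                             "ioc": ip, "observed": ip})
        for h in SHA256_RE.findall(line):
            if h.lower() in HASHES:
                hits.append({"line": lineno, "kind": "hash",
                             "ioc": h.lower(), "observed": HASHES[h.lower()]})
    return hits


# Constructed sample log lines (not real telemetry): a DNS query to a
# subdomain of an IoC domain, a proxy CONNECT to an IoC IP, a benign
# Microsoft login lookup, and an EDR file event carrying an IoC hash.
SAMPLE_LOG = [
    "2025-03-02T09:14:07Z dns query src=10.20.1.15 qname=cdn.drivelivelime.com qtype=A",
    "2025-03-02T09:14:09Z proxy CONNECT 185.238.189.41:443 user=svc_backup bytes=48213",
    "2025-03-02T09:15:01Z dns query src=10.20.1.15 qname=login.microsoftonline.com qtype=A",
    "2025-03-02T09:16:33Z edr file_create path=C:\\ProgramData\\upd\\svc.dll "
    "sha256=1139B39D3CC151DDD3D574617CF113608127850197E9695FEF0B6D78DF82D6CA",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['kind']} IoC {hit['ioc']} (observed: {hit['observed']})")
```

Subdomain matching is deliberate: C2 over a rented domain often uses throwaway hostnames under it, and an exact-match rule would miss them. The same extractor set can be pointed at exported DNS, proxy or EDR logs instead of SAMPLE_LOG.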
The campaign underscores the evolving sophistication of state-backed cyberespionage, combining custom malware with legitimate services to bypass traditional defenses.
Source: https://cybersecuritynews.com/uat-8302-uses-custom-malware-and-open-source-tools/
SELEC (Southeast European Law Enforcement Center) cybersecurity rating report: https://www.rankiteo.com/company/southeast-european-law-enforcement-center-selec
Southern California Association of Governments cybersecurity rating report: https://www.rankiteo.com/company/southern-california-association-of-governments
"id": "SOUSOU1778164084",
"linkid": "southeast-european-law-enforcement-center-selec, southern-california-association-of-governments",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Public sector',
'location': ['South America', 'Southeastern Europe'],
'type': 'Government agencies'}],
'attack_vector': ['Phishing',
'DLL side-loading',
'Proxy tunneling',
'Legitimate cloud services abuse'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Government intelligence',
'Credentials',
'System profiling data']},
'date_detected': '2024',
'date_publicly_disclosed': '2025',
'description': 'A sophisticated China-linked advanced persistent threat (APT) '
'group, tracked as UAT-8302, has been conducting covert '
'cyberespionage campaigns against government agencies in South '
'America and southeastern Europe since at least late 2024, '
'with operations intensifying through 2025. The group’s '
'primary objective is long-term access and data exfiltration, '
'employing a blend of custom malware and open-source tools to '
'evade detection.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust in '
'government cybersecurity',
'data_compromised': 'Government intelligence, sensitive '
'communications',
'identity_theft_risk': 'High (credential harvesting, PII exposure)',
'operational_impact': 'Persistent unauthorized access, potential '
'disruption of government operations',
'systems_affected': 'Government agency endpoints, cloud services '
'(OneDrive, GitHub)'},
'initial_access_broker': {'backdoors_established': True,
'high_value_targets': 'Government agencies'},
'investigation_status': 'Ongoing',
'lessons_learned': 'State-backed APT groups are increasingly leveraging '
'legitimate cloud services and open-source tools to evade '
'detection, necessitating enhanced monitoring of unusual '
'activity in trusted platforms.',
'motivation': 'Intelligence gathering, long-term access, data exfiltration',
'post_incident_analysis': {'corrective_actions': ['Deploy advanced endpoint '
'detection and response '
'(EDR) solutions',
'Implement network '
'segmentation to limit '
'lateral movement',
'Enhance logging and '
'monitoring of cloud '
'service usage'],
'root_causes': ['Lack of robust monitoring for '
'legitimate cloud service abuse',
'Insufficient detection of DLL '
'side-loading and proxy tunneling '
'techniques',
'Credential harvesting '
'vulnerabilities']},
'recommendations': ['Implement multi-factor authentication (MFA) for all '
'government systems.',
'Monitor and restrict access to legitimate cloud services '
'(e.g., OneDrive, GitHub) for unusual activity.',
'Deploy advanced threat detection for DLL side-loading '
'and proxy tunneling techniques.',
'Conduct regular security audits of government endpoints '
'and network infrastructure.',
'Enhance employee training on phishing and credential '
'harvesting risks.'],
'references': [{'source': 'Cisco Talos'}],
'response': {'third_party_assistance': 'Cisco Talos (investigation and '
'attribution)'},
'stakeholder_advisories': 'Government agencies in South America and '
'Southeastern Europe should review their '
'cybersecurity posture and monitor for indicators '
'of compromise (IoCs) associated with UAT-8302.',
'threat_actor': 'UAT-8302 (China-linked APT group)',
'title': 'China-Linked UAT-8302 Hackers Target Government Agencies in South '
'America and Southeastern Europe',
'type': 'Cyberespionage'}