UAT-8302 and its box full of malware
Essential information
- Published
- 05/05/2026 14:07
- Modified
- 05/05/2026 16:07
- Tags
- 2026-05-05 cloudsorcerer deedrat draculoader finaldraft fringeporch netdraft nosydoor snappybee snowlight snowrust squiddoor vshell zingdoor
- Related entities
- 3 vulnerabilities (cve), 33 observables, 1 intrusion sets (apt), 20 techniques (mitre), 13 malware, 7 others
Description
UAT-8302 is a sophisticated China-nexus advanced persistent threat group targeting government entities in South America since late 2024 and southeastern Europe in 2025. The actor deploys multiple custom-made malware families including NetDraft, a .NET-based backdoor variant of FinalDraft/SquidDoor, and CloudSorcerer version 3. Post-compromise activities involve extensive reconnaissance, credential extraction, information collection from Active Directory, and network proliferation using tools like Impacket. The group establishes persistence through scheduled tasks and deploys additional malware including VSHELL, SNAPPYBEE/DeedRAT, and ZingDoor. UAT-8302 demonstrates connections to several China-nexus threat clusters through shared tooling, including Draculoader and SNOWLIGHT stager. The actor uses legitimate services like MS Graph and OneDrive for command-and-control infrastructure and establishes backdoor access through proxy servers using tools written in Simplified Chinese.