UAT-8302 China APT Malware Analysis: Shared Implants, IOCs, and Detection Rules

UAT-8302 is a China-nexus advanced persistent threat (APT — a nation-state or state-sponsored hacking group that maintains long-term covert access to target networks) whose malware analysis by Cisco Talos, published May 5, 2026, reveals a shared-tooling ecosystem targeting government entities across South America and southeastern Europe. The group deploys seven distinct malware families sourced from at least six other China-aligned threat clusters, with full IOCs (Indicators of Compromise — file hashes, C2 domains, and IP addresses used to identify malicious activity) and YARA rules now available to defenders. What makes UAT-8302 operationally significant is not novel zero-day development — it is the systematic recycling of custom implants across geographically separate campaigns, a pattern that collapses traditional single-actor attribution models and demands cross-cluster detection strategy.

Who Is UAT-8302: Attribution and Targeting

UAT-8302 is a newly designated cluster from Cisco Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White. Talos assesses with high confidence that the group is China-nexus and is tasked primarily with obtaining and maintaining long-term access to government and related entities worldwide.

Victimology:

• Government entities across South America — active since at least late 2024
• Government agencies in southeastern Europe — active in 2025

The South American targeting aligns with a documented 2025–2026 expansion of PRC (People’s Republic of China) cyber espionage into regions outside traditional Asia-Pacific focus areas. It maps to activity tracked as Earth 053 / Shadow (espionage across Asia and NATO partner nations) and is consistent with the infrastructure patterns highlighted in the CISA advisory on China-nexus covert network operations.

Attribution confidence rests on overlapping malware families: UAT-8302 shares tooling with Ink Dragon, CL-STA-0049, LongNosedGoblin (ESET’s name for the same cluster Talos calls Jewelbug / REF7707), Earth Estries, Earth Naga, UNC5174, and UNC6586. The same CloudSorcerer backdoor (version 3) was previously observed deployed by Erudite Mogwai (also tracked as Space Pirates and Webworm) against Russian government and IT organisations.

UAT-8302 Malware Analysis: The Shared-Arsenal Model

UAT-8302’s most important characteristic for defenders is what Talos calls the “Premier Pass-as-a-Service” collaboration model — a pattern active since at least late 2023, in which Earth Estries and Earth Naga share intrusion infrastructure, loaders, and custom backdoors across operationally distinct campaigns.

The direct implication: a YARA rule written against a UAT-8302 intrusion into a South American ministry will also fire on infrastructure from a separate Earth Estries campaign against a European defence contractor. Detection engineering built around actor-specific heuristics will miss these overlaps. Tool-based detection, anchored to shared malware families, catches them all.

| Malware Family | Type | Shared With | |—————-|——|————-| | NetDraft (NosyDoor) | .NET backdoor | Jewelbug, REF7707, CL-STA-0049, LongNosedGoblin | | CloudSorcerer v3 | Multi-stage backdoor | Erudite Mogwai (Space Pirates / Webworm) | | VSHELL + SNOWLIGHT | Shellcode implant + stager | UNC5174, UNC6586, UAT-6382 | | SNOWRUST | Rust-based stager | UAT-8302 (new Rust variant, first observed here) | | SNAPPYBEE / DeedRAT | RAT; ShadowPad successor | Earth Estries, Earth Naga | | ZingDoor | DLL backdoor | Earth Estries | | Draculoader | Shellcode loader | Earth Estries, Earth Naga |

Malware Families: Technical Deep-Dive

NetDraft (NosyDoor)

NetDraft is a C# (.NET Framework) backdoor and a direct code variant of the FINALDRAFT/SquidDoor malware family originally developed by the Jewelbug / REF7707 cluster. Talos calls it “NetDraft”; ESET’s LongNosedGoblin research refers to the same family as “NosyDoor.”

Delivery: A legitimate, signed executable is used to side-load a malicious DLL-based loader. The loader decodes NetDraft from an accompanying data file and executes it inside the parent process — a DLL side-loading (MITRE ATT&CK T1574.002 — Hijack Execution Flow: DLL Side-Loading) technique that bypasses application-layer allowlisting.

C2 protocol: NetDraft routes all command-and-control traffic through the Microsoft Graph API (the unified REST API for Microsoft 365 services), using OneDrive cloud storage as its C2 channel. Commands are written to and read from OneDrive draft items or shared folders. To a network monitoring tool, this traffic is indistinguishable from a legitimate OneDrive sync session. This technique aligns with MITRE ATT&CK T1102 — Web Service (using legitimate cloud services as C2).

Persistence: Creates a scheduled task at:

Microsoft\Windows\Maps\{a086ff1e-d6dc-45f7-b3e4-6udknw82sa}

Capabilities: Arbitrary command execution, in-memory .NET assembly loading, file upload and download to/from OneDrive, and persistent C2 communication. An embedded helper library named FringePorch is compressed and bundled using the Fody/Costura .NET packaging framework — a technique that embeds dependencies directly in the binary to complicate static analysis.

Confirmed SHA-256 hashes (NetDraft / FringePorch):

1139b39d3cc151ddd3d574617cf113608127850197e9695fef0b6d78df82d6ca
ee56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b
51f0cf80a56f322892eed3b9f5ecae45f1431323600edbaea5cd1f28b437f6f2

CloudSorcerer Version 3

CloudSorcerer is a multi-stage backdoor first observed targeting Russian government entities in May 2024, attributed to Erudite Mogwai. UAT-8302 deploys an updated v3 variant against South American and southeastern European government targets — the first documented reuse of this family outside of Russia-focused campaigns.

Delivery: A classic DLL side-loading triad: a legitimate executable drops mspdb60.dll (the malicious loader) alongside an encrypted .ini data file. Observed benign executables used as the side-loading carrier include Yandex.exe and VMtools.exe — chosen because their legitimate digital signatures reduce endpoint detection tool alerts.

Decryption: The loader applies a custom decryption algorithm to the .ini file to produce shellcode. This separates the payload from the loader, complicating static signature matching.

Process injection: Decoded shellcode is injected into one of three legitimate Windows processes: dpapimig.exe (Data Protection API migration helper), spoolsv.exe (print spooler service), or mspaint.exe (Paint). This technique (T1055 — Process Injection) hides malicious execution inside trusted system processes.

C2 discovery: CloudSorcerer v3 contacts GitHub repositories or GameSpot user profile pages to retrieve encoded C2 server addresses — a living-off-the-cloud technique (T1102) that makes C2 lookups appear as ordinary internet browsing traffic. Blocking the actual C2 IPs is insufficient; defenders must also monitor for abnormal GitHub/GameSpot requests from server processes.

Capabilities: System information gathering, recursive file system enumeration, and arbitrary command execution.

VSHELL, SNOWLIGHT, and SNOWRUST

VSHELL is a commercially available implant framework deployed via DLL side-loading. The malicious loader (wininet.dll) decodes a BIN-format payload file, then injects VSHELL into explorer.exe as position-independent shellcode (T1055.001 — Process Injection: Dynamic-Link Library Injection).

SNOWLIGHT is a generic downloader/stager shared across multiple China-nexus clusters including UNC5174, UNC6586, and UAT-6382 (the last of which exploited CVE-2025-0994, a Cityworks RCE zero-day, in a parallel campaign). SNOWLIGHT decodes payloads using single-byte XOR with key 0x99 — a simple obfuscation step that is trivially reversible once the key is known.

SNOWRUST is a new Rust-language variant of SNOWLIGHT, identified for the first time by Talos in UAT-8302 operations. It uses the LexiCrypt shellcode obfuscator (a Rust-native tool that applies layered encryption to shellcode before execution) to download and execute VSHELL payloads from remote staging servers. The use of Rust is notable: Rust-compiled binaries lack the predictable runtime metadata of C++ or .NET malware, making automated static analysis more difficult.

Confirmed SHA-256 hashes (VSHELL):

35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b
199bd156c81b2ef4fb259467a20eacaa9d861eeb2002f1570727c2f9ff1d5dab

SNAPPYBEE / DeedRAT and ZingDoor

SNAPPYBEE (also called DeedRAT) is a remote access trojan regarded as the operational successor to ShadowPad — the modular implant platform widely shared across China-nexus groups since at least 2019. ShadowPad itself is considered a successor to PlugX, meaning DeedRAT/SNAPPYBEE sits at the apex of a long lineage of shared Chinese APT tooling. UAT-8302 deploys DeedRAT in tandem with ZingDoor, a DLL-based backdoor first documented by Trend Micro in late 2024 as part of Earth Estries operations. The pairing of both tools in the same intrusion mirrors Earth Estries’ own operational pattern — a direct indicator of shared playbook as well as shared code.

Confirmed SHA-256 (ZingDoor):

071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6

Draculoader

Draculoader is a generic shellcode loader used to deliver Crowdoor and HemiGate second-stage payloads. Shared across Earth Estries and Earth Naga, its presence alongside UAT-8302 tooling provides independent corroboration of the cross-cluster tool-sharing model described in Talos’ report.

Confirmed SHA-256:

843f8aea7842126e906cadbad8d81fa456c184fb5372c6946978a4fe115edb1c

UAT-8302 IOCs and TTPs: MITRE ATT&CK Mapping

The following table maps observed UAT-8302 activity to MITRE ATT&CK techniques. MITRE ATT&CK (a globally recognised taxonomy of adversary tactics, techniques, and procedures maintained by the MITRE Corporation) is the standard framework for describing how threat actors operate.

| Phase | Technique | ATT&CK ID | |——-|———–|———–| | Initial Access | Exploit Public-Facing Application | T1190 | | Discovery | System Information Discovery | T1082 | | Discovery | System Network Configuration Discovery | T1016 | | Discovery | Remote System Discovery | T1018 | | Discovery | Network Share Discovery | T1135 | | Discovery | Active Directory Enumeration | T1087 | | Discovery | Cloud Infrastructure Enumeration | T1580 | | Discovery | Network Sniffing | T1040 | | Credential Access | Credentials from Password Managers (MobaXterm) | T1555 | | Credential Access | Forced Authentication | T1187 | | Credential Access | Azure AD Connect Credential Extraction | T1552 | | Lateral Movement | Lateral Tool Transfer (SMB/WMI) | T1570 | | Lateral Movement | Remote Services via schtasks and wmic | T1021 | | Persistence | Scheduled Task/Job | T1053 | | Persistence | Boot/Logon Autostart — Registry Run Keys | T1547.001 | | Persistence | BITS Jobs | T1197 | | Execution | DLL Side-Loading | T1574.002 | | C2 | Web Service (MS Graph API / GitHub / GameSpot) | T1102 | | C2 | Process Injection | T1055 |

Active Directory reconnaissance commands observed in UAT-8302 intrusions:

Get-ADUser -Filter * -Property *
Get-ADComputer -Filter * -Property Name,DNSHostName,OperatingSystem
Get-ADGroup -Filter * -Properties Members
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4768 }
auditpol /get /category:*

Lateral movement via WMI (Windows Management Instrumentation) and scheduled tasks:

wmic /node:<TARGET_IP> process call create "<COMMAND>"
schtasks /S <TARGET_IP> /U <USERNAME> /P <PASSWORD> /CREATE /TN <TASK_NAME> /TR <COMMAND> /SC ONCE /ST 00:00

Post-compromise open-source tooling observed on UAT-8302-compromised hosts:

• gogo — GoLang network scanner (SHA-256: e74098b17d5d95e0014cf9c7f41f2a4e4be8baefc2b0eb42d39ae05a95b08ea5) for rapid internal subnet enumeration
• naabu, httpx, QScan, dddd — port scanning and HTTP probing utilities
• Stowaway — multi-hop proxy for C2 traffic tunnelling through compromised hosts (SHA-256: 7c593ca40725765a0747cc3100b43a29b88ad1708ef77e915ab02686c0153001)
• SoftEther VPN — commercial VPN software abused for persistent remote access (SHA-256: 3dec6703b2cbc6157eb67e80061d27f9190c8301c9dd60eb0be1e8b096482d7e)
• Impacket — Python framework for SMB and MSRPC exploitation and lateral movement
• MobaXtermDecryptor — extracts saved SSH credentials from MobaXterm session files (T1555)
• adconnectdump.py — extracts credential material from Azure AD Connect services (T1552)
• SharpGetUserLogin — .NET tool for enumerating logged-in user sessions (SHA-256: 9f115e9b32111e4dc29343a2671ab10a2b38448657b24107766dc14ce528fceb)

Indicators of Compromise

File Hashes (SHA-256)

| Hash | Malware / Tool | |——|—————-| | 1139b39d3cc151ddd3d574617cf113608127850197e9695fef0b6d78df82d6ca | NetDraft / FringePorch | | ee56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b | NetDraft / FringePorch | | 51f0cf80a56f322892eed3b9f5ecae45f1431323600edbaea5cd1f28b437f6f2 | NetDraft / FringePorch | | 35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b | VSHELL | | 199bd156c81b2ef4fb259467a20eacaa9d861eeb2002f1570727c2f9ff1d5dab | VSHELL | | 071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6 | ZingDoor | | 7c593ca40725765a0747cc3100b43a29b88ad1708ef77e915ab02686c0153001 | Stowaway (proxy) | | f859a67ceebc52f0770a222b85a5002195089ee442eac4bea761c29be994e2ea | Stowaway (proxy) | | 843f8aea7842126e906cadbad8d81fa456c184fb5372c6946978a4fe115edb1c | Draculoader | | e74098b17d5d95e0014cf9c7f41f2a4e4be8baefc2b0eb42d39ae05a95b08ea5 | gogo (scanner) | | 2b627f6afe1364a7d0d832ccba87ef33a8a39f30a70a5f395e2a3cb0e2161cb3 | gogo (scanner variant) | | 7d9c70fc36143eb33583c30430dcb40cf9d306067594cc30ffd113063acd6292 | anyproxy | | 3dec6703b2cbc6157eb67e80061d27f9190c8301c9dd60eb0be1e8b096482d7e | SoftEther VPN | | 9f115e9b32111e4dc29343a2671ab10a2b38448657b24107766dc14ce528fceb | SharpGetUserLogin | | b19bfca2fc3fdabf0d0551c2e66be895e49f92aedac56654b1b0f51ec66e7404 | SharpGetUserLogin (variant) | | 1bb59491f7289b94ab0130d7065d74d2459a802a7550ebf8cd0828f0a09c4d38 | QScan | | 4109f15056414f25140c7027092953264944664480dd53f086acb8e07d9fccab | httpx | | 343105919aa6df8a75ecb8b06b74f23a7d3e221fca56c67b728c50ea141314bc | dddd | | 45cd169bf9cd7298d972425ad0d4e98512f29de4560a155101ab7427e4f4123f | naabu | | fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00 | PortQry |

C2 Domains

drivelivelime[.]com
msiidentity[.]com
trafficmanagerupdate[.]com
update-kaspersky[.]workers[.]dev
image[.]update-kaspersky[.]workers[.]dev

Note: update-kaspersky[.]workers[.]dev is a Cloudflare Workers subdomain — a living-off-trusted-infrastructure (LOTI) technique where the attacker hosts C2 logic on a legitimate cloud platform to defeat IP-based blocking.

C2 IP Addresses and Active Ports

85[.]209[.]156[.]3      (ports: 56456, 46389, 8080, 8082)
185[.]238[.]189[.]41    (port: 8080)
103[.]27[.]108[.]55     (port: 48265)
38[.]54[.]32[.]244
45[.]140[.]168[.]62
88[.]151[.]195[.]133
156[.]238[.]224[.]82
45[.]135[.]135[.]100

Host Persistence Artifacts

Scheduled Task path:  Microsoft\Windows\Maps\{a086ff1e-d6dc-45f7-b3e4-6udknw82sa}
Side-loading loader:  mspdb60.dll  (CloudSorcerer delivery)
Side-loading loader:  wininet.dll  (VSHELL delivery)
Lure executables:     Yandex.exe, VMtools.exe
Injection targets:    dpapimig.exe, spoolsv.exe, mspaint.exe

YARA Detection Rules

Cisco Talos has published 33 ClamAV signatures for UAT-8302 malware families — including Win.Loader.CloudSorcerer, Win.Malware.Netdraft, and associated loaders — and Snort/Suricata network detection SIDs 66040–66055 and 301433–301437.

The following YARA rules (a pattern-matching language used by antivirus engines and threat hunting tools to identify malware by its code or string content) are derived from the technical indicators in the Cisco Talos report:

NetDraft / NosyDoor persistence artifact and embedded library:

rule NetDraft_NosyDoor_Persistence {
    meta:
        description = "Detects NetDraft/NosyDoor scheduled task artifact and FringePorch Costura embedding"
        author      = "CiphersSecurity — based on Cisco Talos UAT-8302 report"
        reference   = "https://blog.talosintelligence.com/uat-8302/"
        date        = "2026-05-06"

    strings:
        $task_guid   = "a086ff1e-d6dc-45f7-b3e4-6udknw82sa" ascii wide
        $task_path   = "Microsoft\\Windows\\Maps\\" ascii wide
        $costura     = "Costura.FodyVersion" ascii
        $fringeporch = "FringePorch" ascii wide
        $graph_api   = "graph.microsoft.com" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        (
            ( $task_guid and $task_path ) or
            ( $costura and $fringeporch ) or
            ( $fringeporch and $graph_api )
        )
}

SNOWLIGHT / SNOWRUST stager — XOR key and LexiCrypt pattern:

rule SNOWLIGHT_SNOWRUST_Stager {
    meta:
        description = "Detects SNOWLIGHT/SNOWRUST based on XOR-0x99 payload pattern and LexiCrypt obfuscator"
        author      = "CiphersSecurity — based on Cisco Talos UAT-8302 report"
        reference   = "https://blog.talosintelligence.com/uat-8302/"
        date        = "2026-05-06"

    strings:
        $lexicrypt   = "LexiCrypt" ascii
        $rust_panic  = "panicked at" ascii      // Rust runtime string present in SNOWRUST
        $vshell_str  = "VShell" ascii wide nocase
        $xor_stub    = { 80 30 99 48 FF C0 }    // XOR byte 0x99 loop stub pattern

    condition:
        ( $lexicrypt and $rust_panic ) or
        ( $vshell_str and $xor_stub )
}

CloudSorcerer v3 — side-loading DLL and injection targets:

rule CloudSorcerer_v3_SideLoader {
    meta:
        description = "Detects CloudSorcerer v3 loader via mspdb60.dll side-loading and known injection targets"
        author      = "CiphersSecurity — based on Cisco Talos UAT-8302 report"
        reference   = "https://blog.talosintelligence.com/uat-8302/"
        date        = "2026-05-06"

    strings:
        $loader_dll   = "mspdb60.dll" ascii wide
        $inj_target1  = "dpapimig.exe" ascii wide
        $inj_target2  = "spoolsv.exe" ascii wide
        $inj_target3  = "mspaint.exe" ascii wide
        $lure1        = "Yandex.exe" ascii wide
        $lure2        = "VMtools.exe" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        $loader_dll and
        (
            1 of ( $inj_target* ) or
            1 of ( $lure1, $lure2 )
        )
}

SIEM Detection Queries

Splunk SPL — Hunt for NetDraft scheduled task persistence:

index=windows source="WinEventLog:Microsoft-Windows-TaskScheduler/Operational"
EventCode=4698
| where like(TaskName, "%Maps%a086ff1e%")
| table _time, ComputerName, TaskName, SubjectUserName

Microsoft Sentinel KQL — Detect Graph API C2 from non-Microsoft processes:

DeviceNetworkEvents
| where RemoteUrl has "graph.microsoft.com"
    and InitiatingProcessFileName !in~ (
        "outlook.exe","teams.exe","onedrive.exe",
        "msedge.exe","chrome.exe","firefox.exe"
    )
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| order by Timestamp desc

Microsoft Sentinel KQL — Detect CloudSorcerer process injection into system processes:

DeviceProcessEvents
| where FileName in~ ("dpapimig.exe", "spoolsv.exe", "mspaint.exe")
    and InitiatingProcessFileName !in~ (
        "services.exe","svchost.exe","wininit.exe","lsass.exe"
    )
| project Timestamp, DeviceName, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

Defensive Recommendations

• Alert on Graph API C2 channels: Deploy TLS inspection on outbound Microsoft 365 traffic and raise a high-priority alert when graph.microsoft.com API calls originate from processes other than legitimate Microsoft applications. NetDraft’s entire C2 channel runs over this API; network-layer blocking alone is insufficient.

• Hunt for the NetDraft scheduled task: Query all endpoints for scheduled tasks under \Microsoft\Windows\Maps\ that were not created by a Windows system process. The task GUID {a086ff1e-d6dc-45f7-b3e4-6udknw82sa} is a direct, confirmed indicator.

• Monitor for DLL side-loading triads: Alert when mspdb60.dll or wininet.dll appear in process working directories not associated with their legitimate parent products. DLL side-loading (T1574.002) is the universal delivery mechanism across all UAT-8302 malware families.

• Block or alert on post-exploitation tooling: Scan endpoints for gogo, naabu, dddd, httpx, Stowaway, and MobaXtermDecryptor binaries. These are dual-use tools with no legitimate purpose on government workstations or servers. Use the SHA-256 hashes in the IOC table above for file integrity checks.

• Ingest Talos Snort/Suricata rules immediately: Add SIDs 66040–66055 and 301433–301437 to your Snort or Suricata ruleset. These cover confirmed UAT-8302 C2 communication patterns at the network layer.

• Audit MobaXterm credential stores: UAT-8302 uses MobaXtermDecryptor (T1555 — Credentials from Password Managers) to extract saved SSH credentials. Enforce a policy that MobaXterm sessions are not saved with stored passwords on any administrative workstation.

• Harden Azure AD Connect servers: The adconnectdump.py technique (T1552) targets Azure AD Connect — the Microsoft service that synchronises on-premises Active Directory to Azure AD. An attacker who extracts Azure AD Connect credentials gains the ability to authenticate as any synced user, including privileged accounts. Isolate Azure AD Connect servers from general endpoint network access.

• Block confirmed C2 infrastructure: Add the following to your DNS blocklist and firewall deny-lists (defanging removed for direct import):
• drivelivelime.com
• msiidentity.com
• trafficmanagerupdate.com
• update-kaspersky.workers.dev
• image.update-kaspersky.workers.dev
• IPs: 85.209.156.3, 185.238.189.41, 103.27.108.55, 38.54.32.244, 45.140.168.62, 88.151.195.133, 156.238.224.82, 45.135.135.100

• Treat UAT-8302 IOCs as cross-cluster indicators: Any detection of DeedRAT/SNAPPYBEE, ZingDoor, or Draculoader — regardless of which attribution cluster the alert tool names — should trigger a UAT-8302 hunting playbook. The shared tooling means a hit on Earth Estries malware may be UAT-8302 activity and vice versa.

Conclusion

UAT-8302 is not a self-contained threat — it is a node in a China-nexus malware-sharing ecosystem that spans at least seven tracked threat clusters. Government security teams in South America and southeastern Europe should treat the IOCs, YARA rules, and SIEM queries above as immediate threat hunting priorities. Any positive detection on UAT-8302-linked tooling warrants a full incident response engagement: these implants are purpose-built for long-term persistent access, not opportunistic smash-and-grab operations. The cross-cluster detection model — where a single YARA rule covers UAT-8302, Earth Estries, and UNC5174 simultaneously — is the correct defensive posture for organisations operating in sectors targeted by Chinese state-sponsored espionage.

For further context on Chinese APT infrastructure and related campaigns, see our analysis of the Daemon Tools supply chain backdoor attributed to Chinese APT activity and the CISA advisory on China-nexus covert infrastructure networks.