China‑Nexus APT Group UAT‑8302 Deploys Multi‑Malware Campaign Against South American and European Government Entities
What Happened – Cisco Talos identified a China‑nexus advanced persistent threat (APT) group, designated UAT‑8302, that has been compromising government agencies in South America since late 2024 and in southeastern Europe in 2025. After gaining footholds, the group installs a suite of custom malware families—including the .NET backdoor NetDraft, CloudSorcerer v3, VSHELL, SNOWLIGHT, the Rust stager SNOWRUST, SNAPPYBEE/DeedRAT, and ZingDoor—to harvest credentials, exfiltrate data, and move laterally.
Why It Matters for TPRM
- The group shares its toolset with other China‑nexus actors, indicating a common malware supply chain whose components can surface in third‑party software or services.
- Government‑grade credentials and data can be leveraged to target downstream vendors, contractors, and supply‑chain partners.
- The use of a Rust‑based stager (SNOWRUST) shows the group’s capability to evade detection heuristics tuned to more conventional binaries, raising the bar for security controls.
Who Is Affected – Public sector agencies (national, regional, and local governments) in South America and southeastern Europe; any third‑party vendors or service providers that support those agencies.
Recommended Actions –
- Review any contracts or data flows with affected government entities for exposure to compromised credentials.
- Validate that third‑party vendors enforce multi‑factor authentication, least‑privilege access, and continuous monitoring for anomalous .NET or Rust binaries.
- Update detection rules to flag the listed malware families and associated tooling (Impacket, proxy utilities).
Technical Notes – Attack vector appears to be initial compromise via phishing or credential theft (exact method not disclosed). Post‑compromise tools include custom .NET backdoors (NetDraft), CloudSorcerer v3, VSHELL, SNOWLIGHT, SNOWRUST (Rust), SNAPPYBEE/DeedRAT, and ZingDoor. Data collected includes system information, user credentials, and network topology. Source: Cisco Talos – UAT‑8302 and its box full of malware