UAT-8302 and the Malware Toolkit Behind Its Attacks

SOC Prime Team

UAT-8302 and the Malware Toolkit Behind Its Attacks

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

Cisco Talos has linked a China-nexus APT group tracked as UAT-8302 to attacks against government organizations in South America since late 2024 and in southeastern Europe throughout 2025. The group deploys a broad malware toolkit that includes NetDraft, CloudSorcerer v3, VSHELL, SNOWLIGHT, SNOWRUST, and additional custom components. Its operations also rely on open-source tools such as Impacket, proxying utilities, and tailored scripts to support reconnaissance, credential theft, and lateral movement across victim environments.

Investigation

Talos documented the group’s malware delivery chain, its use of scheduled tasks for persistence, and its abuse of trusted services such as Microsoft Graph for command-and-control. Researchers also observed DLL sideloading loaders, reconnaissance commands, network scanning utilities, and infrastructure dedicated to payload delivery and remote access. The report further noted overlaps in tooling and tradecraft with other China-linked clusters, including Jewelbug, Earth Estries, and several UNC-tracked groups.

Mitigation

Organizations should patch the referenced vulnerabilities, including CVE-2025-0994, CVE-2025-20333, and CVE-2025-20362, and apply strict controls to Office 365 and OneDrive APIs that could be abused for command-and-control. Defenders should also block the known malicious domains and IP addresses, disable unnecessary services, and restrict remote execution tools such as Impacket and WMI wherever possible. Monitoring should focus on the identified scheduled task names and DLL sideloading patterns associated with the campaign.

Response

Security teams should alert on the listed indicators of compromise, isolate affected systems, and collect relevant logs and forensic artifacts for analysis. Credentials should be rotated promptly, and Active Directory should be reviewed carefully for signs of compromise or unauthorized access. Detection content should also be updated to cover the observed command lines and scheduled tasks, while defenders hunt for additional implants from the same malware families across the environment.

"graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#ffcc99 classDef malware fill:#ff9999 classDef process fill:#cccccc classDef operator fill:#ff9900 %% Initial Access initial_access["Action – T1190 Exploit Public-Facing Application Description: Exploit a vulnerable internetu2011facing service to gain initial foothold."] class initial_access action vuln_app["Tool – Name: Cityworks (vulnerable) Description: Publicu2011facing application containing CVEu20112025u20110994."] class vuln_app tool %% Execution u2013 System Binary Proxy exec_proxy["Action – T1218.002 System Binary Proxy Execution Description: Abuse trusted system binaries to proxy execution of malicious code."] class exec_proxy action control_panel["Tool – Name: Control Panel Description: Legitimate binary used as proxy."] class control_panel tool %% Execution u2013 Trusted Developer Utilities Proxy (MSBuild) exec_msbuild["Action – T1127.001 Trusted Developer Utilities Proxy Execution Description: Use MSBuild to load malicious DLLs via sideu2011loading."] class exec_msbuild action msbuild["Tool – Name: MSBuild Description: Microsoft build engine used to execute project files."] class msbuild tool %% Execution u2013 Shared Modules (DLL Sideu2011Loading) exec_shared["Action – T1129 Shared Modules Description: Load malicious DLLs by placing them next to benign executables."] class exec_shared action yandex_exe["Tool – Name: Yandex.exe Description: Legitimate executable used as dropper."] class yandex_exe tool vmtools_exe["Tool – Name: VMtools.exe Description: VMware tools binary leveraged for sideu2011loading."] class vmtools_exe tool malware_nedraft["Malware – Name: NetDraft"] class malware_nedraft malware malware_cloudsorcerer["Malware – Name: CloudSorcerer"] class malware_cloudsorcerer malware malware_vshell["Malware – Name: VSHELL"] class malware_vshell malware %% Persistence u2013 Scheduled Task persistence_task["Action – T1053 Scheduled Task/Job Description: Create scheduled tasks to run malicious binaries persistently."] class persistence_task action scheduled_task["Tool – Name: Microsoft\Maps\{…} Description: Scheduled task used for persistence."] class scheduled_task tool %% Defense Evasion u2013 Exploitation for Evasion defev_evasion["Action – T1211 Exploitation for Defense Evasion Description: Leverage vulnerabilities to bypass security controls."] class defev_evasion action %% Defense Evasion u2013 Subvert Trust Controls (Code Signing) defev_signing["Action – T1553.006 Subvert Trust Controls Description: Modify code signing policies to trust malicious binaries."] class defev_signing action %% Defense Evasion u2013 Preu2011OS Boot (ROMMONkit) defev_rommon["Action – T1542.004 Preu2011OS Boot: ROMMONkit Description: Install malicious driver during firmware boot."] class defev_rommon action rommon_driver["Tool – Name: Hades HIPS driver"] class rommon_driver tool %% Discovery u2013 Account and Group discovery_account["Action – T1087.002 Account Discovery: Domain Account Description: Enumerate domain user accounts."] class discovery_account action discovery_groups["Action – T1069.002 Permission Groups Discovery: Domain Groups Description: Enumerate domain groups."] class discovery_groups action %% Discovery u2013 Network discovery_netconn["Action – T1049 System Network Connections Discovery Description: Identify active network connections."] class discovery_netconn action discovery_remotes["Action – T1018 Remote System Discovery Description: Find remote systems on the network."] class discovery_remotes action discovery_scanning["Action – T1595.001 Active Scanning: Scanning IP Blocks Description: Scan IP ranges for live hosts."] class discovery_scanning action discovery_netconfig["Action – T1016.001 System Network Configuration Discovery: Internet Connection Discovery Description: Gather network configuration details."] class discovery_netconfig action discovery_cloud["Action – T1526 Cloud Service Discovery Description: Identify cloud service usage."] class discovery_cloud action discovery_cfg_repo["Action – T1602 Data from Configuration Repository Description: Dump network device configuration via SNMP MIB."] class discovery_cfg_repo action %% Lateral Movement u2013 Exploitation of Remote Services lateral_wmi["Action – T1210 Exploitation of Remote Services Description: Use WMI or SMB to execute code on remote hosts."] class lateral_wmi action lateral_smb["Action – T1021.002 Remote Services: SMB/Windows Admin Shares Description: Access admin shares for lateral movement."] class lateral_smb action lateral_transfer["Action – T1570 Lateral Tool Transfer Description: Transfer tools to remote systems."] class lateral_transfer action lateral_taint["Action – T1080 Taint Shared Content Description: Poison shared files to spread malware."] class lateral_taint action lateral_cloud["Action – T1021.007 Remote Services: Cloud Services Description: Use OneDrive or GitHub for lateral movement."] class lateral_cloud action lateral_rats["Action – T1219 Remote Access Tools Description: Deploy tools such as gogo, httpx, SNOWRUST."] class lateral_rats action tool_gogo["Tool – Name: gogo"] class tool_gogo tool tool_httpx["Tool – Name: httpx"] class tool_httpx tool tool_snowrust["Tool – Name: SNOWRUST"] class tool_snowrust tool %% Privilege Escalation u2013 Account Manipulation priv_esc["Action – T1098.007 Account Manipulation: Additional Local or Domain Groups Description: Add compromised accounts to privileged groups."] class priv_esc action %% Command and Control u2013 Proxy (multiu2011hop) c2_proxy["Action – T1090 Proxy Description: Route traffic through internal, external and multiu2011hop proxies."] class c2_proxy action c2_proxy_int["Tool – Name: Internal Proxy"] class c2_proxy_int tool c2_proxy_ext["Tool – Name: External Proxy"] class c2_proxy_ext tool %% Command and Control u2013 Protocol Tunneling c2_tunnel["Action – T1572 Protocol Tunneling Description: Encapsulate C2 traffic inside allowed protocols."] class c2_tunnel action %% Command and Control u2013 Cloud API c2_cloudapi["Action – T1059.009 Command and Scripting Interpreter: Cloud API Description: Use OneDrive, GitHub, GameSpot APIs for C2."] class c2_cloudapi action c2_onedrive["Tool – Name: OneDrive"] class c2_onedrive tool c2_github["Tool – Name: GitHub"] class c2_github tool c2_gamespot["Tool – Name: GameSpot"] class c2_gamespot tool %% Command and Control u2013 Web Protocols c2_web["Action – T1071.001 Application Layer Protocol: Web Protocols Description: Communicate over HTTP/HTTPS."] class c2_web action %% Command and Control u2013 Multiu2011Stage Channels c2_multi["Action – T1104 Multiu2011Stage Channels Description: Chain multiple C2 channels for resilience."] class c2_multi action %% Exfiltration u2013 Over Web Service exfil_web["Action – T1567.002 Exfiltration Over Web Service Description: Upload stolen data to cloud storage services."] class exfil_web action %% Connections u2013 Attack Flow initial_access –>|exploits| vuln_app vuln_app –>|enables| exec_proxy exec_proxy –>|uses| control_panel exec_proxy –>|leads_to| exec_msbuild exec_msbuild –>|uses| msbuild exec_msbuild –>|facilitates| exec_shared exec_shared –>|leverages| yandex_exe exec_shared –>|leverages| vmtools_exe exec_shared –>|loads| malware_nedraft exec_shared –>|loads| malware_cloudsorcerer exec_shared –>|loads| malware_vshell exec_shared –>|creates| persistence_task persistence_task –>|creates| scheduled_task scheduled_task –>|maintains| defev_evasion defev_evasion –>|includes| defev_signing defev_signing –>|modifies| rommon_driver defev_evasion –>|includes| defev_rommon defev_rommon –>|installs| rommon_driver %% Discovery Flow scheduled_task –>|gathers| discovery_account scheduled_task –>|gathers| discovery_groups scheduled_task –>|gathers| discovery_netconn scheduled_task –>|gathers| discovery_remotes scheduled_task –>|gathers| discovery_scanning scheduled_task –>|gathers| discovery_netconfig scheduled_task –>|gathers| discovery_cloud scheduled_task –>|gathers| discovery_cfg_repo %% Lateral Movement Flow discovery_remotes –>|enables| lateral_wmi lateral_wmi –>|uses| lateral_smb lateral_smb –>|transfers| lateral_transfer lateral_transfer –>|moves| lateral_cloud lateral_cloud –>|uses| c2_onedrive lateral_cloud –>|uses| c2_github lateral_cloud –>|uses| c2_gamespot lateral_wmi –>|executes| lateral_rats lateral_rats –>|uses| tool_gogo lateral_rats –>|uses| tool_httpx lateral_rats –>|uses| tool_snowrust %% Privilege Escalation Flow discovery_groups –>|supports| priv_esc %% Command and Control Flow priv_esc –>|reports to| c2_proxy c2_proxy –>|routes through| c2_proxy_int c2_proxy –>|routes through| c2_proxy_ext c2_proxy –>|uses| c2_tunnel c2_tunnel –>|establishes| c2_cloudapi c2_cloudapi –>|communicates via| c2_onedrive c2_cloudapi –>|communicates via| c2_github c2_cloudapi –>|communicates via| c2_gamespot c2_cloudapi –>|uses| c2_web c2_web –>|enables| c2_multi c2_multi –>|delivers| exfil_web %% Styling class initial_access,exec_proxy,exec_msbuild,exec_shared,persistence_task,defev_evasion,defev_signing,defev_rommon,discovery_account,discovery_groups,discovery_netconn,discovery_remotes,discovery_scanning,discovery_netconfig,discovery_cloud,discovery_cfg_repo,lateral_wmi,lateral_smb,lateral_transfer,lateral_taint,lateral_cloud,lateral_rats,priv_esc,c2_proxy,c2_tunnel,c2_cloudapi,c2_web,c2_multi,exfil_web action class vuln_app,control_panel,msbuild,yandex_exe,vmtools_exe,malware_nedraft,malware_cloudsorcerer,malware_vshell,scheduled_task,rommon_driver,tool_gogo,tool_httpx,tool_snowrust,tool_gogo,tool_httpx,tool_snowrust,c2_proxy_int,c2_proxy_ext,c2_onedrive,c2_github,c2_gamespot tool class rommon_driver malware "

UAT-8302 and the Malware Toolkit Behind Its Attacks

Summary

Investigation

Mitigation

Response

Attack Flow

Detections

Suspicious CURL Usage (via cmdline)

Possible Cloudflare Development Domain Abuse (via dns)

Possible Impacket Command Line Patterns (via cmdline)

Possible Usage of Sysinternals Tools (via cmdline)

Powershell Executing File In Suspicious Directory Using Bypass Execution Policy (via cmdline)

Possible System Enumeration (via cmdline)

Possible Remote System Discovery or Connectivity Check (via cmdline)

Possible Admin Account or Group Enumeration (via cmdline)

Suspicious Domain Trusts Discovery (via cmdline)

Possible System Network Configuration Discovery (via cmdline)

Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)

LOLBAS wmic (via cmdline)

Using Certutil for Data Encoding and Cert Operations (via cmdline)

Suspicious Execution from Public User Profile (via process_creation)

Possible Data Collection [7zip] (via cmdline)

Suspicious Files in Public User Profile (via file_event)

Suspicious File Download Direct IP (via proxy)

IOCs (HashSha256) to detect: UAT-8302 and its box full of malware

IOCs (SourceIP) to detect: UAT-8302 and its box full of malware

IOCs (DestinationIP) to detect: UAT-8302 and its box full of malware

Scheduled Task and WMIC Process Creation by UAT-8302 [Windows Process Creation]

Detect UAT-8302 PowerShell Reconnaissance Activity [Windows Powershell]

Simulation Execution