UAT-8302: Suspected Chinese APT Targets South American and European Governments with Custom Malware
A sophisticated China-nexus APT, tracked as **UAT-8302**, has been actively targeting government entities in South America and Southeastern Europe. The group leverages custom-made malware families and collaborates with other China-aligned hacking groups, indicating a complex web of shared resources and tactics.

**Cisco Talos** is tracking the activity of this advanced persistent threat (APT) group, dubbed **UAT-8302**, which has been targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. Post-exploitation involves the deployment of custom-made malware families.

### NetDraft Backdoor and Shared Malware Arsenal
A key component of UAT-8302's toolkit is a .NET-based backdoor known as **NetDraft** (aka NosyDoor). This malware, a C# variant of **FINALDRAFT** (aka Squidoor), has previously been associated with threat clusters like **Ink Dragon**, **CL-STA-0049**, **Earth Alux**, **Jewelbug**, and **REF7707**.
**ESET** attributes the use of NosyDoor to a group it calls **LongNosedGoblin**. Interestingly, the same malware has also been deployed against Russian IT organizations by **Erudite Mogwai** (aka Space Pirates and Webworm), tracked by Russian cybersecurity company **Solar** as LuckyStrike Agent.

### Tools of the Trade
Other tools utilized by UAT-8302 include:
* **CloudSorcerer**: A backdoor observed in attacks targeting Russian entities since May 2024.
* **SNOWLIGHT**: A **VShell** stager used by **UNC5174**, **UNC6586**, and **UAT-6382**.
* **Deed RAT** (aka Snappybee): A successor of ShadowPad.
* **Zingdoor**: Both Deed RAT and Zingdoor have been deployed by **Earth Estries** in late 2024.
* **Draculoader**: A generic shellcode loader used to deliver Crowdoor and HemiGate.

### Collaboration and Access-as-a-Service
"Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least," **Talos** researchers stated. "Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports."
The initial access methods employed by the adversary are currently unknown, but it's suspected they involve exploiting zero-day and N-day vulnerabilities in web applications.
Once inside a network, the attackers conduct extensive reconnaissance, use open-source tools like `gogo` for automated scanning, and move laterally. This culminates in the deployment of NetDraft, CloudSorcerer (version 3.0), and VShell.
UAT-8302 has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to download and execute the VShell payload. In addition to custom malware, the threat actor establishes alternative backdoor access using proxy and VPN tools like Stowaway and SoftEther VPN.
**Trend Micro** highlighted a "Premier Pass-as-a-Service" model, in which initial access obtained by Earth Estries is handed off to Earth Naga for follow-on exploitation, an arrangement that can complicate attribution. This partnership is believed to have been active since at least late 2023.
"Premier Pass-as-a-Service provides direct access to critical assets, reducing the time spent on reconnaissance, initial exploitation and lateral movement phases," **Trend Micro** explained. "Although the full extent of this model is not yet known … access is likely restricted to a small circle of threat actors."