China-linked APT group attacking government entities in South America and Europe

A sophisticated China-linked advanced persistent threat (APT) group has been targeting government entities in South America since at least late 2024 and in Southeastern Europe since 2025, according to researchers.
Cisco Talos is calling the group UAT-8302 and said in a new blog post that the collective deploys multiple custom-made malware families that have previously been used by other known China-nexus threat actors.
One of the malware families is a .NET-based backdoor dubbed NetDraft, also known as NosyDoor.
That’s a C#-based variant of the FinalDraft/SquidDoor malware family developed and operated by Jewelbug/REF7707/CL-STA-0049/LongNosedGoblin, a cluster of China-nexus APT actors.
Another cybersecurity company, ESET, attributes the use of NosyDoor to a group it calls LongNosedGoblin. Interestingly, the same malware has also been deployed against Russian IT organizations by a threat actor referred to as Erudite Mogwai.
Furthermore, UAT-8302 also uses an updated version of the CloudSorcerer backdoor, a malware family used in attacks against Russian government entities in 2024, Cisco Talos said.
All these connections to several previously disclosed threat clusters indicate a close operating relationship between them, the researchers added.
They assess with “high confidence” that UAT-8302 is a China-nexus APT group primarily tasked with obtaining and maintaining long-term access to government and related entities worldwide.
“Post-compromise activity consisted of information collection, credential extraction, and proliferation using open-source tooling such as Impacket, proxying tools, and custom-built malware,” said Cisco Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White in a technical report.
So far, it's not known what initial access methods the group uses to break into target networks.
However, it’s suspected to involve the time-tested approach of weaponizing zero-day and N-day vulnerabilities. N-day vulnerabilities are security flaws that have already been discovered, publicly disclosed, and patched – but they remain exploitable because many systems haven’t been updated.
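The N-day problem above is, from the defender's side, an inventory question: which hosts still run a version older than the one that fixed a disclosed flaw? The following script is an added illustration of that check and is not code from the article or from Cisco Talos; the host inventory, product names and advisory identifiers in it are constructed sample data (placeholders, not real advisories), and the version parser deliberately compares only the leading dotted numeric part of a version string.

```python
"""Flag hosts still running software below the version that fixed a known flaw.

Added illustration of the "N-day" gap: the fix exists upstream, but hosts that
never took the update remain exposed. All inventory data and advisory ids
below are constructed placeholders, not taken from the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.2.10' or 'v1.2.10-rc1' into a comparable tuple of integers.

    Only the leading dotted numeric part is compared; suffixes such as
    '-rc1' are ignored. Trailing zeros are dropped so that 2.1 == 2.1.0.
    Plain string comparison would wrongly rank '1.2.9' above '1.2.10'.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str  # first version that contains the fix
    ref: str       # placeholder advisory id (constructed, not a real one)


def unpatched_hosts(inventory, advisories):
    """Return (host, product, installed, advisory_ref) for every host whose
    installed version is older than the fixed version of a matching advisory."""
    by_product: dict[str, list[Advisory]] = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)

    findings = []
    for host, product, installed in inventory:
        for adv in by_product.get(product, []):
            if parse_version(installed) < parse_version(adv.fixed_in):
                findings.append((host, product, installed, adv.ref))
    return findings


# Constructed sample data: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("srv-01", "exampled", "2.4.9"),
    ("srv-02", "exampled", "2.4.12"),
    ("vpn-01", "gatewayos", "v7.0.3"),
    ("vpn-02", "gatewayos", "7.1"),
]

# Constructed sample advisories with placeholder identifiers.
SAMPLE_ADVISORIES = [
    Advisory("exampled", "2.4.10", "ADV-PLACEHOLDER-001"),
    Advisory("gatewayos", "7.0.5", "ADV-PLACEHOLDER-002"),
]


if __name__ == "__main__":
    for host, product, installed, ref in unpatched_hosts(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{host}: {product} {installed} is below the fixed version ({ref})")
```

Feeding it a real inventory export and a list of advisories with their fixed versions gives the set of hosts where a disclosed-and-patched flaw is still live, which is exactly the population an N-day campaign relies on.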
China-linked threat actors have been more active lately. In April, cyber agencies from nine countries urged organizations to better defend against covert networks used by China-linked hackers to conceal malicious cyber activity, for example.
The networks reportedly target critical sectors globally, steal data, and maintain persistent access with attacks hard to detect because evidence disappears quickly.