According to Cisco Talos, a sophisticated China-nexus APT group tracked under the moniker UAT-8302 has been linked to attacks against government entities in South America since at least late 2024 and against southeastern European government agencies in 2025.
The operation deploys custom malware families, including a .NET backdoor called NetDraft (aka NosyDoor), a variant of FINALDRAFT, and other tools such as CloudSorcerer, SNOWLIGHT, Deed RAT, and Draculoader, to maintain access and move laterally after initial compromise. ESET attributes NosyDoor to a group it calls LongNosedGoblin, while Solar has linked the same malware to Erudite Mogwai (aka Space Pirates and Webworm) in attacks on Russian IT targets, so the backdoor carries two further vendor aliases and a separate attribution thread.
The report notes that the attackers likely weaponise zero-day and N-day web application exploits for initial access, follow up with reconnaissance using open-source tools like gogo, and then deploy NetDraft, CloudSorcerer, and VShell; a Rust-based SNOWLIGHT variant dubbed SNOWRUST is used to fetch the VShell payload.
The findings highlight increasing collaboration between China-aligned groups, including the Premier Pass-as-a-Service model described by Trend Micro, in which access obtained by Earth Estries has been passed to Earth Naga for follow-on exploitation since at least late 2023.