Cisco Talos identified UAT-8302, a China-nexus APT, targeting global government entities using a diverse toolkit of custom and shared malware. The threat actor leverages DLL side-loading to deploy implants like NetDraft, CloudSorcerer v3, and VSHELL, while utilizing open-source tools for extensive network reconnaissance, credential harvesting, and lateral movement.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-05-05

Authors: Jungsoo An, Asheer Malhotra, Brandon White

Actors: UAT-8302, Jewelbug / REF7707 / CL-STA-0049, LongNosedGoblin, Earth Estries, Earth Naga, UAT-6382, UNC5174, UNC6586

Source: Cisco Talos

What Happened

A highly skilled cyber espionage group known as UAT-8302 has been attacking government organizations in South America and Europe. The attackers use a large collection of custom malicious software and scanning tools to sneak into networks, map out the systems, and steal sensitive information. This is significant because it shows a coordinated effort by state-sponsored hackers sharing advanced tools to maintain long-term access to government networks. Organizations should immediately update their security monitoring to detect these specific tools and block the known malicious network addresses.

Key Takeaways

  • UAT-8302 is a China-nexus APT targeting government entities in South America and Southeastern Europe.
  • The group utilizes a vast arsenal of custom malware shared among other China-nexus clusters, including NetDraft, CloudSorcerer v3, and VSHELL.
  • Initial access is followed by extensive reconnaissance using tools like Impacket, custom PowerShell scripts, and GoLang scanners like 'gogo'.
  • Persistence and lateral movement are achieved via scheduled tasks, WMI, and proxy tools like Stowaway and anyproxy.
  • Malware deployment heavily relies on DLL side-loading techniques using benign executables to load malicious payloads.

Affected Systems

  • Windows
  • Active Directory
  • Azure AD Connect / Entra ID

Vulnerabilities (CVEs)

  • CVE-2025-0994
  • CVE-2023-46747

Attack Chain

UAT-8302 gains initial access and immediately conducts extensive network reconnaissance using native tools, custom PowerShell scripts, and GoLang scanners like 'gogo'. They extract credentials from Active Directory and local tools like MobaXterm, then move laterally using WMI and Impacket. The group deploys custom malware such as NetDraft, CloudSorcerer v3, and VSHELL via DLL side-loading to establish persistent C2 communication through legitimate services like MS Graph and GitHub. Finally, they set up proxy servers using tools like Stowaway and anyproxy to tunnel traffic and maintain long-term backdoor access.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: ClamAV, Snort

The article provides a list of ClamAV signature names and Snort Rule IDs (SIDs) that can be used to detect and block the associated malware and network traffic.

Detection Engineering Assessment

  • EDR Visibility: High — The threat actor relies heavily on process creation (cmd.exe, powershell.exe), scheduled tasks, WMI for lateral movement, and DLL side-loading, all of which are highly visible to modern EDR solutions.
  • Network Visibility: Medium — While custom proxy tools and scanning activity generate network noise, the use of legitimate services (MS Graph, GitHub, OneDrive) for C2 makes network-level detection of the actual command and control traffic challenging.
  • Detection Difficulty: Moderate — Although the C2 traffic blends in with legitimate cloud services, the on-host behavior—such as extensive reconnaissance commands, Impacket-style execution patterns, and DLL side-loading—provides numerous high-fidelity detection opportunities.

Required Log Sources

  • Event ID 4688 (Process Creation)
  • Event ID 4698 (A scheduled task was created)
  • Event ID 4104 (PowerShell Script Block Logging)
  • Sysmon Event ID 7 (Image loaded)
  • Sysmon Event ID 1 (Process creation)

Hunting Hypotheses

  • Hypothesis: Look for instances of cmd.exe executing wmic process call create targeting remote nodes, indicating potential lateral movement. | Telemetry: Process Creation (Event ID 4688 / Sysmon Event ID 1) | ATT&CK Stage: Lateral Movement | FP Risk: Low
  • Hypothesis: Search for scheduled task creation events (schtasks.exe /create) referencing suspicious paths like C:\Windows\Temp\ or C:\ProgramData. | Telemetry: Scheduled Task Creation (Event ID 4698) | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Identify PowerShell execution involving extensive Active Directory enumeration cmdlets (e.g., Get-ADUser, Get-ADComputer) run in rapid succession. | Telemetry: PowerShell Script Block Logging (Event ID 4104) | ATT&CK Stage: Discovery | FP Risk: Medium
  • Hypothesis: Monitor for the execution of auditpol.exe querying logging configurations, which may indicate defense evasion reconnaissance. | Telemetry: Process Creation (Event ID 4688 / Sysmon Event ID 1) | ATT&CK Stage: Discovery | FP Risk: Low
  • Hypothesis: Detect Impacket-style command execution patterns, specifically commands redirecting output to _box_\C$__output or similar temporary files. | Telemetry: Process Creation (Event ID 4688 / Sysmon Event ID 1) | ATT&CK Stage: Execution | FP Risk: Low
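As an added illustration (not code from Cisco Talos or from this brief), the five hunting hypotheses above encoded as simple detection rules and run over constructed sample events. The event IDs follow the table; the enumeration threshold and the treatment of a 4698 task definition as one flat command string are assumptions.

```python
import re
from collections import namedtuple
Event = namedtuple("Event", "event_id command")          # event_id: Windows/Sysmon ID
Rule = namedtuple("Rule", "name event_ids pattern stage fp_risk")

# The hypotheses as case-insensitive regexes over the command line (4688 / Sysmon 1)
# or over the task definition flattened to a string (4698, an assumption here).
RULES = [
    Rule("remote_wmic_process_create", {4688, 1},
         r"wmic\s.*?/node:\S+.*?process\s+call\s+create", "Lateral Movement", "Low"),
    Rule("schtask_from_writable_dir", {4698, 4688, 1},
         r"schtasks(\.exe)?\s.*?/create.*?(c:\\windows\\temp\\|c:\\programdata\\)",
         "Persistence", "Low"),
    Rule("auditpol_query", {4688, 1}, r"auditpol(\.exe)?\s+/get\b", "Discovery", "Low"),
    Rule("impacket_output_redirect", {4688, 1}, r"\\c\$\\?__output", "Execution", "Low"),
]

# Assumption: two or more distinct Get-AD* cmdlets in one script block (4104)
# is treated as the "rapid succession" enumeration the report describes.
AD_CMDLET_THRESHOLD = 2

def ad_enumeration_hits(script_block):
    cmdlets = set(re.findall(r"\bGet-AD[A-Za-z]+", script_block))
    return cmdlets if len(cmdlets) >= AD_CMDLET_THRESHOLD else set()

def hunt(events):
    """Return (rule_name, stage, fp_risk, command) for each event matching a hypothesis."""
    hits = []
    for ev in events:
        for rule in RULES:
            if ev.event_id in rule.event_ids and re.search(rule.pattern, ev.command, re.I):
                hits.append((rule.name, rule.stage, rule.fp_risk, ev.command))
        if ev.event_id == 4104 and ad_enumeration_hits(ev.command):
            hits.append(("ad_enumeration_burst", "Discovery", "Medium", ev.command))
    return hits

# Constructed sample telemetry (not from the report); the last two events are benign.
SAMPLE_EVENTS = [
    Event(4688, r"wmic /node:10.0.0.25 process call create cmd.exe /c c:\programdata\e1.bat"),
    Event(4698, r"schtasks /create /tn Updater /tr C:\Windows\Temp\run.bat /sc onlogon"),
    Event(4104, "Get-ADUser -Filter * -Property *; Get-ADComputer -Filter *"),
    Event(4688, "auditpol /get /category:*"),
    Event(4688, r"cmd.exe /Q /c echo whoami ^> \_box_\C$__output"),
    Event(4688, r"schtasks /create /tn Backup /tr C:\Program Files\Backup\job.exe /sc daily"),
    Event(4104, "Get-ADUser -Identity alice"),
]

if __name__ == "__main__":
    for name, stage, fp, cmd in hunt(SAMPLE_EVENTS):
        print(f"[{stage} / FP {fp}] {name}: {cmd}")
```

The benign scheduled task under C:\Program Files and the single-cmdlet script block produce no hits, which is the false-positive boundary each rule is meant to hold.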

Control Gaps

  • Lack of strict application control allowing execution from C:\Windows\Temp\ and C:\ProgramData\
  • Insufficient monitoring of outbound traffic to legitimate cloud services (MS Graph, GitHub)

Key Behavioral Indicators

  • Impacket execution artifacts (e.g., _box_\C$__output)
  • DLL side-loading triads (benign executable + malicious DLL + encrypted payload file)
  • Use of certutil.exe to download files or query certificate stores

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block the provided IP addresses and domains at the perimeter firewall.
  • Deploy the provided ClamAV and Snort signatures to relevant security appliances.
  • Search endpoint telemetry for the provided file hashes and file paths.

Infrastructure Hardening

  • Implement strict application control policies to prevent execution from user-writable directories like C:\Windows\Temp\ and C:\ProgramData.
  • Restrict outbound access to cloud storage and API services (e.g., MS Graph, GitHub) from servers that do not require it.
  • Disable or restrict WMI and SMB access between workstations to limit lateral movement.

User Protection

  • Ensure EDR is deployed and actively monitoring for suspicious process ancestry and scheduled task creation.
  • Implement LAPS (Local Administrator Password Solution) to prevent lateral movement using local administrator credentials.

Security Awareness

  • Train SOC analysts to recognize the signs of DLL side-loading and Impacket-style lateral movement.
  • Educate administrators on the risks of storing credentials in tools like MobaXterm.

MITRE ATT&CK Mapping

  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1047 - Windows Management Instrumentation
  • T1087.002 - Account Discovery: Domain Account
  • T1018 - Remote System Discovery
  • T1049 - System Network Connections Discovery
  • T1003.003 - OS Credential Dumping: NTDS
  • T1090 - Proxy
  • T1102.002 - Web Service: Bidirectional Communication

Additional IOCs

  • IPs:
    • 185[.]238[.]189[.]41 - Network IOC associated with UAT-8302 infrastructure.
    • 103[.]27[.]108[.]55 - Network IOC associated with UAT-8302 infrastructure.
    • 38[.]54[.]32[.]244 - IP address hosting SoftEther VPN client (Rar.exe).
    • 45[.]140[.]168[.]62 - Network IOC associated with UAT-8302 infrastructure.
    • 88[.]151[.]195[.]133 - Network IOC associated with UAT-8302 infrastructure.
    • 156[.]238[.]224[.]82 - Network IOC associated with UAT-8302 infrastructure.
    • 45[.]135[.]135[.]100 - Network IOC associated with UAT-8302 infrastructure.
  • Domains:
    • msiidentity[.]com - Malicious domain used for command and control communications.
    • trafficmanagerupdate[.]com - Malicious domain used for command and control communications.
    • update-kaspersky[.]workers[.]dev - Malicious domain used for command and control communications.
  • URLs:
    • hxxps://www[.]drivelivelime[.]com/x - C2 URL endpoint.
    • hxxps://www[.]drivelivelime[.]com/pw - C2 URL endpoint.
    • hxxps://msiidentity[.]com/pw - C2 URL endpoint.
    • hxxp://trafficmanagerupdate[.]com/index.php - C2 URL endpoint.
    • hxxp://85[.]209[.]156[.]3:8080/wagent.exe - URL used to download the Stowaway proxy agent.
    • hxxp://85[.]209[.]156[.]3:8082/wagent.exe - URL used to download the Stowaway proxy agent.
    • hxxp://185[.]238[.]189[.]41:8080 - C2 URL endpoint.
    • hxxp://103[.]27[.]108[.]55:48265/ - C2 URL endpoint.
    • hxxp://38[.]54[.]32[.]244/Rar.exe - URL used to download SoftEther VPN client.
  • File Hashes: SHA256 hashes (see the Cisco Talos source) for samples of NetDraft / FringePorch, VSHELL, ZingDoor, Gogo, Stowaway, anyproxy, QScan, Draculoader, Dddd, Httpx, the SoftEther VPN client, SharpGetUserLogin, Naabu and PortQry.
  • File Paths:
    • C:\Windows\Temp\run.bat - Batch file used for execution via scheduled tasks.
    • C:\Windows\Temp\ping_scan.bat - Batch file used for network ping sweeps.
    • C:\Windows\Temp\run_scan.bat - Batch file used for network scanning.
    • C:\Windows\Temp\nbtscan.exe - Executable used for NetBIOS scanning.
    • C:\Windows\Temp\alive_hosts.txt - Output file for ping sweep results.
    • C:\Windows\Temp\portscan.txt - Output file for SMB port scanning results.
    • C:\ProgramData\Microsoft\Microsoft\Appunion.exe - Executable path used in scheduled task persistence for NetDraft.
    • C:\Documents and Settings\All Users\Microsoft\Crypto\RSA\d3d8.dll - Path used for Draculoader deployment.
    • c:\windows\system32\wagent.exe - Path used for Stowaway proxy agent.
    • c:\users\public\any.exe - Path used for anyproxy tool.
    • C:\ProgramData\S.exe - Path used for SharpGetUserLoginIPRP tool.
    • c:\programdata\e1.bat - Batch file executed remotely via WMI.
  • Command Lines:
    • Purpose: Create a scheduled task to execute a reconnaissance PowerShell script. | Tools: schtasks.exe, powershell.exe | Stage: Execution/Persistence
    • Purpose: Execute a batch file on a remote system using WMI. | Tools: cmd.exe, wmic.exe | Stage: Lateral Movement | wmic /node:IP process call create cmd.exe /c c:\programdata\e1.bat
    • Purpose: Create a scheduled task for NetDraft persistence. | Tools: schtasks.exe | Stage: Persistence
    • Purpose: Query Active Directory for user information. | Tools: powershell.exe | Stage: Discovery | Get-ADUser -Filter * -Property *
    • Purpose: Query system audit policies. | Tools: auditpol.exe | Stage: Discovery | auditpol /get /category:*
    • Purpose: Execute commands remotely using Impacket-style SMB/WMI execution. | Tools: cmd.exe | Stage: Execution | cmd.exe /Q /c echo whoami ^> \_box_\C$__output