UAT-8302 and Its Box Full of Malware

    Date: 05/08/2026

    Severity: Medium

    Summary

    UAT-8302 is a sophisticated China-linked APT group targeting South American government entities since late 2024 and southeastern European agencies in 2025. After gaining access, the group deploys several custom malware families previously associated with other China-nexus threat actors. Researchers identified “NetDraft,” a .NET-based backdoor and C# variant of the FinalDraft/SquidDoor malware family linked to Jewelbug and related APT clusters. The group also leverages an updated version of the CloudSorcerer backdoor, previously used in attacks on Russian government organizations in 2024. Additionally, UAT-8302 employs VSHELL, the SNOWLIGHT stager, and a newly discovered Rust-based stager called SNOWRUST in its operations.

    Indicators of Compromise (IOC) List

    Domains/URLs:


    IP Addresses:


    Hashes (SHA-256):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://85.209.156.3:8082/wagent.exe" or url like "http://85.209.156.3:8082/wagent.exe" or siteurl like "http://85.209.156.3:8082/wagent.exe" or domainname like "update-kaspersky.workers.dev" or url like "update-kaspersky.workers.dev" or siteurl like "update-kaspersky.workers.dev" or domainname like "https://www.drivelivelime.com/x" or url like "https://www.drivelivelime.com/x" or siteurl like "https://www.drivelivelime.com/x" or domainname like "http://85.209.156.3:8080/wagent.exe" or url like "http://85.209.156.3:8080/wagent.exe" or siteurl like "http://85.209.156.3:8080/wagent.exe" or domainname like "http://185.238.189.41:8080" or url like "http://185.238.189.41:8080" or siteurl like "http://185.238.189.41:8080" or domainname like "https://www.drivelivelime.com" or url like "https://www.drivelivelime.com" or siteurl like "https://www.drivelivelime.com" or domainname like "image.update-kaspersky.workers.dev" or url like "image.update-kaspersky.workers.dev" or siteurl like "image.update-kaspersky.workers.dev" or domainname like "https://msiidentity.com/pw" or url like "https://msiidentity.com/pw" or siteurl like "https://msiidentity.com/pw" or domainname like "http://103.27.108.55:48265/" or url like "http://103.27.108.55:48265/" or siteurl like "http://103.27.108.55:48265/" or domainname like "https://www.drivelivelime.com/pw" or url like "https://www.drivelivelime.com/pw" or siteurl like "https://www.drivelivelime.com/pw" or domainname like "www.drivelivelime.com" or url like "www.drivelivelime.com" or siteurl like "www.drivelivelime.com" or domainname like "https://msiidentity.com" or url like "https://msiidentity.com" or siteurl like "https://msiidentity.com" or domainname like "msiidentity.com" or url like "msiidentity.com" or siteurl like "msiidentity.com" or domainname like "trafficmanagerupdate.com" or url like "trafficmanagerupdate.com" or siteurl like "trafficmanagerupdate.com" or domainname like "http://trafficmanagerupdate.com/index.php" or url like "http://trafficmanagerupdate.com/index.php" or siteurl like "http://trafficmanagerupdate.com/index.php" or domainname like "http://38.54.32.244/Rar.exe" or url like "http://38.54.32.244/Rar.exe" or siteurl like "http://38.54.32.244/Rar.exe"

    Detection Query 2:

    dstipaddress IN ("45.140.168.62","185.238.189.41","156.238.224.82","38.54.32.244","103.27.108.55","85.209.156.3","45.135.135.100","88.151.195.133") or srcipaddress IN ("45.140.168.62","185.238.189.41","156.238.224.82","38.54.32.244","103.27.108.55","85.209.156.3","45.135.135.100","88.151.195.133")

    Detection Query 3:

    sha256hash IN ("7d9c70fc36143eb33583c30430dcb40cf9d306067594cc30ffd113063acd6292","199bd156c81b2ef4fb259467a20eacaa9d861eeb2002f1570727c2f9ff1d5dab","45cd169bf9cd7298d972425ad0d4e98512f29de4560a155101ab7427e4f4123f","843f8aea7842126e906cadbad8d81fa456c184fb5372c6946978a4fe115edb1c","F859a67ceebc52f0770a222b85a5002195089ee442eac4bea761c29be994e2ea","1bb59491f7289b94ab0130d7065d74d2459a802a7550ebf8cd0828f0a09c4d38","3dec6703b2cbc6157eb67e80061d27f9190c8301c9dd60eb0be1e8b096482d7e","E74098b17d5d95e0014cf9c7f41f2a4e4be8baefc2b0eb42d39ae05a95b08ea5","7c593ca40725765a0747cc3100b43a29b88ad1708ef77e915ab02686c0153001","343105919aa6df8a75ecb8b06b74f23a7d3e221fca56c67b728c50ea141314bc","35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b","2b627f6afe1364a7d0d832ccba87ef33a8a39f30a70a5f395e2a3cb0e2161cb3","1139b39d3cc151ddd3d574617cf113608127850197e9695fef0b6d78df82d6ca","Ee56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b","51f0cf80a56f322892eed3b9f5ecae45f1431323600edbaea5cd1f28b437f6f2","071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6","4109f15056414f25140c7027092953264944664480dd53f086acb8e07d9fccab","9f115e9b32111e4dc2w9343a2671ab10a2b38448657b24107766dc14ce528fceb","B19bfca2fc3fdabf0d0551c2e66be895e49f92aedac56654b1b0f51ec66e7404","Fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00")
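    The three queries above, re-expressed as offline matching over a few constructed events so the logic can be checked before it is loaded into a SIEM. This is an added example, not code from the advisory or from Gurucul; it treats the Gurucul "like" operator as a case-insensitive substring match (an assumption) and uses only a subset of the IOCs listed above. It also lower-cases hash IOCs before comparison, because the hash list above mixes upper and lower case and an exact IN() on a case-sensitive field would silently miss those entries, and it rejects any entry that is not 64 hex characters, which catches the one entry in the list that cannot be a SHA-256.

```python
import re

# IOC values are copied from the advisory above; the events below are constructed.
URL_IOCS = {"www.drivelivelime.com", "msiidentity.com", "trafficmanagerupdate.com",
            "update-kaspersky.workers.dev", "http://85.209.156.3:8080/wagent.exe",
            "http://38.54.32.244/Rar.exe"}
IP_IOCS = {"85.209.156.3", "185.238.189.41", "103.27.108.55", "38.54.32.244",
           "45.140.168.62", "88.151.195.133", "156.238.224.82", "45.135.135.100"}
RAW_HASH_IOCS = [
    "Ee56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b",   # mixed case on the page
    "7d9c70fc36143eb33583c30430dcb40cf9d306067594cc30ffd113063acd6292",
    "9f115e9b32111e4dc2w9343a2671ab10a2b38448657b24107766dc14ce528fceb",  # 65 chars, contains 'w'
]
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def normalise_hashes(raw):
    """Lower-case hash IOCs and split off the ones that cannot be a SHA-256."""
    good, bad = set(), []
    for h in raw:
        h = h.strip().lower()
        (good.add(h) if SHA256_RE.match(h) else bad.append(h))
    return good, bad

HASH_IOCS, REJECTED_HASHES = normalise_hashes(RAW_HASH_IOCS)

def match_event(ev):
    """Return the names of the detection queries a single event would trigger."""
    hits = []
    # Query 1: 'like' on domainname/url/siteurl, modelled as case-insensitive substring match
    fields = " ".join(str(ev.get(k, "")) for k in ("domainname", "url", "siteurl")).lower()
    if any(ioc.lower() in fields for ioc in URL_IOCS):
        hits.append("query1_url")
    # Query 2: exact IN() on either source or destination IP
    if {ev.get("srcipaddress"), ev.get("dstipaddress")} & IP_IOCS:
        hits.append("query2_ip")
    # Query 3: IN() on sha256hash, compared after lower-casing both sides
    if str(ev.get("sha256hash", "")).lower() in HASH_IOCS:
        hits.append("query3_hash")
    return hits

SAMPLE_EVENTS = [  # constructed proxy, firewall and EDR-style records
    {"url": "https://www.drivelivelime.com/pw", "srcipaddress": "10.0.0.5", "dstipaddress": "45.140.168.62"},
    {"sha256hash": "EE56C49F42522637F401D15AC2A2B6F3423BFB2D5D37D071F0172CE9DC688D4B"},
    {"url": "https://example.invalid/", "srcipaddress": "10.0.0.9", "dstipaddress": "10.0.0.1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(match_event(ev))
    print("rejected hash IOCs:", REJECTED_HASHES)
```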

    Reference:

    https://blog.talosintelligence.com/uat-8302/


    Tags

    Malware, Threat Actor, APT, China, South America, Europe, China-Nexus, Backdoor, Squidoor, FinalDraft, Government Services and Facilities, VSHell
