UAT-8302 and its box full of malware
AlienVault pulse (WHITE), created 2026-05-05, modified 2026-05-05. 50 IOCs, medium volume.
UAT-8302 is a sophisticated China-nexus advanced persistent threat group targeting government entities in South America since late 2024 and southeastern Europe in 2025. The actor deploys multiple custom-made malware families including NetDraft, a .NET-based backdoor variant of FinalDraft/SquidDoor, and CloudSorcerer version 3. Post-compromise activities involve extensive reconnaissance, credential extraction, information collection from Active Directory, and network proliferation using tools like Impacket. The group establishes persistence through scheduled tasks and deploys additional malware including VSHELL, SNAPPYBEE/DeedRAT, and ZingDoor. UAT-8302 demonstrates connections to several China-nexus threat clusters through shared tooling, including Draculoader and SNOWLIGHT stager. The actor uses legitimate services like MS Graph and OneDrive for command-and-control infrastructure and establishes backdoor access through proxy servers using tools written in Simplified Chinese.
Malware families: NetDraft, FringePorch, CloudSorcerer, VSHELL, SNOWLIGHT, SNOWRUST, DeedRAT, SNAPPYBEE, ZingDoor, Draculoader, FinalDraft, SquidDoor, NosyDoor
Indicators of Compromise (50)