A sophisticated China-linked cyber espionage group has been targeting government organizations in South America and Southeastern Europe using a growing collection of custom malware and stealth-focused intrusion techniques, according to new research from Cisco Talos.
The threat cluster, tracked as UAT-8302, has reportedly been active in South America since at least late 2024 and expanded operations into parts of Europe during 2025. Researchers say the campaign reflects increasing coordination between multiple China-aligned threat groups and malware ecosystems.
Cisco Talos researchers observed the attackers deploying several malware families previously associated with known Chinese advanced persistent threat operations. Among them is NetDraft, also referred to as NosyDoor, a .NET-based backdoor designed to provide persistent remote access inside compromised environments.
NetDraft is linked to a broader malware family known as FinalDraft or SquidDoor, which has previously been tied to China-nexus activity tracked by different vendors under names including Jewelbug, REF7707, CL-STA-0049, and LongNosedGoblin; the differing names reflect separate vendor tracking of what appears to be overlapping tooling rather than confirmed single-actor attribution.
Researchers also identified an updated variant of the CloudSorcerer backdoor, another espionage-focused malware strain previously observed in attacks against Russian government entities in 2024. The reuse of tooling across campaigns suggests operational overlap or collaboration between multiple Chinese cyber espionage clusters.
According to Talos, the attackers focused primarily on government institutions, though researchers did not publicly identify the affected countries or agencies. The campaign appears centered on long-term intelligence collection rather than financially motivated cybercrime.
The operation reflects a broader trend in Chinese state-linked cyber activity. Security researchers and intelligence agencies have repeatedly warned that China-aligned threat actors are expanding espionage campaigns globally, increasingly targeting government agencies, telecommunications infrastructure, defense contractors, and critical infrastructure operators.
Unlike ransomware groups that prioritize disruption and extortion, advanced persistent threat groups generally focus on stealth and persistence. These operations are often designed to remain undetected inside networks for extended periods while collecting sensitive communications, credentials, strategic intelligence, or geopolitical information.
Cisco Talos noted that UAT-8302 uses custom-built malware combined with evolving tactics to avoid detection. The attackers reportedly rely on modular tooling capable of adapting to different environments and operational requirements.
Researchers also pointed to infrastructure and malware similarities linking the campaign to several previously documented Chinese espionage groups. This type of overlap is common in state-linked cyber operations, where malware families, infrastructure components, and operational techniques are often shared between related teams.
The targeting of South American government entities is particularly notable because much public reporting around Chinese cyber espionage has historically focused on North America, Europe, and the Asia-Pacific regions. Analysts say the activity suggests expanding geopolitical intelligence priorities and broader international collection efforts.
At the same time, Southeastern Europe has become an increasingly active region for cyber espionage operations involving multiple state-linked actors. Governments in the region often occupy strategic positions in relation to NATO, European Union policy, telecommunications infrastructure, and regional political developments.
The campaign also highlights how Chinese cyber operations continue to evolve technically. Recent reports have documented Chinese threat groups using legitimate cloud services for command and control, hijacked consumer devices repurposed as relay botnets, and supply chain compromises, all of which blend into expected traffic and help maintain long-term access to targets while reducing the chance of detection.
Security researchers warn that modern espionage campaigns are increasingly difficult to detect because attackers rely heavily on legitimate administrative tools already present on the target, encrypted command-and-control channels, and trusted cloud infrastructure that defenders are reluctant to block. In many cases, organizations remain compromised for months before the activity is identified, which puts a premium on retrospective hunting rather than purely signature-based detection.
The emergence of UAT-8302 adds to a growing list of China-linked advanced persistent threat groups active worldwide, including Volt Typhoon, Hafnium, and APT41, all of which have previously been connected to espionage campaigns targeting governments and critical sectors.
Cisco Talos researchers said the operation remains active, with ongoing monitoring focused on identifying additional victims, infrastructure, and malware variants associated with the campaign.
