China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions
A series of cyberattacks targeting government entities in South America since late 2024 and government agencies in southeastern Europe in 2025 has been attributed to a sophisticated advanced persistent threat (APT) group with links to China. The unified campaign indicates a coordinated effort to infiltrate state networks across different continents using shared malicious tools.

The activity is being tracked by Cisco Talos under the moniker UAT-8302. According to the cybersecurity firm, the group’s operations involve post-exploitation activities that deploy custom-made malware families, some of which have been previously identified in other state-sponsored campaigns. This reuse of specific malware code suggests a common developer or shared operational resources among different threat actors.

Campaign Details and Scope

The attacks in South America began at some point in late 2024, targeting unspecified government institutions. The campaigns in southeastern Europe followed in 2025, indicating the group has expanded its geographic focus. Cisco Talos has not disclosed the specific names of the targeted countries or the extent of data compromised, but it confirmed the attacks are ongoing.

The initial infection vectors used by UAT-8302 were not detailed in public disclosures, though the group relies on sophisticated techniques to maintain persistence within compromised networks. The custom malware deployed includes backdoors and data exfiltration tools designed to evade detection by standard security software.

Malware and Infrastructure Connections

An analysis of the malware families used in these operations reveals overlaps with code previously linked to Chinese APT groups. These connections strengthen the attribution to a China-nexus actor, as the shared codebases indicate a common origin. The infrastructure used for command and control also shows consistent patterns across the South American and European campaigns.

The actions of UAT-8302 align with the broader objectives of state-sponsored espionage targeting government networks. The focus on governmental bodies suggests motives related to intelligence gathering, policy monitoring, or strategic advantage.

Industry Response and Mitigation

Cisco Talos has released indicators of compromise (IOCs) and detection rules to help organizations identify and block the malware associated with UAT-8302. The cybersecurity firm is advising government agencies worldwide to review their network logs for suspicious outbound connections and to update endpoint detection tools.

Security teams are advised to prioritize patching known vulnerabilities, enforce multifactor authentication, and segment networks to limit lateral movement by attackers. The shared nature of the malware increases the risk for other regions, as the tools could be rapidly repurposed against new targets.
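The log review Talos recommends above amounts to sweeping outbound-connection records against the published indicator list and grouping hits by internal host so responders can scope any incident. The script below is an added example written for this article, not Cisco Talos code; the indicator domain, IPs and CIDR are constructed placeholders drawn from reserved documentation ranges, and the proxy log lines are constructed too, so it runs offline. In practice you would substitute the IOCs Talos released for UAT-8302 and your own proxy or firewall export.

```python
"""IOC sweep over outbound-connection logs.

Added example, not Cisco Talos code. The indicator values and log lines
below are constructed placeholders; substitute the published UAT-8302
IOCs and your own proxy/firewall exports.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list (placeholders, NOT real UAT-8302 IOCs).
IOC_DOMAINS = {"c2.example-placeholder.test"}
IOC_IPS = {"203.0.113.45"}                               # TEST-NET-3 range
IOC_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]   # TEST-NET-2 range

# Constructed proxy log lines: "<timestamp> <src> <dst>:<port> <sni-or-host>".
# The "-" host field stands for a connection with no observed hostname.
SAMPLE_LOGS = """\
2025-03-01T10:00:01Z 10.1.2.3 192.0.2.10:443 www.example.com
2025-03-01T10:00:07Z 10.1.2.3 203.0.113.45:443 -
2025-03-01T10:05:07Z 10.1.2.3 203.0.113.45:443 -
2025-03-01T10:10:07Z 10.1.2.3 203.0.113.45:443 -
2025-03-01T10:02:15Z 10.1.2.9 198.51.100.77:8080 update.c2.example-placeholder.test
2025-03-01T10:03:00Z 10.1.2.5 192.0.2.10:443 www.example.com
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[0-9.]+):(?P<port>\d+)\s+(?P<host>\S+)$"
)


def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def matches_domain(host):
    """Return the indicator domain if host equals it or is a subdomain of it."""
    if host == "-":
        return None
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def matches_ip(dst):
    """Return the matching indicator IP or CIDR for a destination address."""
    if dst in IOC_IPS:
        return dst
    addr = ipaddress.ip_address(dst)
    for net in IOC_CIDRS:
        if addr in net:
            return str(net)
    return None


def sweep(lines):
    """Return (src, dst, indicator) for every line that hits an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or header lines rather than fail the sweep
        ind = matches_domain(rec["host"]) or matches_ip(rec["dst"])
        if ind:
            hits.append((rec["src"], rec["dst"], ind))
    return hits


def hosts_by_indicator(hits):
    """Group internal source hosts per indicator to scope which machines need triage."""
    grouped = defaultdict(set)
    for src, _dst, ind in hits:
        grouped[ind].add(src)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for src, dst, ind in found:
        print(f"HIT {src} -> {dst} (indicator {ind})")
    print(hosts_by_indicator(found))
```

Domain matching deliberately includes subdomains, because an indicator published as a bare domain usually covers hosts beneath it, while IP matching checks both exact addresses and CIDR blocks. Grouping by indicator rather than by line is what you want for the next step: each internal host that appears is a candidate for endpoint triage with the updated detection content.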

The disclosure of UAT-8302 is part of a broader trend of public reporting on Chinese state-linked cyber operations. Attribution remains a complex process, but the convergence of technical evidence, operational targets, and malware signatures provides a high degree of confidence in the assessment.

Looking ahead, cybersecurity experts expect UAT-8302 to continue its operations, potentially expanding to additional regions or sectors. Government agencies are urged to remain vigilant and to implement proactive threat hunting measures based on the released indicators. The geopolitical implications of such attacks are likely to fuel further diplomatic discussions on cyber norms and state responsibility in cyberspace.

Source: Cisco Talos
