HackMyIP
2026-05-05 The Hacker News

China-Linked UAT-8302 Hits South America Governments with Shared APT Malware

Tags: APT, Malware, Threat Intel

Security researchers have linked a newly tracked China‑nexus threat cluster, designated UAT‑8302, to a wave of cyber‑espionage operations targeting government agencies in South America and, more recently, in other regions. The campaign, active since late 2024, leverages a blend of custom implants and widely shared APT malware to infiltrate diplomatic, legislative, and critical‑infrastructure networks.

UAT‑8302 employs a modular backdoor that shares code‑level similarities with known Chinese APT toolkits, including a variant of PlugX and a customized ShadowPad loader. The attackers gain initial access through spear‑phishing emails that deliver malicious Word documents, which then exploit a privilege‑escalation vulnerability to drop the shared malware onto affected hosts. Command‑and‑control (C2) communications are routed through compromised servers in Hong Kong and Singapore, allowing the group to rotate infrastructure quickly and avoid detection.

Affected organizations have reported data exfiltration of sensitive communications, internal policy documents, and authentication credentials. Incident response teams have identified consistent indicators of compromise (IoCs) such as specific MD5 hashes, malicious LNK files, and irregular DNS queries to a set of parked domains. Security teams are advised to block the identified C2 IP ranges, enforce multi‑factor authentication on privileged accounts, and apply the latest patches for the exploited vulnerabilities.

The emergence of UAT‑8302 underscores a broader trend of Chinese‑linked actors standardizing malware across geographically disparate targets, which makes both attribution and defense more challenging. Ongoing threat‑intel sharing through public‑private partnerships and among international CERTs is crucial to dislodge the group's persistent foothold in government environments.

Source: The Hacker News
