Cisco Talos has identified a China-linked APT group tracked as UAT-8302 conducting sustained attacks against government entities across South America and southeastern Europe. The campaign began in late 2024 in South America and expanded to southeastern European government agencies in 2025.
UAT-8302 deploys custom malware families during post-exploitation phases, establishing persistent footholds within targeted government networks. The group shares infrastructure and tactics with other known Chinese APT operations, indicating coordination within China's broader state-sponsored threat ecosystem.
The targeting pattern reflects strategic interest in regions where China holds economic or political leverage. South American governments host Belt and Road Initiative projects and resource extraction agreements, while southeastern European nations sit at the intersection of EU expansion and Chinese investment in critical infrastructure such as ports and energy systems.
Cisco Talos reports that UAT-8302 employs standard APT tradecraft including spear-phishing, credential harvesting, and lateral movement techniques. The custom malware variants suggest the group maintains dedicated development resources, typical of state-sponsored operations with sustained funding.
For targeted governments, the risk centers on intellectual property theft, collection of diplomatic communications, and reconnaissance that can enable later supply chain compromise. The group's persistence points to long-term collection objectives rather than opportunistic data theft.
Organizations in affected regions should segment their networks, enforce multi-factor authentication across government systems (phishing-resistant methods are preferable, since the group relies on credential harvesting), and hunt in logs and on endpoints for UAT-8302 indicators of compromise. Email security controls require urgent tuning to catch spear-phishing campaigns aimed at government staff.
The attribution to Chinese state interests carries geopolitical weight, signaling expanding cyber operations against Latin American and southeastern European governments. Unlike criminal ransomware gangs, UAT-8302 focuses on espionage, so breached networks may remain compromised for months before detection while the adversary continuously exfiltrates sensitive material.
