Cisco Talos published a full technical teardown of UAT-8302 this morning — a China-nexus APT deploying NetDraft, CloudSorcerer, and VSHELL against government targets across two continents. That alone would fill the brief, but the day also brings a Cisco acquisition that redefines identity security conversations, a certificate authority breach with operational fallout, and a novel MFA bypass technique that works without touching the phone.
In the News
Cisco Talos Unmasks UAT-8302: China-Nexus APT Targeting Government Entities with NetDraft, CloudSorcerer, and VSHELL
Cisco Talos released detailed research on UAT-8302, a previously untracked China-nexus advanced persistent threat group conducting espionage operations against government entities in South America and Europe. The group’s toolkit overlaps with known Chinese threat actor infrastructure — deploying variants of CloudSorcerer (documented in prior campaigns by other Chinese APT clusters), the VSHELL backdoor, and a newly identified malware family Talos has designated NetDraft.
The attack chain follows a pattern consistent with Chinese APT tradecraft: DLL side-loading for initial execution, living-off-the-land binaries for privilege escalation and persistence, and cloud-based command and control channels that blend into legitimate traffic. The infrastructure reuse across multiple Chinese threat groups suggests either shared tooling repositories or coordinated operational support — a pattern Talos and other threat intelligence teams have tracked for several years across the broader China-nexus ecosystem.
What makes UAT-8302 operationally significant is the combination of targets (government diplomatic and administrative entities), geography (South America and Europe — not the typical East Asian focus), and the use of VSHELL, which provides full remote access with modular plugin support. The cloud-based C2 architecture makes network-level detection more difficult than traditional IP-based IOC blocking.
What defenders should do: Ingest the Talos IOCs into threat intelligence platforms immediately. Focus detection on DLL side-loading techniques (MITRE ATT&CK T1574.002) and anomalous outbound traffic to cloud services from systems that do not normally generate it. Government-sector organizations in the affected regions should conduct targeted threat hunts for VSHELL indicators and CloudSorcerer variants.
Cisco Acquires Astrix Security to Secure Non-Human Identities
Cisco announced its acquisition of Astrix Security, a company specializing in the discovery, posture assessment, and lifecycle management of non-human identities (NHIs) — service accounts, API keys, OAuth tokens, bot credentials, and machine-to-machine authentication secrets.
The timing is not accidental. In most enterprise environments, non-human identities outnumber human users by a factor of 40 to 50. These identities authenticate workloads, connect SaaS integrations, authorize CI/CD pipelines, and power AI/ML inference chains. They are also, overwhelmingly, ungoverned: created ad hoc, granted excessive permissions, never rotated, and invisible to the identity governance platforms designed for human user lifecycles. When attackers compromise a service account with persistent OAuth tokens, there is no MFA prompt, no conditional access check, and often no alert.
The Astrix acquisition positions Cisco to extend its identity security portfolio (currently anchored by Duo for human authentication) into the NHI domain. Expect NHI discovery and risk assessment to become integrated into zero-trust and Security Service Edge (SSE) architectures across the industry — competitors will follow with their own acquisitions or feature development within 12 months.
What defenders should do: Begin inventorying non-human identities in your environment. Identify service accounts with persistent tokens, API keys that have never been rotated, and OAuth grants with excessive scopes. This is the pre-work that any NHI governance tool — from Cisco or anyone else — will require on day one.
DigiCert Revokes Certificates After Support Portal Compromise
DigiCert confirmed the revocation of TLS certificates following a breach of its customer support portal. The initial access vector was social engineering through a support chat channel, followed by delivery of a malicious screensaver file (.scr) that established persistent access to the portal environment.
The operational impact extends beyond DigiCert itself. Any organization running certificate pinning configurations that reference now-revoked DigiCert-issued certificates will experience connection failures. Hardcoded certificate references in embedded systems, IoT devices, and legacy applications are particularly vulnerable to breakage during mass revocation events because they lack automated rotation mechanisms.
This incident is a textbook demonstration of why certificate lifecycle automation matters. Organizations that rely on manual tracking of certificate expiry and validity — spreadsheets, calendar reminders, or institutional memory — discover during events like this that they do not actually know where all their DigiCert-issued certificates are deployed.
What defenders should do: Conduct an immediate inventory of DigiCert-issued certificates across your environment. Verify whether any revoked certificates are in active use. Implement automated certificate discovery and lifecycle management if you have not already. Review PKI redundancy — relying on a single certificate authority without a tested failover process is a single point of failure.
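The inventory-and-verify step above, as an added example that is not part of the brief or of any DigiCert tooling: a deployment inventory (the kind a spreadsheet-driven PKI program already has) is cross-checked against a revocation list, with revoked-and-pinned deployments surfaced first because rotating the certificate alone will not restore connectivity until the pin is updated. The hosts, issuer names, serial numbers and the revocation list are constructed sample data.

```python
"""Added example, not part of the brief: cross-check a certificate deployment
inventory against a revocation list and flag pinned deployments first.
The inventory, the issuer names and the serial numbers below are constructed
sample data; no real DigiCert serials are used."""
import csv
import io
from datetime import datetime, timezone

NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)   # fixed clock so results are reproducible
EXPIRY_WARN_DAYS = 30

# Constructed revocation list. Serials arrive in many spellings (colon-separated
# hex as openssl prints them, bare hex, 0x-prefixed), so both sides are normalized.
REVOKED_SERIALS = {"0A:1B:2C:3D:4E:5F:60:71", "7f00ff00aa"}

# Constructed deployment inventory: host, service, issuer, serial, expiry, pinned?
INVENTORY_CSV = """host,service,issuer,serial,not_after,pinned
api.example.test,https,DigiCert (constructed issuer),0a1b2c3d4e5f6071,2026-09-01,yes
mail.example.test,smtp,DigiCert (constructed issuer),0x7F00FF00AA,2026-04-01,no
intranet.example.test,https,Example Internal CA,0a:1b:2c:3d:4e:5f:60:71,2027-01-01,no
legacy.example.test,https,DigiCert (constructed issuer),00:ab:cd:ef,2026-03-20,yes
"""

def normalize_serial(serial):
    """Canonical lowercase hex without separators, prefix or leading zeros.
    Decimal exports are ambiguous with hex and must be converted before ingestion."""
    s = serial.strip().lower().replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]
    return s.lstrip("0") or "0"

def assess_inventory(inventory_csv=INVENTORY_CSV, revoked=REVOKED_SERIALS, now=NOW):
    """Return one finding per deployment that needs action, highest priority first:
    1 = revoked and pinned (rotation alone breaks clients until the pin is updated),
    2 = revoked, 3 = expiring within EXPIRY_WARN_DAYS."""
    revoked_norm = {normalize_serial(s) for s in revoked}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        is_digicert = "digicert" in row["issuer"].lower()
        pinned = row["pinned"].strip().lower() == "yes"
        not_after = datetime.fromisoformat(row["not_after"]).replace(tzinfo=timezone.utc)
        days_left = (not_after - now).days
        # Serials are unique only per issuer, so the revocation list is matched
        # against DigiCert-issued rows only; the internal-CA row is never matched.
        if is_digicert and normalize_serial(row["serial"]) in revoked_norm:
            findings.append({"host": row["host"], "service": row["service"],
                             "status": "revoked", "pinned": pinned,
                             "priority": 1 if pinned else 2})
        elif days_left <= EXPIRY_WARN_DAYS:
            findings.append({"host": row["host"], "service": row["service"],
                             "status": f"expires in {days_left} days", "pinned": pinned,
                             "priority": 3})
    return sorted(findings, key=lambda f: (f["priority"], f["host"]))

if __name__ == "__main__":
    for f in assess_inventory():
        print(f"P{f['priority']} {f['host']}:{f['service']} {f['status']}"
              + (" [pinned]" if f["pinned"] else ""))
```

Feeding the script a real inventory means exporting serials in a single hex form first; the internal-CA row is deliberately given a serial that collides with a revoked DigiCert serial to show why matching has to be scoped per issuer.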
CloudZ RAT Pheno Plugin Steals OTPs via Microsoft Phone Link
Cisco Talos documented a new plugin for the CloudZ remote access trojan that hijacks active Microsoft Phone Link sessions on Windows workstations to intercept SMS-based one-time passwords. The technique operates entirely from the compromised endpoint — no malware is deployed to the mobile device. The Pheno plugin reads mirrored SMS messages through the Phone Link application, extracting MFA codes as they arrive.
This is a meaningful escalation in MFA bypass techniques. Previous approaches to intercepting SMS OTPs required SIM swapping, SS7 exploitation, or mobile malware. The Pheno plugin bypasses all of those requirements by targeting the Windows side of the Phone Link pairing. If the workstation is compromised and Phone Link is active, the attacker receives the OTP before the user does.
What defenders should do: This technique reinforces that SMS-based MFA is not phishing-resistant. Organizations should migrate to FIDO2 security keys or certificate-based authentication. In the near term, evaluate whether Microsoft Phone Link should be permitted on managed endpoints — particularly those used for privileged access. Endpoint detection and response platforms should be configured to detect CloudZ RAT indicators published in the Talos research.
Today’s Deep Dive — Non-Human Identity: The Attack Surface No One Governs
The Astrix acquisition is worth more than a vendor news bullet because it points to an operational gap most organizations have not addressed: non-human identity sprawl.
A non-human identity (NHI) is any credential or authentication token used by software rather than a person. Service accounts in Active Directory. OAuth tokens connecting SaaS applications. API keys authorizing CI/CD pipeline deployments. Bot accounts running automation playbooks. Machine-to-machine TLS certificates authenticating microservices. In aggregate, these identities represent the majority of authentication events in a modern enterprise — and the majority of ungoverned access.
The risk is structural. Human identity governance has mature tooling: MFA enforcement, conditional access policies, access reviews, just-in-time provisioning. Non-human identities bypass most of these controls by design. A service account does not respond to an MFA prompt. An API key does not have a manager who approves quarterly access reviews. An OAuth token granted two years ago during a proof-of-concept integration does not expire unless someone configures it to.
Attackers have noticed. The Midnight Blizzard attack against Microsoft in early 2024 leveraged an OAuth application with excessive permissions. The Codecov breach in 2021 exploited a CI/CD credential. SolarWinds involved compromise of build-system service accounts. In each case, the initial access or lateral movement relied on a non-human credential that was overprivileged, unmonitored, or both.
MITRE ATT&CK maps several relevant techniques: T1078.004 (Valid Accounts: Cloud Accounts), T1550.001 (Use Alternate Authentication Material: Application Access Token), and T1528 (Steal Application Access Token).
What to do now:
- Inventory NHIs. You cannot govern what you have not enumerated. Start with Active Directory service accounts, cloud IAM service principals, and OAuth grants in your SaaS tenant.
- Enforce least privilege. Service accounts created with domain admin rights “because it was easier” during deployment are the highest-risk targets. Scope permissions to the minimum required.
- Implement rotation policies. API keys and service account passwords should have enforced rotation intervals. Persistent OAuth tokens should have configured expiration.
- Monitor for anomalous NHI behavior. A service account that has logged in from the same IP at the same time every day for two years and suddenly authenticates from a new geography at 3 AM is a high-fidelity detection signal.
- Include NHIs in access reviews. Quarterly access reviews should cover service accounts and API keys, not just human user accounts.
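The five actions above, worked through as an added example that is not part of the brief and not Astrix's or Cisco's code: a constructed NHI inventory is scored for rotation age, missing expiry, high-privilege roles and broad OAuth scopes, and a constructed sign-in history is baselined per account so that the "same IP, same hour for two years, then a new geography at 3 AM" case becomes a flagged row in an access-review worksheet. The record layout, role and scope names, thresholds and all timestamps are assumptions.

```python
"""Added example, not from the brief: score a constructed non-human identity
inventory against the five actions above (inventory, least privilege, rotation,
anomaly monitoring, access review). Record layout, role names and sign-in
history are all constructed assumptions, not any vendor's schema."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock, reproducible output
ROTATION_MAX_DAYS = 90
HIGH_PRIVILEGE = {"Domain Admins", "Global Administrator", "Owner"}
BROAD_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite", "Sites.FullControl.All"}

# Constructed NHI inventory: AD service account, CI/CD API key, forgotten PoC OAuth app.
NHIS = [
    {"name": "svc-backup", "kind": "ad_service_account", "last_rotated": "2023-01-15",
     "privileges": ["Domain Admins"], "scopes": [], "expires": "2027-01-01"},
    {"name": "ci-deployer", "kind": "api_key", "last_rotated": "2026-02-20",
     "privileges": ["Contributor"], "scopes": [], "expires": "2026-08-20"},
    {"name": "poc-crm-sync", "kind": "oauth_app", "last_rotated": None,
     "privileges": [], "scopes": ["Directory.ReadWrite.All", "User.Read"], "expires": None},
]

# Constructed sign-in history: (account, UTC timestamp, country, source IP).
SIGNINS = [
    ("svc-backup", "2026-01-05T02:00:00", "US", "10.0.0.5"),
    ("svc-backup", "2026-02-05T02:00:00", "US", "10.0.0.5"),
    ("svc-backup", "2026-03-01T02:00:00", "US", "10.0.0.5"),
    ("svc-backup", "2026-03-09T02:00:00", "US", "10.0.0.5"),      # recent, matches baseline
    ("svc-backup", "2026-03-09T03:00:00", "BR", "203.0.113.7"),   # recent, new country and hour
    ("ci-deployer", "2026-02-10T14:00:00", "DE", "198.51.100.4"),
    ("ci-deployer", "2026-03-08T14:00:00", "DE", "198.51.100.4"),
]

def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def credential_findings(nhi, now=NOW):
    """Static posture checks: rotation age, missing expiry, privilege, OAuth scope."""
    findings = []
    if nhi["last_rotated"] is None:
        findings.append("never rotated")
    elif (now - _utc(nhi["last_rotated"])).days > ROTATION_MAX_DAYS:
        findings.append(f"rotation overdue ({(now - _utc(nhi['last_rotated'])).days} days)")
    if nhi["expires"] is None:
        findings.append("no expiry configured")
    if HIGH_PRIVILEGE & set(nhi["privileges"]):
        findings.append("high-privilege role")
    if BROAD_SCOPES & set(nhi["scopes"]):
        findings.append("broad OAuth scope")
    return findings

def anomalous_signins(signins=SIGNINS, now=NOW, window_days=7):
    """Behavioural check: baseline each account on sign-ins older than the window,
    then flag recent sign-ins from a country or an hour-of-day the account never used."""
    cutoff = now - timedelta(days=window_days)
    baseline = {}
    for account, ts, country, _ip in signins:
        if _utc(ts) < cutoff:
            b = baseline.setdefault(account, {"countries": set(), "hours": set()})
            b["countries"].add(country)
            b["hours"].add(_utc(ts).hour)
    flagged = []
    for account, ts, country, ip in signins:
        t = _utc(ts)
        if t < cutoff or account not in baseline:   # no history to compare against
            continue
        reasons = []
        if country not in baseline[account]["countries"]:
            reasons.append(f"new country {country}")
        if t.hour not in baseline[account]["hours"]:
            reasons.append(f"new hour {t.hour:02d}:00 UTC")
        if reasons:
            flagged.append((account, ts, ip, reasons))
    return flagged

def score_inventory(nhis=NHIS, signins=SIGNINS, now=NOW):
    """Combine both checks into an access-review worksheet keyed by identity name."""
    report = {n["name"]: credential_findings(n, now) for n in nhis}
    for account, ts, ip, reasons in anomalous_signins(signins, now):
        report.setdefault(account, []).append(
            f"anomalous sign-in {ts} from {ip}: {', '.join(reasons)}")
    return report

if __name__ == "__main__":
    for name, findings in score_inventory().items():
        print(f"{name}: {'; '.join(findings) or 'no findings'}")
```

The behavioural baseline is deliberately crude (country and hour-of-day sets); what matters for an access review is that an identity with no findings, like the rotated, scoped CI key, drops off the worksheet, while the two-year-old PoC OAuth app and the unrotated domain-admin service account come to the top with concrete reasons.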
Detection Spotlight — DLL Side-Loading (T1574.002)
UAT-8302’s use of DLL side-loading is one of the most common initial execution techniques across Chinese APT groups. The detection approach focuses on identifying legitimate executables loading DLLs from unexpected paths.
The following Splunk SPL query identifies potential DLL side-loading by looking for known vulnerable executables loading DLLs from non-standard directories:
index=sysmon EventCode=7
| eval expected_path=case(
ImageLoaded LIKE "%\\system32\\%", "expected",
ImageLoaded LIKE "%\\Program Files%", "expected",
ImageLoaded LIKE "%\\Windows\\%", "expected",
true(), "unexpected"
)
| where expected_path="unexpected"
| stats count by Image, ImageLoaded, Computer, User
| where count < 5
| sort - count
This query uses Sysmon Event ID 7 (Image Loaded) to detect DLLs loaded from non-standard paths. The count < 5 filter surfaces rare loading events — DLL side-loading attacks typically produce low-frequency, low-volume events because the attacker deploys the malicious DLL alongside a single legitimate binary. False positives include legitimate portable applications and developer tools running from user directories. Tune by baselining your environment and excluding known-good paths.
For environments running Microsoft Defender for Endpoint, the equivalent KQL:
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where not(FolderPath startswith @"C:\Windows\")
and not(FolderPath startswith @"C:\Program Files")
and not(FolderPath startswith @"C:\Program Files (x86)")
| summarize LoadCount=count(), DistinctDevices=dcount(DeviceName) by InitiatingProcessFileName, FolderPath, FileName
| where LoadCount < 5
| sort by LoadCount asc
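The logic shared by the SPL and KQL queries above (drop loads from expected system paths, then keep only rare pairs), run offline over constructed Sysmon Event ID 7 records as an added example that is not part of the brief or of the Talos research. It also carries the tuning the text recommends (case and slash normalization, a known-good path allowlist) and one signal the queries do not compute: whether the DLL sits in the same directory as the executable that loaded it, the hallmark of side-loading. Hostnames, users, paths, the allowlist and the sample events are all constructed.

```python
"""Added example, not part of the brief: the logic of the two queries above
(unexpected load path, then a rarity filter) run offline over constructed
Sysmon Event ID 7 records, with the tuning the text recommends (case and slash
normalization, a known-good path allowlist) and one extra signal: whether the
DLL sits in the same directory as the executable, the hallmark of side-loading.
Hostnames, users, paths and the allowlist are constructed."""
import json
from collections import Counter

EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
KNOWN_GOOD_PREFIXES = {"c:\\users\\bob\\tools\\"}   # tuned exclusions; constructed
RARITY_THRESHOLD = 5                                  # same cutoff as the queries

# Constructed Sysmon records as JSON lines (field names follow Sysmon: Image, ImageLoaded).
SAMPLE_EVENTS = r'''
{"EventCode": 7, "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"}
{"EventCode": 7, "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "c:/windows/system32/KERNEL32.DLL"}
{"EventCode": 7, "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Program Files (x86)\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files (x86)\\Vendor\\plugin.dll"}
{"EventCode": 7, "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\signed-tool.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\version.dll"}
{"EventCode": 7, "Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Users\\bob\\tools\\editor.exe", "ImageLoaded": "C:\\Users\\bob\\tools\\libcrypto.dll"}
{"EventCode": 1, "Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Users\\bob\\tools\\editor.exe", "CommandLine": "editor.exe"}
{"EventCode": 7, "Computer": "WS03", "User": "CORP\\carol", "Image": "C:\\Users\\carol\\Downloads\\helper.exe", "ImageLoaded": "C:\\Users\\carol\\Downloads\\lib\\ui.dll"}
'''

def normalize(path):
    """Windows paths are case-insensitive and Sysmon may emit either slash style."""
    return path.replace("/", "\\").lower()

def directory_of(path):
    return normalize(path).rsplit("\\", 1)[0] + "\\"

def is_expected_path(path):
    p = normalize(path)
    return p.startswith(EXPECTED_PREFIXES) or any(p.startswith(k) for k in KNOWN_GOOD_PREFIXES)

def sample_events():
    events = [json.loads(line) for line in SAMPLE_EVENTS.strip().splitlines()]
    # A monitoring agent under ProgramData loads its own DLL on every host: unexpected
    # path, but frequent, so the rarity filter should drop it.
    for n in range(6):
        events.append({"EventCode": 7, "Computer": f"WS{n:02d}", "User": "NT AUTHORITY\\SYSTEM",
                       "Image": "C:\\ProgramData\\Agent\\agent.exe",
                       "ImageLoaded": "C:\\ProgramData\\Agent\\agent.dll"})
    return events

def find_sideload_candidates(events, threshold=RARITY_THRESHOLD):
    """Mirror of the SPL/KQL: keep Event ID 7, drop expected paths, count per
    (Image, ImageLoaded), keep rare pairs; co-located pairs are listed first."""
    counts, hosts = Counter(), {}
    for e in events:
        if e.get("EventCode") != 7 or is_expected_path(e["ImageLoaded"]):
            continue
        key = (normalize(e["Image"]), normalize(e["ImageLoaded"]))
        counts[key] += 1
        hosts.setdefault(key, set()).add(e["Computer"])
    candidates = []
    for (image, dll), n in counts.items():
        if n >= threshold:
            continue
        candidates.append({"image": image, "dll": dll, "count": n,
                           "hosts": sorted(hosts[(image, dll)]),
                           "colocated": directory_of(image) == directory_of(dll)})
    return sorted(candidates, key=lambda c: (not c["colocated"], c["count"], c["dll"]))

if __name__ == "__main__":
    for c in find_sideload_candidates(sample_events()):
        flag = "CO-LOCATED" if c["colocated"] else "separate dir"
        print(f"{c['count']}x {c['image']} -> {c['dll']} on {','.join(c['hosts'])} [{flag}]")
```

Two details worth carrying back into the production queries: the `Program Files` prefix does not cover `Program Files (x86)` unless it is listed separately (the KQL does this, the SPL relies on the trailing `%` in its LIKE pattern), and the rarity cutoff suppresses the frequent-but-unexpected agent load while leaving the single co-located load under a user's Temp directory at the top of the list.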
References
- Cisco Talos — UAT-8302 APT Research — Cisco Talos
- Cisco Acquires Astrix Security — SecurityWeek
- DigiCert Certificate Revocation — SecurityWeek
- CloudZ RAT Pheno Plugin — Cisco Talos
- MOVEit Automation Critical Auth Bypass — BleepingComputer
- Weaver E-cology RCE CVE-2026-22679 — The Hacker News
- Microsoft Code of Conduct AiTM Campaign — Microsoft Security Blog
- Karakurt Negotiator Sentenced — BleepingComputer
- Trellix Source Code Breach — BleepingComputer
- ScarCruft BirdCall Android Malware — BleepingComputer
- Amazon SES Phishing Abuse — BleepingComputer
- MITRE ATT&CK T1574.002 — DLL Side-Loading — MITRE
- MITRE ATT&CK T1078.004 — Valid Accounts: Cloud Accounts — MITRE
- MITRE ATT&CK T1528 — Steal Application Access Token — MITRE
Subscribe to the it-learn Brief
Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.