A China-linked hacking group tracked as UAT-8302 has been conducting targeted intrusions against government institutions in South America and southeastern Europe, deploying custom-built malware in what researchers at Cisco Talos describe as an ongoing advanced persistent threat campaign stretching from late 2024 into 2025.
Cisco Talos has identified a sophisticated Chinese state-linked hacking group, UAT-8302, that has been systematically targeting government institutions in South America since late 2024 and southeastern Europe in 2025, in what appears to be a coordinated espionage campaign spanning multiple continents.
Cisco Talos is tracking active exploitation of an authentication bypass vulnerability (CVE-2026-20182) affecting Cisco Catalyst SD-WAN Controller and SD-WAN Manager, core network management components used widely across enterprise and government environments.
A Cisco Talos blog post offering five practical cybersecurity priorities from their 2025 Year in Review to help defenders prioritize defensive efforts effectively. The guidance addresses the challenge of rapid attacker evolution and aims to reduce alert fatigue by focusing security teams on the most impactful defensive strategies.
Cisco Talos researchers uncovered an active intrusion campaign, running since at least January 2026, in which an unidentified attacker deployed the CloudZ remote access trojan alongside a newly discovered plugin called 'Pheno' — a tool not previously documented by the security community.
Cisco Talos has uncovered a BadIIS variant — identifiable by its embedded "demo.pdb" strings — that functions as commodity malware, likely sold or shared among multiple Chinese-speaking cyber crime groups operating under a malware-as-a-service (MaaS) model for continuous monetization.
Cisco Talos security researchers have begun systematically collecting phone numbers found in phishing and scam emails as a new indicator of compromise, and published analysis of patterns in phone number reuse across in-the-wild fraud campaigns.