A sophisticated China-linked threat actor known as UAT-7290 has expanded its cyber-espionage operations beyond South Asia, now targeting telecommunications providers and organizations in Southeastern Europe, according to a new report from Cisco Talos.
Active since at least 2022, UAT-7290 primarily targets telecom networks using Linux-based malware, while occasionally deploying well-known Windows backdoors such as RedLeaves and ShadowPad. Researchers say the group also acts as an initial access broker, setting up Operational Relay Box (ORB) infrastructure that is later reused by other China-aligned hacking groups.
Cisco Talos notes that the attackers conduct extensive reconnaissance before breaching networks. They exploit known vulnerabilities in public-facing edge devices, use one-day exploits, and carry out targeted SSH brute-force attacks to gain initial access and escalate privileges. Once inside, the group deploys a mix of custom-built malware, open-source tools, and public exploits.
The group’s Linux malware arsenal includes RushDrop (ChronosRAT), which initiates infections; DriveSwitch, which launches payloads; and SilentRaid (MystRodX), a persistent implant capable of remote command execution, port forwarding, file access, credential harvesting, and certificate data collection. Another tool, Bulbature, converts compromised systems into ORBs; it has been linked to more than 140 hosts in China and Hong Kong that are also associated with other malware families such as GobRAT, SuperShell, and Cobalt Strike.
Cisco Talos has shared technical details and indicators of compromise (IOCs) to help defenders detect and block UAT-7290 activity, warning that telecom providers and critical infrastructure operators remain high-value targets for state-backed cyber-espionage campaigns.