China-linked UAT-7290 targets telcos in South Asia and expands into Southeastern Europe

A China-nexus actor known as UAT-7290 has mounted espionage-focused intrusions against telecommunications providers in South Asia and has recently expanded operations into Southeastern Europe. The cluster has been active since at least 2022.

KEY FACTS

  • Incident: Espionage intrusions targeting telecommunications providers
  • Actor: UAT-7290, active since at least 2022
  • Malware: Uses RushDrop, DriveSwitch and SilentRaid, plus Windows implants
  • Tactics: Compromises edge devices and may operate Operational Relay Box nodes

In a technical analysis by Cisco Talos, researchers attributed the activity to UAT-7290.

The actor conducts extensive reconnaissance of target organizations before intrusions and often compromises public-facing edge devices to gain initial access.

The group primarily uses a Linux malware chain that begins with RushDrop and uses DriveSwitch to deploy SilentRaid; it also deploys Windows implants, including RedLeaves and ShadowPad, for follow-on access.

UAT-7290 installs a backdoor called Bulbature to convert compromised edge devices into Operational Relay Box nodes that can be used by other actors.

The cluster shows tactical and infrastructure overlaps with Stone Panda and RedFoxtrot. The actor exploits one-day vulnerabilities and uses target-specific SSH brute force to escalate privileges.
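The SSH brute-force activity described above is visible in ordinary sshd authentication logs, which makes it one of the cheaper behaviours for a defender to detect on an edge device. The following added example (not from the Talos report or the article) shows a small detector that reads syslog-style sshd lines, counts failed logins per source address within a sliding window, and separately flags a successful login that follows a burst of failures, which is the event that actually indicates a compromised account. The log lines, hostnames and IP addresses are constructed for illustration; the thresholds are assumptions a practitioner would tune to their environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (sample data, not from the report).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 edge-gw sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 02:14:03 edge-gw sshd[2213]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar  3 02:14:05 edge-gw sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 51026 ssh2
Mar  3 02:14:07 edge-gw sshd[2217]: Failed password for root from 198.51.100.7 port 51028 ssh2
Mar  3 02:14:09 edge-gw sshd[2219]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 02:14:12 edge-gw sshd[2221]: Accepted password for root from 198.51.100.7 port 51032 ssh2
Mar  3 02:20:44 edge-gw sshd[2300]: Failed password for alice from 203.0.113.9 port 40100 ssh2
Mar  3 02:20:50 edge-gw sshd[2302]: Accepted publickey for alice from 203.0.113.9 port 40102 ssh2
"""

# Matches the two sshd outcomes we care about; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port\s+\d+"
)


def parse_line(line):
    """Parse one sshd log line into a dict, or return None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; collapse padding spaces before parsing.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, success_min_failures=3, window_seconds=300):
    """Return alerts for (a) bursts of failures from one source address and
    (b) a successful login from an address that recently accumulated failures.

    threshold / success_min_failures / window_seconds are assumed tuning values.
    """
    failures = defaultdict(list)  # ip -> [(timestamp, username)] within the window
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        # Keep only failures that fall inside the sliding window for this source.
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        failures[ip] = [(t, u) for t, u in failures[ip] if t >= cutoff]

        if ev["result"] == "Failed":
            failures[ip].append((ev["ts"], ev["user"]))
            # Fire once per burst, at the moment the threshold is crossed.
            if len(failures[ip]) == threshold:
                alerts.append({
                    "kind": "brute_force", "ip": ip, "count": threshold,
                    "users": sorted({u for _, u in failures[ip]}),
                    "at": ev["ts"].strftime("%b %d %H:%M:%S"),
                })
        else:
            # A success right after a burst of failures is the real compromise signal.
            if len(failures[ip]) >= success_min_failures:
                alerts.append({
                    "kind": "success_after_failures", "ip": ip,
                    "user": ev["user"], "method": ev["method"],
                    "count": len(failures[ip]),
                    "at": ev["ts"].strftime("%b %d %H:%M:%S"),
                })
            failures[ip] = []  # the burst is over either way
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures alone is background noise on any internet-facing host, but a successful password login from the same address minutes later is what a target-specific brute force looks like when it works. The single failed attempt from 203.0.113.9 followed by a key-based login stays below the threshold and produces nothing.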

WHY IT MATTERS

The activity highlights risks to network edge devices and telecommunications infrastructure and the potential for compromised relay nodes to be reused in wider campaigns.