UAT-7290’s Campaign Against Telecom Networks in South Asia


Cisco Talos has identified a sophisticated cyber-espionage campaign conducted by UAT-7290, a China-nexus Advanced Persistent Threat (APT) group active since at least 2022. The group’s operations primarily target telecommunications infrastructure across South Asia, with recent expansions into Southeastern Europe. UAT-7290’s activities are characterized by strategic reconnaissance, targeted exploitation of edge networking devices, and deployment of custom malware implants designed for persistence, data exfiltration, and operational relay.

Severity: High

Threat Actor Background

UAT-7290 operates as part of a state-linked espionage apparatus aligned with Chinese cyber objectives. The group’s tooling, infrastructure, and victimology closely resemble other known Chinese APTs such as APT10 (MenuPass, Purple Typhoon) and Red Foxtrot (PLA Unit 69010).

Talos assesses with high confidence that UAT-7290 serves a dual function – acting both as an initial access broker for other China-based actors and as an espionage-focused operator.

Targeting And Objectives

  • Primary Sector: Telecommunications
  • Regions Targeted: South Asia (mainly telecom operators and backbone network providers), expanding into Southeastern Europe
  • Objective: Long-term infiltration, data exfiltration, and conversion of compromised devices into Operational Relay Box (ORB) nodes – effectively forming a proxy infrastructure used by multiple threat groups.

Infection Chain And Malware Arsenal

UAT-7290 employs a multi-stage intrusion chain, leveraging Linux-based malware designed for persistence and control.

  1. Initial Access:
    • Uses one-day vulnerabilities in edge networking devices and target-specific SSH brute-force attacks.
    • Often relies on public proof-of-concept exploits rather than bespoke 0-days.
  2. Malware Components:
    • RushDrop (ChronosRAT): Initial dropper; establishes the infection by unpacking multiple embedded binaries into a hidden folder named .pkgdb.
    • DriveSwitch: Launches the main payload (SilentRaid) once installation is complete.
    • SilentRaid (MystRodX): Core implant providing backdoor access, with modular plugins for C2 communication, port forwarding, remote shell, and file management.
    • Bulbature: Converts compromised devices into ORB nodes, keeps encoded C2 configuration files in /tmp directories, and communicates over TLS using self-signed certificates.
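A host-level hunt for the artefacts just described, added here as an example and not Talos's or Ampcus Cyber's code: it walks a root directory and reports hidden .pkgdb directories, UPX-packed ELF files, and high-entropy non-ELF files under a tmp directory. The 7.0 bits/byte entropy threshold, the 64-byte minimum size and the 4 KiB read size are assumptions of this example, not figures from the advisory.

```python
"""Host hunt for the UAT-7290 artefacts above: hidden .pkgdb directories,
ELF files carrying the UPX marker (T1027), and high-entropy non-ELF files in
a tmp directory (heuristic for an encoded Bulbature C2 config; assumption)."""
import math
import os
import sys
from collections import Counter

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"      # marker UPX writes into the packed loader header
ENTROPY_THRESHOLD = 7.0   # bits/byte; text is ~4-5, packed or encrypted ~7.5+
MIN_CONFIG_SIZE = 64      # entropy of tiny files is meaningless, skip them

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def read_head(path: str, size: int = 4096) -> bytes:
    try:                      # first `size` bytes, b"" if unreadable
        with open(path, "rb") as fh:
            return fh.read(size)
    except OSError:
        return b""

def hunt(root: str) -> list:
    """Return (indicator, path) tuples for every match under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d == ".pkgdb":
                findings.append(("hidden-pkgdb-dir", os.path.join(dirpath, d)))
        in_tmp = "tmp" in os.path.abspath(dirpath).split(os.sep)
        for f in filenames:
            path = os.path.join(dirpath, f)
            if os.path.islink(path) or not os.path.isfile(path):
                continue          # skip links, FIFOs, device nodes
            head = read_head(path)
            is_elf = head.startswith(ELF_MAGIC)
            if is_elf and UPX_MARKER in head:
                findings.append(("upx-packed-elf", path))
            elif (not is_elf and in_tmp and len(head) >= MIN_CONFIG_SIZE
                  and shannon_entropy(head) >= ENTROPY_THRESHOLD):
                findings.append(("high-entropy-tmp-file", path))
    return findings

if __name__ == "__main__":
    for kind, path in hunt(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{kind}\t{path}")
```

Run it against a mounted forensic image or a copied /tmp rather than a live production router where possible; a hit on any of the three indicators warrants pulling the file for analysis, not deleting it.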

MITRE ATT&CK

| Tactic | Technique | ID | Details |
|---|---|---|---|
| Reconnaissance | Gather Victim Host Information | T1592 | Conducts extensive technical reconnaissance before intrusions. |
| Resource Development | Develop Capabilities: Malware | T1587.001 | Custom development of RushDrop, DriveSwitch, SilentRaid, and Bulbature. |
| Initial Access | Exploit Public-Facing Application | T1190 | Exploits one-day vulnerabilities in edge networking devices. |
| Initial Access | Brute Force: Password Guessing | T1110.001 | Uses SSH brute force to gain access. |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | Executes commands via busybox or /bin/sh. |
| Persistence | Create or Modify System Process: Unix Service | T1543.003 | Establishes persistence through system-level implants. |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Leverages 1-day vulnerabilities to escalate privileges. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Uses UPX compression and encoded configs. |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497.003 | Performs anti-VM and sandbox checks before execution. |
| Credential Access | Unsecured Credentials: /etc/passwd | T1552.001 | Reads /etc/passwd for system reconnaissance and credentials. |
| Discovery | System Information Discovery | T1082 | Executes `echo $(whoami) $(uname -nrm)` to collect system info. |
| Discovery | System Network Configuration Discovery | T1016 | Executes `cat /proc/net/route` to obtain network interface info. |
| Command and Control | Application Layer Protocol: Web Traffic | T1071.001 | Communicates with C2 over HTTP/S using encoded configurations. |
| Command and Control | Encrypted Channel: SSL/TLS | T1573.001 | Uses a self-signed SSL certificate for secure C2 communications. |

Recommendations

  1. Apply firmware and OS updates immediately for all edge networking devices (firewalls, load balancers, VPNs, routers).
  2. Restrict management access to edge devices (routers, firewalls, VPN concentrators) using IP whitelisting or jump hosts.
  3. Disable unused services and protocols on Linux-based devices (especially SSH, Telnet, HTTP administrative interfaces).
  4. Enforce multi-factor authentication (MFA) for all SSH and web-based administrative logins.
  5. Rotate administrator credentials and audit for brute-force SSH attempts from unknown IP addresses.
  6. Block the published IOCs at the respective security controls. The indicator collection is available at:
    https://www.virustotal.com/gui/collection/53817bf38962e6cc5994b8decb6ea890c620a57b4ab603538abd534b2f1d9b05/iocs
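For recommendation 5, an added example (not from the advisory or from Talos) that audits syslog-format sshd lines for password-guessing bursts from addresses outside an allow-list and notes whether a later login from the same address succeeded. The sample log lines (TEST-NET addresses), the 5-failures-in-300-seconds threshold and the allow-list are constructed for this example.

```python
"""Flag SSH password-guessing bursts (T1110.001) in syslog-style sshd logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a burst from 203.0.113.7 ending in a successful login,
# plus one legitimate operator login from an allow-listed host.
SAMPLE_LOG = """\
Sep 14 02:11:01 edge-rtr sshd[4021]: Failed password for root from 203.0.113.7 port 50122 ssh2
Sep 14 02:11:03 edge-rtr sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Sep 14 02:11:05 edge-rtr sshd[4025]: Failed password for invalid user ubnt from 203.0.113.7 port 50130 ssh2
Sep 14 02:11:09 edge-rtr sshd[4027]: Failed password for root from 203.0.113.7 port 50131 ssh2
Sep 14 02:11:12 edge-rtr sshd[4029]: Failed password for root from 203.0.113.7 port 50140 ssh2
Sep 14 02:11:20 edge-rtr sshd[4031]: Accepted password for root from 203.0.113.7 port 50151 ssh2
Sep 14 02:15:44 edge-rtr sshd[4100]: Failed password for netops from 192.0.2.10 port 61002 ssh2
Sep 14 02:15:50 edge-rtr sshd[4102]: Accepted publickey for netops from 192.0.2.10 port 61002 ssh2
""".splitlines()

PREFIX = r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")

def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%b %d %H:%M:%S")   # syslog carries no year

def audit(lines, allowlist=frozenset(), threshold=5, window_s=300):
    """One alert per non-allow-listed IP with >= threshold failures inside any
    window_s-second span, noting whether a login from it later succeeded."""
    fails, accepted = defaultdict(list), defaultdict(list)
    for line in lines:
        if m := FAILED_RE.match(line):
            fails[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
        elif m := ACCEPTED_RE.match(line):
            accepted[m["ip"]].append(parse_ts(m["ts"]))
    alerts = []
    for ip, events in fails.items():
        if ip in allowlist:
            continue
        times = sorted(t for t, _ in events)
        peak, start = 0, 0
        for end, t in enumerate(times):      # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"ip": ip, "failures": len(events), "peak_in_window": peak,
                           "users": sorted({u for _, u in events}),
                           "accepted_after": any(s > times[0] for s in accepted[ip])})
    return alerts
```

An alert with `accepted_after` set is the case to escalate first: it is a brute-force burst that appears to have succeeded, so rotate that account's credentials and review the host for the implants listed above.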

Source:

  • https://blog.talosintelligence.com/uat-7290/

Ampcus Cyber