China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes
A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe. This activity cluster, active since at least 2022, focuses on extensive technical reconnaissance of target organizations before initiating attacks, leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid, according to a Cisco Talos report published today.
Researchers Asheer Malhotra, Vitor Ventura, and Brandon White stated, “In addition to conducting espionage-focused attacks where UAT-7290 burrows deep inside a victim enterprise’s network infrastructure, their tactics, techniques, and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORBs) nodes.” These ORB infrastructures may then be used by other China-nexus actors in their malicious operations, suggesting a dual role for UAT-7290 as both an espionage-motivated threat actor and an initial access group.
Attacks have primarily targeted telecommunications providers in South Asia, but recent intrusion waves have also struck organizations in Southeastern Europe. UAT-7290’s tradecraft is varied, relying on a combination of open-source malware, custom tooling, and payloads for one-day vulnerabilities in popular edge networking products. Notable Windows implants used by the threat actor include RedLeaves (aka BUGJUICE) and ShadowPad, both linked to Chinese hacking groups.
The group primarily uses a Linux-based malware suite including: RushDrop (aka ChronosRAT), a dropper that initiates the infection chain; DriveSwitch, a peripheral malware employed to execute SilentRaid on the infected system; and SilentRaid (aka MystRodX), a C++-based implant allowing persistent access to compromised endpoints, able to communicate with an external server, open a remote shell, set up port forwarding, and perform file operations.
Additionally, a prior analysis from QiAnXin XLab flagged MystRodX as a variant of ChronosRAT, capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxying. Another backdoor deployed by UAT-7290, called Bulbature, transforms a compromised edge device into an ORB. It was first documented by Sekoia in October 2024.
Cisco Talos also noted overlaps in tactics and infrastructure with other China-linked adversaries known as Stone Panda and RedFoxtrot (aka Nomad Panda). The researchers noted that UAT-7290 uses one-day exploits and target-specific SSH brute force to compromise public-facing edge devices for initial access and privilege escalation on compromised systems.
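The target-specific SSH brute force described above leaves a characteristic trace in an edge device's OpenSSH authentication log: a burst of failed logins from one source against one host, sometimes followed by a successful login from the same source. The script below, an added example that is not part of the Cisco Talos report or this article, parses sshd auth-log lines and raises an alert per (source, host) pair when failures within a sliding window reach a threshold, flagging whether a success followed the burst. The log lines are constructed for illustration, the log year (syslog omits it) and the threshold and window values are assumptions, and the code has no connection to UAT-7290's tooling.

```python
"""Flag target-specific SSH brute force in OpenSSH auth logs (added example).

Every value below is constructed or assumed; nothing is taken from a real incident.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one burst from 203.0.113.7 against edge-gw ending in a success,
# a single benign failure from 198.51.100.9, and two slow failures from 192.0.2.44.
SAMPLE_LOG = """\
Mar 10 02:14:01 edge-gw sshd[2211]: Failed password for root from 203.0.113.7 port 51222 ssh2
Mar 10 02:14:03 edge-gw sshd[2213]: Failed password for root from 203.0.113.7 port 51224 ssh2
Mar 10 02:14:05 edge-gw sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51226 ssh2
Mar 10 02:14:08 edge-gw sshd[2217]: Failed password for root from 203.0.113.7 port 51228 ssh2
Mar 10 02:14:11 edge-gw sshd[2219]: Failed password for root from 203.0.113.7 port 51230 ssh2
Mar 10 02:14:15 edge-gw sshd[2221]: Accepted password for root from 203.0.113.7 port 51232 ssh2
Mar 10 02:20:00 edge-gw sshd[2300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 02:20:30 edge-gw sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
Mar 10 09:00:00 edge-gw sshd[4100]: Failed password for bob from 192.0.2.44 port 33000 ssh2
Mar 10 09:30:00 edge-gw sshd[4101]: Failed password for bob from 192.0.2.44 port 33001 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" lines
# that OpenSSH writes on every authentication attempt; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\S+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)

LOG_YEAR = 2025  # assumption: syslog timestamps carry no year


def parse_auth_log(text):
    """Return a list of authentication events parsed from raw sshd log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append({
            "ts": ts,
            "host": m.group("host"),
            "result": m.group("result"),   # "Failed" or "Accepted"
            "method": m.group("method"),   # e.g. "password", "publickey"
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def find_bruteforce(events, threshold=5, window_seconds=300):
    """Alert on (src, host) pairs with >= threshold failures inside a sliding window.

    threshold and window_seconds are assumed tuning values; adjust to the environment.
    """
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["host"])].append(ev)

    alerts = []
    for (src, host), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()          # timestamps of failures inside the current window
        peak = 0                  # highest failure count seen in any window
        users = set()             # accounts tried by this source
        burst_seen = False
        success_after_burst = False
        for ev in evs:
            if ev["result"] == "Failed":
                recent.append(ev["ts"])
                users.add(ev["user"])
                # drop failures that fell out of the window
                while (ev["ts"] - recent[0]).total_seconds() > window_seconds:
                    recent.popleft()
                peak = max(peak, len(recent))
                if len(recent) >= threshold:
                    burst_seen = True
            elif burst_seen:
                # an accepted login after a burst is the highest-priority signal
                success_after_burst = True
        if burst_seen:
            alerts.append({
                "src": src,
                "host": host,
                "failures_in_window": peak,
                "users": sorted(users),
                "success_after_burst": success_after_burst,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this produces a single alert for 203.0.113.7 against edge-gw with five failures across the root and admin accounts and a success immediately afterwards; the slow pair of failures from 192.0.2.44 only triggers if the window is widened to cover them, which is the trade-off to keep in mind when tuning against low-and-slow guessing. Whatever the thresholds, the durable mitigation for the edge devices this activity targets is to disable password authentication on sshd in favour of keys and to keep management interfaces off the public-facing side.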