China-Linked UAT-7290: Advanced Espionage Targeting Telecoms Across Asia and Europe + Video

China-linked threat actor UAT-7290 has emerged as a sophisticated espionage group operating since at least 2022, targeting telecom providers in South Asia and Southeastern Europe. The group demonstrates a dual role: infiltrating networks for intelligence gathering while providing infrastructure later leveraged by other China-aligned cyber actors. Its operations highlight the strategic targeting of telecommunications, emphasizing both technical sophistication and geopolitical intent.

Espionage Tactics and Targeting Strategy

UAT-7290 focuses primarily on telecom operators, using extensive reconnaissance and advanced intrusion methods to deeply embed within victim networks. The group leverages Operational Relay Box (ORB) infrastructure, which is later reused by other China-nexus actors, signaling its dual purpose as both an espionage unit and an initial-access provider. Its activities reveal a consistent pattern of targeting critical communication infrastructure in geopolitically sensitive regions.

Sophisticated Malware Toolset

The actor employs a broad and adaptive toolset, combining open-source utilities, custom malware, and zero-day exploits, particularly against edge networking devices. While favoring Linux malware, UAT-7290 also deploys Windows implants such as RedLeaves and ShadowPad. Its attacks typically begin with proof-of-concept (PoC) exploits and SSH brute-force attempts, preceded by careful reconnaissance to identify vulnerable targets.

Key Malware Families: RushDrop, SilentRaid, and Bulbature

The attack chain usually starts with RushDrop, a dropper designed to bypass sandboxes and deploy three core components: DriveSwitch, SilentRaid, and a legitimate BusyBox utility. DriveSwitch triggers SilentRaid, a modular backdoor capable of executing remote commands, accessing files, forwarding ports, and harvesting sensitive system data. Another critical implant, Bulbature, converts compromised devices into ORBs, enabling multiple C2 connections, reverse shells, and additional system monitoring. Bulbature’s use of hardcoded or encoded C2 data and self-signed certificates tied to infrastructure in China and Hong Kong further confirms its connection to China-aligned threat actors.

Links to Known China-Aligned Threat Actors

Talos researchers have identified overlaps in UAT-7290’s malware, infrastructure, and victimology with groups like APT10 and Red Foxtrot, both linked to PLA Unit 69010. Malware such as RedLeaves and ShadowPad has been observed alongside UAT-7290 campaigns, reinforcing its alignment with long-standing Chinese cyber operations. Recorded Future previously linked Red Foxtrot to the PLA, suggesting a continuity of espionage objectives across multiple campaigns. Indicators of compromise (IoCs) have been published to assist organizations in detecting and mitigating these threats.

What Undercode Says: Analytical Insights into UAT-7290 Operations

UAT-7290 represents a modern evolution of state-aligned cyber espionage, blending traditional intelligence tactics with advanced digital intrusion methods. Its dual role—espionage and infrastructure provision—reflects a strategic approach where initial access serves both immediate intelligence goals and broader operational reuse. The actor’s focus on telecom networks is significant, as these systems provide access not only to subscriber data but also to broader communications infrastructure, including internet backbones and mobile switching centers.

The malware chain, particularly RushDrop → DriveSwitch → SilentRaid → Bulbature, demonstrates layered operational sophistication. Each stage serves a distinct function: evasion, persistence, modular control, and network expansion. SilentRaid’s plugin architecture is particularly concerning, enabling the actor to execute an array of tasks remotely without redeploying malware, illustrating the modularity and adaptability of modern espionage campaigns. Bulbature’s transformation of compromised systems into ORBs indicates that UAT-7290 isn’t just stealing data—it’s creating a reusable espionage network for future operations by itself or allied actors.

Technical overlaps with APT10 and Red Foxtrot reveal both historical continuity and operational convergence. UAT-7290 appears to share not just tools, but infrastructure and targeting patterns with these groups, suggesting either coordination or shared operational doctrine within China-nexus cyber operations. The use of Linux malware alongside Windows implants reflects an awareness of diverse network environments, maximizing persistence in heterogeneous telecom systems.

The targeting methodology—extensive reconnaissance, PoC exploit usage, and SSH brute-force attacks—highlights a meticulous, patient approach rather than opportunistic hacking. This indicates strategic intent, likely linked to long-term intelligence gathering rather than immediate financial gain. The geographic focus on South Asia and Southeastern Europe aligns with broader Chinese geopolitical interests, providing potential insights into both civilian and military communications networks.

Organizations should note the modular and multi-platform nature of UAT-7290’s malware. Incident response strategies need to account for layered intrusion chains and potential lateral movement across networks. Indicators of compromise, particularly associated with ORB infrastructure and self-signed C2 certificates, can help defenders anticipate and mitigate attacks.

In addition, the reuse of ORB infrastructure by other actors implies that a single breach can extend far beyond initial targets. This underlines the need for network segmentation, continuous monitoring, and cross-organization threat intelligence sharing to reduce exposure. As UAT-7290 demonstrates, advanced persistent threats (APTs) are no longer confined to direct espionage—they are network creators, enabling prolonged, multi-actor cyber campaigns.

From a defensive standpoint, enterprises and telecom operators must enhance Linux and Windows monitoring capabilities, implement multi-factor authentication for SSH, and maintain robust patching cycles for edge networking devices. Detection strategies must evolve to identify subtle modular malware activity rather than relying solely on traditional signatures.
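As an added defender-side illustration (not code from the Talos report or this article), the following Python check runs over constructed Zeek-style ssl.log records and flags internal hosts that open TLS sessions with self-signed server certificates to several distinct external endpoints, the traffic pattern a Bulbature-style ORB maintaining multiple C2 connections would leave behind. Field names follow Zeek's ssl.log; the hosts, certificates and timestamps are made up for the example.

```python
import json
from collections import defaultdict

# Constructed Zeek-style ssl.log records (JSON, one per line). Field names follow
# Zeek's ssl.log; the hosts, certificates and timestamps are invented for this example.
SAMPLE_SSL_LOG = """\
{"ts":1700000001.0,"id.orig_h":"10.20.0.15","id.resp_h":"203.0.113.10","id.resp_p":443,"server_name":"cdn.example.net","subject":"CN=cdn.example.net","issuer":"CN=Example Public CA","validation_status":"ok"}
{"ts":1700000002.0,"id.orig_h":"10.20.0.15","id.resp_h":"198.51.100.7","id.resp_p":8443,"subject":"CN=localhost","issuer":"CN=localhost","validation_status":"self signed certificate"}
{"ts":1700000003.0,"id.orig_h":"10.20.0.15","id.resp_h":"198.51.100.9","id.resp_p":443,"subject":"CN=localhost","issuer":"CN=localhost","validation_status":"self signed certificate"}
{"ts":1700000004.0,"id.orig_h":"10.20.0.15","id.resp_h":"192.0.2.44","id.resp_p":443,"subject":"CN=test","issuer":"CN=test","validation_status":"self signed certificate"}
{"ts":1700000005.0,"id.orig_h":"10.20.0.31","id.resp_h":"198.51.100.7","id.resp_p":8443,"subject":"CN=localhost","issuer":"CN=localhost","validation_status":"self signed certificate"}
{"ts":1700000006.0,"id.orig_h":"10.20.0.31","id.resp_h":"203.0.113.10","id.resp_p":443,"server_name":"cdn.example.net","subject":"CN=cdn.example.net","issuer":"CN=Example Public CA","validation_status":"ok"}
"""


def is_self_signed(rec: dict) -> bool:
    """A certificate whose issuer DN equals its subject DN is self-signed."""
    subject, issuer = rec.get("subject"), rec.get("issuer")
    return bool(subject) and subject == issuer


def self_signed_fanout(log_text: str, min_destinations: int = 2) -> dict:
    """Group self-signed TLS sessions by originating host and return the hosts that
    reached at least `min_destinations` distinct (ip, port) endpoints with such certs.
    One self-signed session is common noise; fan-out to several endpoints is the
    multi-C2 pattern worth triaging."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if is_self_signed(rec):
            per_host[rec["id.orig_h"]].add((rec["id.resp_h"], rec["id.resp_p"]))
    return {host: sorted(dests) for host, dests in per_host.items()
            if len(dests) >= min_destinations}


if __name__ == "__main__":
    for host, endpoints in self_signed_fanout(SAMPLE_SSL_LOG).items():
        print(f"{host}: {len(endpoints)} self-signed TLS endpoints -> {endpoints}")
```

In production, exclude RFC 1918 destinations and known internal services first, since self-signed certificates on internal appliances are routine and would otherwise dominate the results.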

Overall, UAT-7290 exemplifies a shift in cyber espionage: an actor combining high technical skill, strategic patience, and network utility to create a reusable and persistent operational platform. Its activity serves as a case study for modern state-aligned cyber campaigns and underscores the ongoing risks to critical infrastructure worldwide.

Fact Checker Results

✅ UAT-7290 is linked to China-aligned cyber operations.

✅ The malware families include Linux-focused SilentRaid and ORB-enabling Bulbature.

❌ There is no confirmed evidence that UAT-7290 conducts financially motivated attacks; its focus is espionage.

Prediction

📊 UAT-7290 is likely to expand its ORB infrastructure, enabling more sophisticated campaigns targeting telecom networks in Europe, South Asia, and potentially Southeast Asia. Analysts should anticipate modular malware evolution with enhanced stealth features, especially on Linux servers, and potential collaboration with other China-nexus APTs to amplify espionage reach.



References:

Reported By: securityaffairs.com
