China-Linked UAT-7290 Targets Telecom Companies with Linux Malware and ORB Nodes

Cybersecurity researchers have attributed a series of espionage-driven cyber intrusions to a China-linked threat actor tracked as UAT-7290, which has been actively targeting organizations across South Asia and Southeastern Europe.

According to a new report published by Cisco Talos, the activity cluster has been operational since at least 2022 and is known for conducting deep technical reconnaissance before launching attacks. These intrusions eventually result in the deployment of multiple malware families, including RushDrop, DriveSwitch, and SilentRaid.

Dual Role as Espionage Actor and Access Broker

Researchers Asheer Malhotra, Vitor Ventura, and Brandon White stated that UAT-7290 not only infiltrates enterprise networks for intelligence gathering but also establishes Operational Relay Box (ORB) nodes. These ORBs can later be reused by other China-aligned threat groups, suggesting that UAT-7290 functions both as an espionage-focused actor and an initial-access provider.

This dual purpose significantly increases the long-term impact of the group's operations by enabling follow-on attacks conducted by allied threat clusters.

Targeted Regions and Victim Profile

The majority of observed attacks have focused on telecommunications providers operating in South Asia. However, more recent intrusion campaigns indicate an expansion into organizations located in Southeastern Europe, marking a geographic shift in targeting priorities.

Malware Arsenal and Attack Techniques

UAT-7290 employs a diverse toolkit that combines open-source malware, custom-developed components, and exploit payloads targeting one-day vulnerabilities in widely used edge networking devices. On Windows systems, the group has been observed deploying implants such as RedLeaves, also known as BUGJUICE, and ShadowPad, both historically associated with Chinese state-aligned hacking operations.

Despite this, the actor primarily relies on a Linux-based malware framework composed of the following components.

  • RushDrop, also known as ChronosRAT, which acts as the initial dropper and starts the infection chain
  • DriveSwitch, a secondary utility used to launch SilentRaid on compromised systems
  • SilentRaid, also tracked as MystRodX, a C++-based implant that maintains persistent access and supports modular plugins for remote shell access, port forwarding, file operations, and external server communication

Previous research by QiAnXin XLab identified MystRodX as a variant of ChronosRAT, a modular ELF malware capable of executing shellcode, managing files, logging keystrokes, forwarding ports, capturing screenshots, and acting as a proxy. Palo Alto Networks Unit 42 tracks this related activity under the designation CL-STA-0969.

ORB Enablement and Infrastructure Overlap

UAT-7290 also deploys a backdoor named Bulbature, which is designed to convert compromised edge devices into ORB nodes. This backdoor was first documented by Sekoia in October 2024.

Cisco Talos further noted that UAT-7290 shares tactical behavior and infrastructure similarities with other China-linked threat groups, including Stone Panda and RedFoxtrot, also referred to as Nomad Panda.

Initial Access and Exploitation Strategy

The threat actor is known for conducting prolonged reconnaissance prior to exploitation. Initial access is typically achieved through one-day exploits and targeted SSH brute-force attacks against exposed edge devices. Once inside, the actor escalates privileges to maintain long-term control.
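The SSH brute-force activity described above is one of the more readily detectable parts of this intrusion chain, because every guess leaves a line in the target's authentication log. The following script is an added example, not code from the Cisco Talos report or from any of the tools named in it; it assumes standard OpenSSH syslog-format lines (the log lines below are constructed samples, not real indicators) and implements a sliding-window failure counter per source address. Beyond the simple failure threshold, it separately flags an `Accepted` login that lands after a burst of failures from the same source, which is the event a defender should escalate first, since it is the point at which the text's "once inside" phase begins.

```python
"""Detect SSH brute-force bursts in OpenSSH auth log lines.

Added example (not part of the original report). Flags source IPs that
exceed a failure threshold within a sliding time window, and separately
flags a successful login that follows such a burst from the same source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed OpenSSH syslog format; the timestamp carries no year, so one is
# pinned for parsing (a real pipeline would take it from the log source).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
YEAR = 2024

# Constructed sample log: one burst from 203.0.113.7 ending in a successful
# root login, one benign failure-then-key-login, and two slow failures.
SAMPLE_LOG = """\
Mar 12 02:14:01 edge01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar 12 02:14:03 edge01 sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2
Mar 12 02:14:05 edge01 sshd[4105]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar 12 02:14:07 edge01 sshd[4107]: Failed password for root from 203.0.113.7 port 51018 ssh2
Mar 12 02:14:09 edge01 sshd[4109]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar 12 02:14:11 edge01 sshd[4111]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Mar 12 02:20:00 edge01 sshd[4200]: Failed password for ops from 198.51.100.4 port 40001 ssh2
Mar 12 02:20:30 edge01 sshd[4201]: Accepted publickey for ops from 198.51.100.4 port 40002 ssh2
Mar 12 03:00:00 edge01 sshd[4300]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar 12 03:05:00 edge01 sshd[4301]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""


def parse_line(line):
    """Return a dict for a Failed/Accepted sshd line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return (bursts, suspicious_successes).

    bursts: {ip: failure count at the moment the threshold was crossed}
    suspicious_successes: (ip, user, iso_timestamp) for every accepted
    login from a source that had already produced a burst.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bursts = {}
    suspicious = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        # Expire failures that fell out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["ok"]:
            if ev["ip"] in bursts:
                suspicious.append((ev["ip"], ev["user"], ev["ts"].isoformat()))
            continue
        q.append(ev["ts"])
        if len(q) >= threshold and ev["ip"] not in bursts:
            bursts[ev["ip"]] = len(q)
    return bursts, suspicious


if __name__ == "__main__":
    bursts, suspicious = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, n in bursts.items():
        print(f"brute-force burst from {ip}: {n} failures inside window")
    for ip, user, ts in suspicious:
        print(f"ALERT: successful login as {user} from {ip} at {ts} after burst")
```

Tuning note: the threshold and window are deliberately parameters. A low threshold with a long window catches the slow, patient guessing that prolonged reconnaissance tends to involve, at the cost of more noise from legitimate mistyped passwords; the success-after-burst signal stays useful at either setting because it is conditioned on an outcome rather than on volume alone.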

Researchers emphasized that UAT-7290 appears to rely heavily on publicly available proof-of-concept exploit code rather than developing proprietary exploits, enabling rapid weaponization of newly disclosed vulnerabilities.
