China-Nexus Threat Actor UAT-7290 Linked to Espionage Activities
A recent report by Cisco Talos has linked a China-nexus threat actor known as UAT-7290 to espionage-focused intrusions targeting entities in South Asia and Southeastern Europe. The group, active since at least 2022, conducts extensive technical reconnaissance before deploying malware families like RushDrop, DriveSwitch, and SilentRaid.
According to researchers Asheer Malhotra, Vitor Ventura, and Brandon White, UAT-7290 not only conducts espionage attacks but also establishes Operational Relay Box (ORB) nodes that may be used by other China-linked actors for malicious operations.
Telecommunications providers in South Asia have been the primary targets of UAT-7290, with recent attacks expanding to organizations in Southeastern Europe. The threat actor’s arsenal includes a mix of open-source malware, custom tools, and payloads for exploiting 1-day vulnerabilities in popular edge networking products.
The group’s Linux-based malware suite consists of RushDrop, DriveSwitch, and SilentRaid, each serving a specific function in the infection chain. Additionally, UAT-7290 deploys a backdoor named Bulbature, capable of turning compromised devices into ORBs.
UAT-7290’s tactics overlap with China-linked adversaries such as Stone Panda and RedFoxtrot, showcasing a sophisticated approach that leverages one-day exploits and SSH brute force to compromise systems.
