
China’s UAT-7290: Espionage, Linux Malware, and the ORB Network Threat


China’s UAT-7290: A Dual-Threat Cyber Espionage Powerhouse Emerges

A sophisticated, China-nexus threat actor, identified as UAT-7290, has been meticulously targeting telecommunications entities across South Asia and Southeastern Europe. Active since at least 2022, this group is not merely content with traditional espionage; it also plays a critical dual role as an initial access broker, establishing Operational Relay Box (ORB) nodes for other China-linked adversaries.

According to a recent Cisco Talos report, UAT-7290’s operations are characterized by extensive technical reconnaissance, laying the groundwork for deep infiltration. Researchers Asheer Malhotra, Vitor Ventura, and Brandon White highlight that beyond burrowing deep into victim networks for espionage, UAT-7290’s tactics and tooling indicate a strategic effort to build ORB infrastructure. This infrastructure then serves as a launchpad for other China-nexus actors, underscoring UAT-7290’s significant and multifaceted threat.

Unmasking the Modus Operandi

Initially focusing on telecommunications providers in South Asia, UAT-7290 has recently expanded its reach, launching intrusion waves against organizations in Southeastern Europe. The group’s tradecraft is both broad and adaptable, leveraging a potent mix of open-source malware, custom-developed tools, and exploits for one-day vulnerabilities in popular edge networking products.

While the threat actor has deployed notable Windows implants like RedLeaves (aka BUGJUICE) and ShadowPad – both exclusively linked to Chinese hacking groups – its primary focus appears to be a robust Linux-based malware suite:

  • RushDrop (aka ChronosRAT): A dropper designed to initiate the infection chain.
  • DriveSwitch: Peripheral malware used to execute SilentRaid on compromised systems.
  • SilentRaid (aka MystRodX): A C++-based implant establishing persistent access, offering capabilities like remote shells, port forwarding, and file operations via a plugin-like architecture. Prior analysis by QiAnXin XLab identified MystRodX as a variant of ChronosRAT, a modular ELF binary with extensive capabilities including shellcode execution, file management, keylogging, and screenshot capture.

Building the ORB Network: Initial Access for Other State-Sponsored Actors

A distinctive element of UAT-7290’s operations is the deployment of a backdoor named Bulbature. First documented by Sekoia in October 2024, Bulbature transforms compromised edge devices into ORB nodes. This strategic move suggests UAT-7290’s role extends beyond direct espionage, positioning them as a crucial enabler for broader Chinese state-sponsored cyber operations.

Tactics and Overlaps with Notorious Chinese Groups

UAT-7290’s initial access strategy relies heavily on exploiting one-day vulnerabilities and on targeted SSH brute-force attacks against public-facing edge devices. The group appears to favor publicly available proof-of-concept exploit code over developing its own, a common tactic among resourceful state-backed actors seeking efficiency.

Cybersecurity firm Sekoia has also noted tactical and infrastructure overlaps between UAT-7290 and other well-known China-linked adversaries, including Stone Panda and RedFoxtrot (aka Nomad Panda). This suggests a potential collaborative ecosystem or shared resources within the broader Chinese cyber espionage landscape. Palo Alto Networks Unit 42 tracks this cluster under the moniker CL-STA-0969.
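The SSH brute-force activity described above is the part of this tradecraft most visible in ordinary host logs, so here is a small detection routine for it. This is an added example written for this page, not tooling from Cisco Talos, Sekoia, or any vendor named here; the sshd log lines, the hostnames, the usernames, the IP addresses (RFC 5737 documentation ranges) and the year are all constructed. It parses standard OpenSSH auth-log lines, raises an alert when one source address accumulates a burst of failed logins inside a sliding time window, and raises a second, higher-priority alert if that same source later authenticates successfully, which is the case an analyst most needs to see.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not from the article or any real incident).
# 203.0.113.45 hammers the edge gateway and eventually gets in; 198.51.100.7 is
# an operator with a couple of typos, which must not trip the detector.
SAMPLE_LOG = """\
Mar  3 02:14:01 edge-gw sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:03 edge-gw sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:05 edge-gw sshd[2215]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  3 02:14:07 edge-gw sshd[2217]: Failed password for invalid user oracle from 203.0.113.45 port 51055 ssh2
Mar  3 02:14:09 edge-gw sshd[2219]: Failed password for root from 203.0.113.45 port 51060 ssh2
Mar  3 02:14:12 edge-gw sshd[2221]: Failed password for root from 203.0.113.45 port 51071 ssh2
Mar  3 02:20:00 edge-gw sshd[2301]: Accepted publickey for netops from 198.51.100.7 port 40011 ssh2
Mar  3 02:31:10 edge-gw sshd[2402]: Failed password for netops from 198.51.100.7 port 40020 ssh2
Mar  3 02:40:44 edge-gw sshd[2410]: Failed password for netops from 198.51.100.7 port 40025 ssh2
Mar  3 02:45:00 edge-gw sshd[2455]: Accepted password for root from 203.0.113.45 port 51200 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an auth line we understand, or None for anything else.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Sliding-window brute-force detector over sshd auth lines.

    Alert 'brute_force' fires once per source IP when it reaches `threshold`
    failed logins within `window_seconds`. Alert 'success_after_brute_force'
    fires on any later successful login from a source already flagged."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])          # logs are not always in order
    failures = defaultdict(deque)               # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            q = failures[ip]
            q.append(e["ts"])
            # Drop failures that have aged out of the window.
            while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip,
                               "user": e["user"], "ts": e["ts"]})
        elif e["result"] == "Accepted" and ip in flagged:
            # A password guess that landed: this is the one to page on.
            alerts.append({"type": "success_after_brute_force", "ip": ip,
                           "user": e["user"], "method": e["method"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']:%Y-%m-%d %H:%M:%S} {a['type']:26} src={a['ip']} user={a['user']}")
```

Run against the sample, the detector emits one `brute_force` alert for 203.0.113.45 at the fifth failure and one `success_after_brute_force` alert when that address later logs in as root, while the operator's two spaced-out failures from 198.51.100.7 stay below threshold. In production the same logic is better fed from an aggregated log pipeline than from a single host, since a fleet of edge devices each seeing a few attempts is exactly the pattern a distributed brute-force campaign produces.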

The Expanding Reach: From South Asia to Southeastern Europe

The expansion of UAT-7290’s targeting from South Asia to Southeastern Europe signals a growing ambition and capability. Telecommunication networks, being critical infrastructure, offer not only valuable intelligence but also strategic access points for further malicious operations, making them prime targets for sophisticated state-sponsored groups like UAT-7290.
