Ethical Hacking News
UAT-7290, a new China-nexus threat actor, has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe. The group targets telecommunications providers with Linux malware and Operational Relay Box (ORB) nodes, highlighting the growing sophistication of China-linked threat actors.
Key points:
- UAT-7290 is a new China-nexus threat actor attributed to espionage-focused intrusions in South Asia and Southeastern Europe.
- The group targets telecommunications providers with Linux malware and Operational Relay Box (ORB) nodes.
- UAT-7290's tradecraft involves open-source malware, custom tooling, and payloads for 1-day vulnerabilities in popular edge networking products.
- The group leverages a Linux-based malware suite comprising RushDrop, DriveSwitch, and SilentRaid.
- UAT-7290 shares tactical and infrastructure overlaps with the China-linked adversaries Stone Panda and RedFoxtrot (aka Nomad Panda).
- The group deploys backdoors such as Bulbature to transform compromised edge devices into ORB nodes.
- The emergence of UAT-7290 highlights the growing sophistication of China-linked threat actors in espionage-focused intrusions.
In a recent report published by Cisco Talos, a team of researchers has identified a new China-nexus threat actor known as UAT-7290. The group has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe, targeting telecommunications providers with Linux malware and Operational Relay Box (ORB) nodes.
The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid. According to Asheer Malhotra, Vitor Ventura, and Brandon White, researchers at Cisco Talos, "The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290's dual role as an espionage-motivated threat actor as well as an initial access group."
UAT-7290's tradecraft is broad and varied, relying on a combination of open-source malware, custom tooling, and payloads for 1-day vulnerabilities in popular edge networking products. The group mainly leverages a Linux-based malware suite comprising RushDrop (aka ChronosRAT), a dropper that initiates the infection chain; DriveSwitch, a peripheral malware used to execute SilentRaid on the infected system; and SilentRaid (aka MystRodX), a C++-based implant that establishes persistent access to compromised endpoints and employs a plugin-like approach to communicate with an external server.
The researchers noted that UAT-7290 shares tactical and infrastructure overlaps with China-linked adversaries known as Stone Panda and RedFoxtrot (aka Nomad Panda). "The threat actor conducts extensive reconnaissance of target organizations before carrying out intrusions. UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access and escalate privileges on compromised systems," the researchers said.
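The "target-specific SSH brute force" against public-facing edge devices described above leaves a recognisable trace in sshd authentication logs: a burst of failed logins from one source, sometimes followed by a successful login from that same source. The following is an added example, not code from the Talos report or from any of the tooling it describes. It parses a constructed sample of OpenSSH auth.log lines (the addresses, hostnames, usernames and timestamps are invented) and flags sources that exceed an assumed threshold of failures inside an assumed time window, escalating when an accepted login follows the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample of OpenSSH auth.log lines (not real telemetry).
# Assumed syslog layout: "<Mon> <DD> <HH:MM:SS> <host> sshd[<pid>]: <message>".
SAMPLE_LOG = """\
Jan  8 02:11:01 edge01 sshd[2201]: Failed password for root from 203.0.113.10 port 51112 ssh2
Jan  8 02:11:03 edge01 sshd[2203]: Failed password for admin from 203.0.113.10 port 51114 ssh2
Jan  8 02:11:05 edge01 sshd[2205]: Failed password for invalid user netops from 203.0.113.10 port 51116 ssh2
Jan  8 02:11:07 edge01 sshd[2207]: Failed password for admin from 203.0.113.10 port 51118 ssh2
Jan  8 02:11:09 edge01 sshd[2209]: Failed password for root from 203.0.113.10 port 51120 ssh2
Jan  8 02:11:12 edge01 sshd[2211]: Accepted password for admin from 203.0.113.10 port 51122 ssh2
Jan  8 02:15:40 edge01 sshd[2290]: Failed password for ops from 198.51.100.7 port 40010 ssh2
Jan  8 02:30:22 edge01 sshd[2310]: Accepted publickey for ops from 198.51.100.7 port 40012 ssh2
"""

# Matches both "Failed password for [invalid user] <u> from <ip>" and
# "Accepted <method> for <u> from <ip>" lines; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool  # True for an Accepted login, False for a Failed one


def parse_events(text: str, year: int = 2026) -> list[Event]:
    """Parse sshd auth lines into Events. Syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_ssh_bruteforce(events: list[Event],
                          window: timedelta = timedelta(minutes=5),
                          threshold: int = 5) -> dict:
    """Return {source_ip: finding} for sources with >= threshold failed logins
    inside `window`. Severity is raised to 'high' when an Accepted login from
    the same source follows the burst, i.e. the brute force appears to have worked.
    The window and threshold are assumed defaults; tune them per environment."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev.ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e.ok]
        burst_end = None
        # Sliding window over failure timestamps: find the first run of
        # `threshold` failures whose span fits inside `window`.
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j].ts - failures[i].ts <= window:
                j += 1
            if j - i >= threshold:
                burst_end = failures[j - 1].ts
                break
        if burst_end is None:
            continue
        success = next((e for e in evs if e.ok and e.ts >= burst_end), None)
        findings[ip] = {
            "failed_attempts": len(failures),
            "users_tried": sorted({e.user for e in failures}),
            "success_after_burst": success.user if success else None,
            "severity": "high" if success else "medium",
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_ssh_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

In the sample, 203.0.113.10 is flagged as high severity: five failures against root, admin and a non-existent account within eight seconds, then an accepted password login as admin from the same address. 198.51.100.7 is not flagged, since a single failure followed much later by a public-key login is ordinary operator behaviour. On real edge appliances the syslog layout often differs from OpenSSH's, so the regex is the part to adapt first.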
Furthermore, UAT-7290 has been found to deploy a backdoor called Bulbature that's engineered to transform a compromised edge device into an ORB node. This was first documented by Sekoia in October 2024. The group also shares a notable Windows implant, RedLeaves (aka BUGJUICE), which is exclusively linked to Chinese hacking groups.
According to QiAnXin XLab, MystRodX is a variant of ChronosRAT, a modular ELF binary that's capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy. Palo Alto Networks Unit 42 is tracking the associated threat cluster under the moniker CL-STA-0969.
The emergence of UAT-7290 highlights the growing sophistication of China-linked threat actors in their espionage-focused intrusions. Given the tradecraft described here, organizations operating public-facing edge devices should prioritize timely patching of known (1-day) vulnerabilities in those products, restrict and monitor SSH access to them, and watch for compromised appliances being repurposed as relay infrastructure.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-China-Nexus-Threat-Actor-Emerges-UAT-7290-Targets-Telecoms-with-Linux-Malware-and-ORB-Nodes-ehn.shtml
https://thehackernews.com/2026/01/china-linked-uat-7290-targets-telecoms.html
https://blog.talosintelligence.com/uat-7290/
Published: Thu Jan 8 09:28:34 2026 by llama3.2 3B Q4_K_M