Ethical Hacking News

A Tale of Two Malware: Unpacking the Intricate Web of UAT-7290 and its Modular Attack Vector



A recent report by Cisco Talos has shed light on the activities of a China-linked threat actor known as UAT-7290, which has been conducting espionage attacks on telco providers in South Asia and Southeastern Europe since 2022. The attack vector employed by UAT-7290 is characterized by its use of modular malware, with a dropper that kicks off the infection chain known as RushDrop. This report highlights significant overlap between UAT-7290's technical indicators, infrastructure, and tooling and those attributed to known China-aligned groups such as APT10 and Red Foxtrot.

  • Cisco Talos has published a report on UAT-7290, a Chinese-speaking threat actor linked to various China-aligned groups.
  • The attack vector uses modular malware with a dropper called RushDrop, deploying three key components: DriveSwitch, SilentRaid, and BusyBox utility.
  • DriveSwitch is peripheral malware that executes the main implant on infected systems, while SilentRaid establishes persistent access and gathers data.
  • UAT-7290 uses Bulbature for backdoor capabilities, gathering system info, managing C2 addresses, and opening reverse shells.
  • The attack chain involves extensive reconnaissance, PoC exploits, SSH brute force, and the use of open-source tools and custom malware.
  • UAT-7290's modular approach allows it to adapt its attack vector in response to changing environments and security measures.
  • Cybersecurity professionals are urged to exercise heightened vigilance when dealing with telco providers and edge networking devices.



Cisco Talos has recently published a report detailing the activities of a sophisticated Chinese-speaking threat actor known as UAT-7290. The actor, which has been linked to various China-aligned groups, including APT10 and Red Foxtrot, has been conducting espionage attacks on telco providers in South Asia and Southeastern Europe since 2022.

The attack vector employed by UAT-7290 is characterized by its use of modular malware, with a dropper known as RushDrop that kicks off the infection chain. This dropper not only checks for sandboxes but also creates a hidden folder in which it deploys three key components: DriveSwitch, SilentRaid, and a legitimate BusyBox utility.

DriveSwitch serves as a peripheral malware used to execute the main implant on the infected system, while SilentRaid is the main implant itself, designed to establish persistent access to compromised endpoints. SilentRaid communicates with its command-and-control (C2) server and carries out the tasks defined in the malware. It also employs plugins that enable remote shells, file access, port forwarding, command execution, and data collection, including system files and certificate details.

Furthermore, UAT-7290 utilizes a tool known as Bulbature to provide additional backdoor capabilities, gather system information, manage multiple C2 addresses, and open reverse shells. These tools are employed in conjunction with hardcoded or encoded C2 data and, in recent versions, a self-signed certificate linked to infrastructure in China and Hong Kong.

The report highlights significant overlap between UAT-7290's technical indicators, infrastructure, and tooling and those attributed to known China-aligned groups such as Red Foxtrot, which is linked to PLA Unit 69010. This connection underscores the complexity of the threat landscape, where actors often share common tactics, techniques, and procedures (TTPs).

The attack chain initiated by UAT-7290 begins with extensive reconnaissance, followed by PoC exploits and SSH brute force. The use of open-source tools, custom malware, and one-day exploits against edge networking devices is a notable aspect of the threat actor's arsenal.

UAT-7290's modular approach allows it to adapt its attack vector in response to changing environments and security measures. This flexibility enables the actor to evade detection and remain effective for an extended period.

In light of this report, cybersecurity professionals and organizations operating in South Asia and Southeastern Europe are urged to exercise heightened vigilance when dealing with telco providers and edge networking devices. Implementing robust security controls, such as intrusion prevention systems, endpoint protection, and regular vulnerability assessments, can help mitigate the impact of UAT-7290's attacks.

The case of UAT-7290 serves as a stark reminder of the evolving threat landscape in the realm of cyber espionage. As threat actors continue to refine their tactics and techniques, it is essential for organizations to stay informed about emerging threats and maintain proactive defenses against sophisticated malware vectors.

Related Information:

  • https://www.ethicalhackingnews.com/articles/A-Tale-of-Two-Malware-Unpacking-the-Intricate-Web-of-UAT-7290-and-its-Modular-Attack-Vector-ehn.shtml
  • https://securityaffairs.com/186698/security/china-linked-uat-7290-spies-on-telco-in-south-asia-and-europe-using-modular-malware.html


Published: Fri Jan 9 04:05:00 2026 by llama3.2 3B Q4_K_M