Ethical Hacking News
A sophisticated threat actor linked to China has been detected breaching telcos using edge device exploits, leaving security experts concerned about potential national cyber espionage operations.
A sophisticated threat actor, UAT-7290, has been targeting telecommunications providers using Linux-based malware. The attackers conduct extensive reconnaissance before a breach and leverage one-day exploits to compromise public-facing edge devices. The UAT-7290 arsenal primarily consists of a Linux-based malware suite, including RushDrop (ChronosRAT), DriveSwitch, SilentRaid (MystRodX), and Bulbature. The malware used by UAT-7290 allows for remote shell access, port forwarding, file operations, directory archiving, and collection of X.509 certificate attributes. Cisco Talos provides technical details and indicators of compromise to help organizations defend against this threat actor.
A recent report by Cisco Talos has uncovered a sophisticated threat actor that has been targeting telecommunications providers, using Linux-based malware to conduct extensive reconnaissance and deploy custom and open-source malware to compromise public-facing edge devices. The attackers, tracked internally as UAT-7290, have strong China nexus indicators and typically focus on telcos in South Asia in their cyber-espionage operations.
Active since at least 2022, the UAT-7290 group serves as an initial access group by establishing an Operational Relay Box (ORB) infrastructure during attacks, which is then utilized by other China-aligned threat actors. The attackers conduct extensive reconnaissance before a breach and leverage one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access and escalate privileges on compromised systems.
The UAT-7290 arsenal primarily consists of a Linux-based malware suite, with occasional deployments of Windows implants such as RedLeaves and ShadowPad. Cisco highlights several Linux malware families linked to UAT-7290, including RushDrop (ChronosRAT), DriveSwitch, SilentRaid (MystRodX), and Bulbature.
The RushDrop (ChronosRAT) initial dropper begins the infection chain by performing basic anti-VM checks, creating or verifying a hidden .pkgdb directory, and decoding three binaries embedded inside it. The DriveSwitch peripheral component is dropped by RushDrop, and its primary function is to execute the SilentRaid implant on the compromised system.
The SilentRaid (MystRodX) main persistent implant is written in C++ and built around a plugin-based design. It performs basic anti-analysis checks and resolves its C2 domain using Google's public DNS resolver, and it supports remote shell access, port forwarding, file operations, directory archiving with tar, access to /etc/passwd, and collection of X.509 certificate attributes.
The Bulbature Linux-based UPX-packed implant is used to convert compromised devices into Operational Relay Boxes (ORBs). It listens on configurable ports, opens reverse shells, stores its C2 configuration in /tmp/*.cfg, supports C2 rotation, and uses a self-signed TLS certificate.
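As an added defender-side example (not code from the article or from Cisco Talos), the following Python hunt script looks for the two host artifacts the RushDrop and Bulbature paragraphs above describe: a hidden .pkgdb directory holding decoded ELF binaries, and .cfg files under /tmp. The sample tree it scans is constructed inline and contains no real malware; the "UPX!" marker check is a packing heuristic, not an identification of Bulbature itself.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"

def head(path, n=4096):
    """Read the first n bytes of a file; empty bytes if it cannot be read."""
    try:
        with open(path, "rb") as f:
            return f.read(n)
    except OSError:
        return b""

def hunt_uat7290(root):
    """Walk root (live filesystem or mounted image); return (finding, path) pairs."""
    findings = []
    tmp_dir = os.path.join(root, "tmp")
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".pkgdb":  # RushDrop's hidden drop directory
            findings.append(("hidden .pkgdb directory", dirpath))
            for name in filenames:
                p = os.path.join(dirpath, name)
                h = head(p)
                if h.startswith(ELF_MAGIC):
                    # 'UPX!' marker is a heuristic for UPX packing (Bulbature is UPX-packed)
                    tag = "ELF in .pkgdb" + (" (UPX-packed)" if b"UPX!" in h else "")
                    findings.append((tag, p))
        if dirpath == tmp_dir:  # Bulbature keeps its C2 configuration in /tmp/*.cfg
            for name in filenames:
                if name.endswith(".cfg"):
                    findings.append(("cfg file under /tmp", os.path.join(dirpath, name)))
    return findings

def build_sample_tree():
    """Constructed sample layout for an offline demo; contains no real malware."""
    root = tempfile.mkdtemp()
    pkgdb = os.path.join(root, "root", ".pkgdb")
    os.makedirs(pkgdb)
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(pkgdb, "a"), "wb") as f:
        f.write(ELF_MAGIC + b"\x00" * 60 + b"UPX!")  # fake packed ELF
    with open(os.path.join(pkgdb, "b"), "wb") as f:
        f.write(ELF_MAGIC + b"\x00" * 60)  # fake plain ELF
    with open(os.path.join(pkgdb, "notes"), "w") as f:
        f.write("not a binary\n")  # should be ignored
    with open(os.path.join(root, "tmp", "net.cfg"), "w") as f:
        f.write("c2=c2.example.invalid:443\n")  # placeholder, not a real IoC
    return root
```

Run hunt_uat7290("/") on a suspect host or hunt_uat7290(mountpoint) on a mounted disk image; every hit still needs triage, since a stray .cfg in /tmp is not proof of compromise on its own.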
Cisco Talos' report provides technical details about the malware used by UAT-7290, along with a list of indicators of compromise to help organizations defend against this threat actor. The report highlights the importance of monitoring for signs of these malicious activities and of taking steps to prevent such attacks from happening in the first place.
Related Information:
https://www.ethicalhackingnews.com/articles/New-China-linked-hackers-breach-telcos-using-edge-device-exploits-A-Sophisticated-Threat-Actor-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-china-linked-hackers-breach-telcos-using-edge-device-exploits/
Published: Thu Jan 8 17:46:53 2026 by llama3.2 3B Q4_K_M