Researchers from Cisco Talos disclosed a sophisticated threat actor, tracked as UAT-7290, which has been active since at least 2022. The group is assessed as responsible for gaining initial access and conducting espionage-focused intrusions against critical infrastructure entities in South Asia. These hackers employ a dedicated malware arsenal that includes a family of implants referred to as RushDrop, DriveSwitch, and SilentRaid.
RushDrop functions as the initial dropper that kickstarts the infection chain and is also known as ChronosRAT. DriveSwitch operates as a peripheral malware component used to execute the primary implant on infected systems. SilentRaid serves as the primary implant, designed to establish persistent access to compromised endpoints, communicate with command-and-control infrastructure, and execute tasks defined by the attacker. SilentRaid is also known as MystRodX.
In addition to these tools, UAT-7290 implants another malware strain called Bulbature on compromised devices. First disclosed by Sekoia in late 2024, Bulbature is an implant used to convert infected systems into operational relay boxes, also known as ORBs.
Cisco Talos’ findings indicate that the actor carries out extensive technical reconnaissance of target organizations before executing intrusions, underscoring a deliberate and methodical operational approach. UAT-7290 primarily leverages a Linux-based malware suite but may also utilize Windows-based bespoke implants such as RedLeaves or Shadowpad, commonly linked to China-nexus threat actors.
“UAT-7290 primarily targets telecommunications providers in South Asia. However, in recent months, we have also seen UAT-7290 expand their targeting into Southeastern Europe,” Asheer Malhotra, Vitor Ventura, and Brandon White, Cisco Talos researchers, wrote in a Thursday post. “UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access and escalate privileges on compromised systems. The actor appears to rely on publicly available proof-of-concept exploit code as opposed to developing their own.”
They added that, “In addition to conducting espionage-focused attacks where UAT-7290 burrows deep inside a victim enterprise’s network infrastructure, their tactics, techniques and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORBs) nodes. The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290’s dual role as an espionage-motivated threat actor as well as an initial access group.”
Cisco detailed that UAT-7290 shares overlapping TTPs with known China-nexus adversaries, including the exploitation of high-profile vulnerabilities in networking devices, the use of open-source web shells for persistence, the use of UDP listeners, and the use of compromised infrastructure to facilitate operations. “Specifically, we have observed technical indicators that overlap with RedLeaves, a malware family attributed to APT10 (a.k.a. MenuPass, POTASSIUM and Purple Typhoon), as well as infrastructure associated with ShadowPad, a malware family used by a variety of China-nexus adversaries.”
Additionally, UAT-7290 shares a significant amount of overlap in victimology, infrastructure, and tooling with a group publicly reported by Recorded Future as Red Foxtrot. In a 2021 report, Recorded Future linked Red Foxtrot to the Chinese People’s Liberation Army (PLA) Unit 69010.
The ClamAV signatures used to detect and block this threat include Unix.Dropper.Agent, Unix.Malware.Agent, and Unix.Packed.Agent.
