UAT-7290, a China-nexus threat actor, has been linked to espionage-focused intrusions against organizations in Southeastern Europe and South Asia. According to a Cisco Talos report released today, the activity cluster, which has been active since at least 2022, concentrates on thorough technical reconnaissance of target organizations before launching attacks that ultimately deploy malware families such as RushDrop, DriveSwitch, and SilentRaid. According to researchers Asheer Malhotra, Vitor Ventura, and Brandon White, "their tactics, techniques, and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORB) nodes in addition to conducting espionage-focused attacks where UAT-7290 burrows deep inside a victim enterprise's network infrastructure."

"Other China-nexus actors may then use the ORB infrastructure in their malicious operations, indicating UAT-7290's dual role as an initial access group and a threat actor motivated by espionage." The adversary's attacks have mostly targeted South Asian telecom companies, but recent intrusion waves have also hit organizations in Southeastern Europe.

UAT-7290's tradecraft is as broad as it is varied, relying on a combination of open-source malware, custom tooling, and exploits for 1-day vulnerabilities (flaws for which a patch has already been released) in popular edge networking products. RedLeaves (also known as BUGJUICE) and ShadowPad are two prominent Windows implants used by the threat actor; both are associated exclusively with Chinese hacking groups.

Nevertheless, the group primarily uses a Linux-based malware suite that consists of: RushDrop (also known as ChronosRAT), a dropper that starts the infection chain; DriveSwitch, an auxiliary component that runs SilentRaid on the compromised system; and SilentRaid (also known as MystRodX), a C++-based implant that establishes persistent access to compromised endpoints and uses a plugin-like mechanism to connect to an external server, launch a remote shell, configure port forwarding, and carry out file operations. Notably, a previous QiAnXin XLab analysis identified MystRodX as a variant of ChronosRAT, a modular ELF binary with shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy capabilities. Palo Alto Networks Unit 42 tracks the related threat cluster under the name CL-STA-0969.

Bulbature, a backdoor designed to turn a compromised edge device into an ORB, is another tool used by UAT-7290; Sekoia first documented it in October 2024. Before launching an intrusion, the threat actor thoroughly investigates the target organization.

To obtain initial access and escalate privileges, UAT-7290 compromises public-facing edge devices using target-specific SSH brute force and 1-day exploits, according to the researchers. "Instead of creating their own exploit code, the actor seems to rely on publicly available proof-of-concept exploit code."