China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes

By The Hacker News
January 8, 2026
Jan 08, 2026Ravie LakshmananMalware / Threat Intelligence

A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe.

The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid, according to a Cisco Talos report published today.

“In addition to conducting espionage-focused attacks where UAT-7290 burrows deep inside a victim enterprise’s network infrastructure, their tactics, techniques, and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORB) nodes,” researchers Asheer Malhotra, Vitor Ventura, and Brandon White said.

“The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290’s dual role as an espionage-motivated threat actor as well as an initial access group.”

Attacks mounted by the adversary have mainly targeted telecommunications providers in South Asia. However, recent intrusion waves have branched out to strike organizations in Southeastern Europe.

UAT-7290’s tradecraft is as broad as it is varied, relying on a combination of open-source malware, custom tooling, and exploit payloads for 1-day vulnerabilities (publicly known, already-patched flaws) in popular edge networking products. Some of the notable Windows implants put to use by the threat actor include RedLeaves (aka BUGJUICE) and ShadowPad, both exclusively linked to Chinese hacking groups.

That said, the group mainly leverages a Linux-based malware suite comprising:

  • RushDrop (aka ChronosRAT), a dropper that initiates the infection chain
  • DriveSwitch, a peripheral malware that’s used to execute SilentRaid on the infected system
  • SilentRaid (aka MystRodX), a C++-based implant that establishes persistent access to compromised endpoints and uses a plugin-like architecture to communicate with an external command-and-control server, open a remote shell, set up port forwarding, and perform file operations

It’s worth noting that a prior analysis from QiAnXin XLab flagged MystRodX as a variant of ChronosRAT, a modular ELF binary that’s capable of shellcode execution, file management, keylogging, port forwarding, remote shell access, screenshot capture, and proxying. Palo Alto Networks Unit 42 is tracking the associated threat cluster under the moniker CL-STA-0969.

Also deployed by UAT-7290 is a backdoor called Bulbature that’s engineered to turn a compromised edge device into an ORB node. It was first documented by Sekoia in October 2024.

Cisco Talos said the threat actor shares tactical and infrastructure overlaps with the China-linked adversaries known as Stone Panda and RedFoxtrot (aka Nomad Panda).

“The threat actor conducts extensive reconnaissance of target organizations before carrying out intrusions. UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access and escalate privileges on compromised systems,” the researchers said. “The actor appears to rely on publicly available proof-of-concept exploit code as opposed to developing their own.”
