China-linked UAT-7290 spies on telco in South Asia and Europe using modular malware

China-linked UAT-7290 has targeted South Asia and Southeastern Europe since 2022, conducting espionage and deploying RushDrop, DriveSwitch, and SilentRaid.

China-linked threat actor UAT-7290 has conducted espionage attacks since at least 2022, targeting South Asia and Southeastern Europe.

UAT-7290 primarily targets telecom providers, it conducts espionage by deeply embedding in victim networks and also operates Operational Relay Box (ORB) infrastructure later reused by other China-nexus actors, suggesting a dual role as both espionage and initial-access provider.

The threat actor uses a broad toolset, including open-source tools, custom malware, and one-day exploits against edge networking devices, favoring Linux malware but also deploying Windows implants like RedLeaves and ShadowPad. Attacks are preceded by extensive reconnaissance and rely on PoC exploits and SSH brute force. Its TTPs, infrastructure, and victimology overlap with known China-aligned groups such as APT10 and Red Foxtrot, linked to PLA Unit 69010.

“Talos currently tracks the Linux-based malware families associated with UAT-7290 in this intrusion as:

• RushDrop – The dropper that kickstarts the infection chain. RushDrop is also known as ChronosRAT.
• DriveSwitch – A peripheral malware used to execute the main implant on the infected system.
• SilentRaid – The main implant in the intrusion meant to establish persistent access to compromised endpoints. It communicates with its command-and-control server (C2) and carries out tasks defined in the malware. SilentRaid is also known as MystRodX.” reads the report published by Cisco Talos.

“Another malware implanted on compromised devices by UAT-7290 is Bulbature. Bulbature, first disclosed by Sekoia in late 2024, is an implant that is used to convert compromised devices into ORBs.”

The attack chain starts with RushDrop, a dropper that checks for sandboxes and then creates a hidden folder to deploy three components: DriveSwitch, SilentRaid, and a legitimate BusyBox utility.

The role of DriveSwitch is to launch SilentRaid, the main backdoor. SilentRaid is modular malware that contacts a command-and-control server and executes tasks through built-in plugins. These plugins enable remote shells, file access, port forwarding, command execution, and data collection, including system files and certificate details. Another tool, Bulbature, provides additional backdoor capabilities, gathers system info, manages multiple C2 addresses, and opens reverse shells. Bulbature uses hardcoded or encoded C2 data and, in recent versions, a self-signed certificate linked to infrastructure in China and Hong Kong, commonly associated with China-nexus threat actors.

“we have observed technical indicators that overlap with RedLeaves, a malware family attributed to APT10 (a.k.a. MenuPass, POTASSIUM and Purple Typhoon), as well as infrastructure associated with ShadowPad, a malware family used by a variety of China-nexus adversaries.” concludes the report.

“Additionally, UAT-7290 shares a significant amount of overlap in victimology, infrastructure, and tooling with a group publicly reported by Recorded Future as Red Foxtrot. In a 2021 report, Recorded Future linked Red Foxtrot to Chinese People’s Liberation Army (PLA) Unit 69010.”

The report includes indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, China)