China-Nexus Espionage APT UAT-7290 Targets Telecom Infrastructure in South Asia, Expands to Southeastern Europe
Published
Key Takeaways
- Target Profile: The unclassified threat actor UAT-7290 is conducting a cyber espionage campaign targeting high-value telecommunications infrastructure.
- Geographic Focus: The campaign is primarily concentrated on South Asian nations, posing a significant regional cybersecurity threat.
- Espionage Objective: The primary motive appears to be intelligence gathering, leveraging specialized malware to gain persistent access to critical networks.
A previously uncatalogued threat actor, designated UAT-7290, has been identified conducting a sophisticated cyberattack campaign aimed at high-value telecommunications infrastructure. This operation is geographically focused on organizations in South Asia, indicating a deliberate, targeted intelligence-gathering effort.
The China-Nexus state-sponsored advanced persistent threat (APT) group expanded its targeting into Southeastern Europe in recent months.
UAT-7290 Cyberattack Methodology
UAT-7290 cyberattacks focus on cyberespionage and persistent access and involve deploying custom malware. The threat actor uses a Linux-based malware suite, according to Cisco Talos Intelligence:
- RushDrop (also known as ChronosRAT) – Dropper that kickstarts the infection chain.
- DriveSwitch – Peripheral malware executing the main implant.
- SilentRaid (also known as MystRodX) – Main implant, establishes persistent access and communicates with its command-and-control server (C2) and carries out tasks.
It also uses Windows-based implants such as RedLeaves, a malware family attributed to APT10 (or Cicada, MenuPass, POTASSIUM, Purple Typhoon), and ShadowPad, usually employed by Chinese threat actors.
Initial access vectors that leverage one-day flaws in popular edge networking products and target-specific SSH brute force are followed by the installation of backdoors that allow the threat actor to exfiltrate sensitive data and maintain a long-term foothold within compromised networks.
UAT-7290 also establishes Operational Relay Box (ORBs) nodes. “The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290's dual role as an espionage-motivated threat actor as well as an initial access group,” the report said.
Another observed implant is Bulbature, first disclosed by Sekoia in 2024, which converts compromised devices into ORBs.
Implications for South Asia Cybersecurity
The activities of UAT-7290 could have cascading effects, impacting government, military, and civilian communications.
Security organizations in these regions are advised to heighten their defensive posture, audit network perimeters for signs of intrusion, and implement advanced threat detection measures to counter this evolving espionage campaign.
In other recent news, the Chinese hacking group Salt Typhoon allegedly hacked the U.S. House Staff's emails. Another recent campaign targeting Asia was seen in December, as the Panda APT poisoned DNS requests and delivered MgBot.
Last month, the China-linked Ink Dragon APT expanded its cyberespionage campaign to European government networks.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular