For more than two years, a little-noticed cluster of Linux-based malware has quietly moved through the infrastructure of telecommunications providers, leaving behind relay points that other attackers could later reuse. New technical details from Cisco Talos now shed light on the tools, tactics, and geographic reach of a threat actor it tracks as UAT-7290.
A Threat Actor in the Background of Global Networks
A sophisticated cyber-espionage actor tracked by Cisco Talos as UAT-7290 has been operating since at least 2022, targeting telecommunications providers with a focus on South Asia. According to Talos researchers, the group shows strong indicators of a China nexus and has recently expanded its activity to include organizations in Southeastern Europe.
Rather than conducting loud or destructive intrusions, the actor’s operations appear methodical and infrastructure-oriented. UAT-7290 is assessed to function not only as an espionage actor in its own right, but also as an initial access provider, establishing footholds that can later be leveraged by other China-aligned threat groups.
This role is reinforced by the group’s repeated use of compromised systems as Operational Relay Boxes, or ORBs — intermediary nodes that obscure the origin of subsequent malicious traffic and complicate attribution.
Reconnaissance and Initial Access at the Network Edge
Cisco Talos researchers describe a pattern of extensive reconnaissance preceding breaches. The group targets public-facing edge network devices, exploiting known vulnerabilities and misconfigurations rather than relying on novel zero-day flaws.
According to the report, UAT-7290 leverages one-day exploits (attacks against vulnerabilities that are already public and fixed upstream but not yet patched on the target) alongside SSH brute-force activity aimed at specific hosts and accounts rather than broad, opportunistic scanning. These techniques give the attackers initial access and a path to escalate privileges on the compromised system, a combination that works especially well in telecom environments where exposed edge devices are common.
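The brute-force behaviour described above is visible in ordinary sshd logs. The following is an added example, not code from the Talos report: a small detector that parses standard OpenSSH "Failed password" / "Accepted password" lines, groups failures by source address, and flags a source that produces a burst of failures against a handful of accounts within a short window, noting whether a successful login followed the burst. The log lines, hostnames, addresses and thresholds are constructed for the example.

```python
"""Detect target-specific SSH brute force in syslog-style auth.log lines.

Added example (not tooling from Cisco Talos). The sample log below is
constructed; the message format is the one OpenSSH's sshd writes to
auth.log via syslog.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source hammers root/admin and then succeeds,
# another source fails twice an hour apart (normal operator typo).
SAMPLE_LOG = """\
Mar 14 02:11:03 edge-rtr sshd[2211]: Failed password for root from 203.0.113.7 port 51712 ssh2
Mar 14 02:11:04 edge-rtr sshd[2213]: Failed password for root from 203.0.113.7 port 51713 ssh2
Mar 14 02:11:05 edge-rtr sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51714 ssh2
Mar 14 02:11:06 edge-rtr sshd[2217]: Failed password for root from 203.0.113.7 port 51715 ssh2
Mar 14 02:11:08 edge-rtr sshd[2219]: Failed password for invalid user admin from 203.0.113.7 port 51716 ssh2
Mar 14 02:11:09 edge-rtr sshd[2221]: Accepted password for root from 203.0.113.7 port 51717 ssh2
Mar 14 02:30:00 edge-rtr sshd[2300]: Failed password for ops from 198.51.100.20 port 40001 ssh2
Mar 14 03:30:00 edge-rtr sshd[2301]: Failed password for ops from 198.51.100.20 port 40002 ssh2
"""

# Classic syslog timestamp (no year) followed by the sshd auth message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_events(text, year=2025):
    """Return a list of (timestamp, result, user, ip) tuples for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=4, window_s=60):
    """Flag sources with >= threshold failures inside any window_s-second window.

    Returns {ip: {"failures": total_failures, "users": [..], "success_after": bool}}
    where success_after is True if an Accepted login from the same source
    lands at or after the last failure, i.e. the guessing likely worked.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits in window_s
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[-1][0]
                findings[ip] = {
                    "failures": len(fails),
                    "users": sorted({e[2] for e in fails}),
                    "success_after": any(
                        e[1] == "Accepted" and e[0] >= last_fail for e in evs
                    ),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

A short user list in the finding (here just root and admin) is the "target-specific" signal: a few privileged accounts guessed repeatedly from one source, rather than a wide username spray. The `success_after` flag is what should page someone, because a successful login right after the burst matches the initial-access pattern the report describes.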
The approach reflects a broader trend in state-aligned cyber operations: exploiting the lag between vulnerability disclosure and patch deployment, especially in complex or legacy network infrastructure.
Inside the UAT-7290 Malware Arsenal
Once access is established, UAT-7290 deploys a predominantly Linux-based malware suite. Cisco Talos notes occasional use of Windows implants such as RedLeaves and ShadowPad, both of which are widely shared across multiple China-nexus actors, but the core toolset is Linux-focused.
Among the malware families linked to the group is RushDrop, also known as ChronosRAT. RushDrop serves as the initial dropper, performing basic anti-virtual-machine checks and creating or verifying a hidden “.pkgdb” directory. It then decodes and deploys three embedded binaries: daytime, a DriveSwitch executor; chargen, the SilentRaid implant; and busybox, a legitimate Linux utility repurposed for command execution.
DriveSwitch functions primarily as a loader, executing SilentRaid on compromised systems. SilentRaid, also tracked as MystRodX, is the main persistent implant. Written in C++ and built around a plugin-based architecture, it supports remote shell access, port forwarding, file operations, directory archiving using tar, access to /etc/passwd, and the collection of X.509 certificate attributes. The malware resolves its command-and-control domain through Google's public DNS resolver rather than the host's configured resolver, which sidesteps any logging on the organization's own DNS infrastructure; direct DNS traffic from servers to an external public resolver is therefore worth alerting on where local resolvers are mandated. It also performs basic anti-analysis checks.
Another key component is Bulbature, a UPX-packed Linux implant previously documented by Sekoia. Bulbature is used to convert compromised devices into ORBs. It listens on configurable ports, opens reverse shells, stores command-and-control configuration files in /tmp/*.cfg, supports C2 rotation, and relies on a self-signed TLS certificate.
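The filesystem artifacts named in the three paragraphs above (the hidden `.pkgdb` directory, the dropped `daytime`, `chargen` and `busybox` binaries, Bulbature's `/tmp/*.cfg` configuration files and its UPX packing) are straightforward to hunt for on a Linux host. The following is an added example, not tooling from Talos or from the report: a hunt routine that walks a filesystem root and reports those indicators, treating `busybox` as suspicious only when it sits inside a `.pkgdb` directory, since the utility itself is legitimate. UPX packing is recognized by the `UPX!` marker that the packer leaves in the binary. The demo tree it builds is constructed, and the hypothetical service home path in it is an assumption.

```python
"""Host hunt for the UAT-7290 Linux artifacts described in the Talos report.

Added example, not code from Talos. It checks only the indicators named in
the text: a hidden `.pkgdb` directory, the dropped daytime/chargen/busybox
binaries, Bulbature's /tmp/*.cfg files, and UPX-packed ELF files in those
locations. build_demo_tree() plants constructed artifacts for a dry run.
"""
import os
import tempfile

DROPPED_NAMES = {"daytime", "chargen", "busybox"}
ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"          # marker UPX leaves in packed binaries
PRUNE_TOP = {"proc", "sys", "dev", "run"}   # pseudo-filesystems when root is "/"
MAX_SCAN_BYTES = 32 * 1024 * 1024           # skip very large files


def is_upx_packed_elf(path):
    """True if `path` is a regular ELF file that contains the UPX marker."""
    try:
        if (os.path.islink(path) or not os.path.isfile(path)
                or os.path.getsize(path) > MAX_SCAN_BYTES):
            return False
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return False
    return data.startswith(ELF_MAGIC) and UPX_MAGIC in data


def hunt(root="/"):
    """Walk `root` and return a sorted list of (indicator, path) tuples."""
    root = os.path.abspath(root)
    tmp_dir = os.path.join(root, "tmp")
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in PRUNE_TOP]
        if os.path.basename(dirpath) == ".pkgdb":
            findings.append(("rushdrop_hidden_dir", dirpath))
            for name in filenames:
                p = os.path.join(dirpath, name)
                if name in DROPPED_NAMES:
                    findings.append(("rushdrop_dropped_binary", p))
                if is_upx_packed_elf(p):
                    findings.append(("upx_packed_elf", p))
        elif dirpath == tmp_dir:
            for name in filenames:
                p = os.path.join(dirpath, name)
                if name.endswith(".cfg"):
                    findings.append(("bulbature_c2_config", p))
                if is_upx_packed_elf(p):
                    findings.append(("upx_packed_elf", p))
    return sorted(findings)


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_demo_tree():
    """Construct a fake filesystem root with planted indicators (constructed data)."""
    root = tempfile.mkdtemp(prefix="uat7290-demo-")
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 29   # minimal ELF-looking header
    home = os.path.join(root, "home/svc")                     # hypothetical service account
    _write(os.path.join(home, ".pkgdb/daytime"), fake_elf)
    _write(os.path.join(home, ".pkgdb/chargen"), fake_elf + UPX_MAGIC + b"\x00" * 16)
    _write(os.path.join(home, ".pkgdb/busybox"), fake_elf)
    _write(os.path.join(root, "tmp/c2.cfg"), b"constructed placeholder config\n")
    _write(os.path.join(root, "tmp/notes.txt"), b"benign\n")
    _write(os.path.join(root, "usr/bin/busybox"), fake_elf)  # legitimate copy, not flagged
    return root


if __name__ == "__main__":
    for indicator, path in hunt(build_demo_tree()):
        print(f"{indicator:28s} {path}")
```

Run it as root against `/` on a suspect host, or point it at a mounted disk image. The indicators here are deliberately narrow, so a clean result does not clear the host; it only means these particular names and locations were not found.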
Shared Infrastructure and a Wider Ecosystem
Cisco Talos found the same Bulbature TLS certificate on 141 hosts based in China and Hong Kong. The IP addresses associated with these hosts have also been linked to other malware families, including SuperShell, GobRAT, and Cobalt Strike beacons, suggesting a shared or overlapping infrastructure ecosystem.
This reuse of certificates and hosting resources underscores how UAT-7290’s operations intersect with a broader constellation of China-aligned cyber activity. By establishing relay infrastructure that can be repurposed, the group effectively lowers the barrier for follow-on operations by other actors.
