{ "id": "1ca080c3-6e3e-4eb1-b515-ccb9af13d4b6", "created_at": "2026-04-06T00:19:14.865171Z", "updated_at": "2026-04-10T03:33:46.075902Z", "deleted_at": null, "sha1_hash": "89061abc87b6e8a83a257c110ccd0d73e3c3832f", "title": "UAT-7290 targets high value telecommunications infrastructure in South Asia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 143566, "plain_text": "UAT-7290 targets high value telecommunications infrastructure in\r\nSouth Asia\r\nBy Asheer Malhotra\r\nPublished: 2026-01-08 · Archived: 2026-04-05 15:27:27 UTC\r\nThursday, January 8, 2026 06:00\r\nCisco Talos is disclosing a sophisticated threat actor we track as UAT-7290, who has been active since at\r\nleast 2022.\r\nUAT-7290 is tasked with gaining initial access as well as conducting espionage focused intrusions against\r\ncritical infrastructure entities in South Asia.\r\nUAT-7290's arsenal includes a malware family consisting of implants we call RushDrop, DriveSwitch, and\r\nSilentRaid.\r\nOur findings indicate that UAT-7290 conducts extensive technical reconnaissance of target organizations\r\nbefore carrying out intrusions.\r\nTalos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of\r\nAdvanced Persistent Threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South\r\nAsia. However, in recent months we have also seen UAT-7290 expand their targeting into Southeastern Europe.\r\nIn addition to conducting espionage focused attacks where UAT-7290 burrows deep inside a victim enterprise’s\r\nnetwork infrastructure, their tactics, techniques and procedures (TTPs) and tooling suggests that this actor also\r\nestablishes Operational Relay Box (ORBs) nodes. The ORB infrastructure may then be used by other China-nexus\r\nactors in their malicious operations, signifying UAT-7290's dual role as an espionage motivated threat actor as\r\nwell as an initial access group.\r\nActive since at least 2022, UAT-7290 has an expansive arsenal of tooling, including open-source malware, custom\r\ndeveloped malware, and payloads for 1-day vulnerabilities in popular edge networking products. UAT-7290\r\nprimarily leverages a Linux based malware suite but may also utilize Windows based bespoke implants such as\r\nRedLeaves or Shadowpad commonly linked to China-nexus threat actors.\r\nOur findings suggest that the threat actor conducts extensive reconnaissance of target organizations before\r\ncarrying out intrusions. UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise\r\npublic facing edge devices to gain initial access and escalate privileges on compromised systems. The actor\r\nappears to rely on publicly available proof-of-concept exploit code as opposed to developing their own.\r\nUAT-7290 shares overlapping TTPs with known China-nexus adversaries, including the exploitation of high-profile vulnerabilities in networking devices, use of open-source web shells for persistence, leveraging UDP\r\nlisteners, and using compromised infrastructure to facilitate operations.\r\nhttps://blog.talosintelligence.com/uat-7290/\r\nPage 1 of 6\n\nSpecifically, we have observed technical indicators that overlap with RedLeaves, a malware family attributed to\r\nAPT10 (a.k.a. MenuPass, POTASSIUM and Purple Typhoon), as well as infrastructure associated with\r\nShadowPad, a malware family used by a variety of China-nexus adversaries.\r\nAdditionally, UAT-7290 shares a significant amount of overlap in victimology, infrastructure, and tooling with a\r\ngroup publicly reported by Recorded Future as Red Foxtrot. In a 2021 report, Recorded Future linked Red Foxtrot\r\nto Chinese People’s Liberation Army (PLA) Unit 69010.\r\nUAT-7290's malware arsenal for edge devices\r\nTalos currently tracks the Linux-based malware families associated with UAT-7290 in this intrusion as:\r\nRushDrop – The dropper that kickstarts the infection chain. RushDrop is also known as ChronosRAT.\r\nDriveSwitch – A peripheral malware used to execute the main implant on the infected system.\r\nSilentRaid – The main implant in the intrusion meant to establish persistent access to compromised\r\nendpoints. It communicates with its command-and-control server (C2) and carries out tasks defined in the\r\nmalware. SilentRaid is also known as MystRodX.\r\nAnother malware implanted on compromised devices by UAT-7290 is Bulbature. Bulbature, first disclosed by\r\nSekoia in late 2024, is an implant that is used to convert compromised devices into ORBs.\r\nRushDrop and DriveSwitch\r\nRushDrop is a malware dropper that consists of three binaries encoded and embedded within it. RushDrop first\r\nmakes rudimentary checks to ensure it is running on a legitimate system instead of a sandbox.\r\nFigure 1. RushDrop deleting itself if VM checks fail.\r\nThen it either checks for the existence of, or creates a folder called “.pkgdb” in the current working directory of\r\nthe dropper. RushDrop then decodes and drops three binaries to the “.pkgdb” folder:\r\n“daytime” - A malware family that simply executes a file called “chargen” from the current working\r\ndirectory. This executor is being tracked as DriveSwitch.\r\n“chargen” - The central implant of the infection chain, tracked as SilentRaid. SilentRaid communicates\r\nwith its C2 server, usually in the form of a domain and can carry out action as instructed by the C2.\r\n“busybox” - Busybox is a legitimate Linux utility that can be used to execute arbitrary commands on the\r\nsystem. \r\nhttps://blog.talosintelligence.com/uat-7290/\r\nPage 2 of 6\n\nFigure 2. RushDrop setting up files on disk.\r\n DriveSwitch simply executes the SilentRaid malware on the system.\r\nFigure 3. DriveSwitch executing SilentRaid.\r\nSilentRaid: The multifunctional malware\r\nSilentRaid is a malware written in C++ and consists of multiple functionalities, written in the form of “plugins”\r\nembedded in the malware. On execution, it does certain rudimentary anti-VM and analysis checks to ensure it\r\nisn’t running in a sandbox. Then the malware simply initializes its “plugins” and contacts the C2 server for\r\ninstructions to carry out malicious tasks on the infected endpoint. The plugins are built in functionalities, but\r\nmodular enough to enable the threat actor to stitch together a combination of them during compilation.\r\nPlugin: my_socks_mgr\r\nThis plugin handles communication to C2 server. It obtains the C2 IP by resolving a domain using “8[.]8[.]8[.]8”\r\nand passes commands received from the C2 to the appropriate plugin.\r\nPlugin:my_rsh\r\nThis plugin opens a remote shell by executing “sh” either via either “busybox” or “/bin/sh”. This remote shell is\r\nthen used to run arbitrary commands on the infected system.\r\nhttps://blog.talosintelligence.com/uat-7290/\r\nPage 3 of 6\n\nPlugin:port_fwd_mgr\r\nThis plugin sets up port forwarding between ports specified — a local port and a port on a remote server. It can\r\nalso set up port forwarding across multiple ports.\r\nPlugin:my_file_mgr\r\nThis is the file manager of the backdoor. It allows the SilentRaid to:\r\nRead contents of “/etc/passwd”\r\nExecute a specified file on the system\r\nArchive directories specified by the C2 using “tar -cvf” - executed via busybox\r\nCheck if a file is accessible\r\nRemove a file or directory using the “rm” command - via busybox\r\nRead/write a specified file\r\nSilentRaid can also parse thru x509 certificates and collect attribute information such as:\r\nid-at-dnQualifier | Distinguished Name qualifier\r\nid-at-pseudonym | Pseudonym\r\nhttps://blog.talosintelligence.com/uat-7290/\r\nPage 4 of 6\n\nid-domainComponent | Domain component\r\nid-at-uniqueIdentifier | Unique Identifier\r\nBulbature\r\nThe Bulbature malware discovered consisted of the same string encoding scheme as the other UAT-7290's\r\nmalware illustrated earlier. Usually UPX compressed, Bulbature can bind to and listen to either a random port of\r\nits choosing or one specified via command line via the “-d \u003cport_number\u003e” switch.\r\nBulbature obtains the local network interface’s name by executing the command:\r\ncat /proc/net/route | awk '{print $1,$2}' | awk '/00000000/ {print $1}'\r\nIt also obtains basic system information and the current user using the command:\r\necho $(whoami) $(uname -nrm)\r\nThe malware typically records its C2 address in a config file in the /tmp directory. The file will have the same\r\nname as the malware binary with the “.cfg” extension appended to it. The C2 address may be an encoded string.\r\nBulbature can obtain additional or new C2 addresses from the current C2 and can switch over communications\r\nwith them instead. The malware can open up a reverse shell with its C2 to execute arbitrary commands on the\r\ninfected system.\r\nA recent variant of Bulbature contained an embedded self-signed certificate that it used for communicating with\r\nthe C2. This certificate matches the one from the sample disclosed by Sekoia as well:\r\n509 Certificate:\r\nVersion: 3\r\nSerial Number: 81bab2934ee32534\r\nSignature Algorithm:\r\n Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA\r\n Algorithm Parameters:\r\n 05 00\r\nIssuer:\r\n O=Internet Widgits Pty Ltd\r\n S=Some-State\r\n C=AU\r\n Name Hash(sha1): d398f76c7ba0bbf79b1cac0620cdf4b42e505195\r\n Name Hash(md5): 4a963519b4950845a8d76668d4d7dd29\r\nNotBefore: 8/8/2019 3:33 AM\r\nNotAfter: 12/24/2046 3:33 AM\r\nSubject:\r\nhttps://blog.talosintelligence.com/uat-7290/\r\nPage 5 of 6\n\nO=Internet Widgits Pty Ltd\r\nS=Some-State\r\n C=AU\r\n Name Hash(sha1): d398f76c7ba0bbf79b1cac0620cdf4b42e505195\r\n Name Hash(md5): 4a963519b4950845a8d76668d4d7dd29\r\nCert Hash(sha256): 918fb8af4998393f5195bafaead7c9ba28d8f9fb0853d5c2d75f10e35be8015a\r\nCensys data shows that this certificate, with the exact Serial number, is present on at least 141 hosts, all either\r\nlocated in China or Hong Kong. On Virus Total, many of the IPs identified hosting this certificate are associated\r\nwith other malware typically associated with China-nexus of threat actors such as SuperShell, GobRAT, Cobalt\r\nStrike, etc.\r\nCoverage\r\nThe following ClamAV signatures detect and block this threat:\r\nUnix.Dropper.Agent\r\nUnix.Malware.Agent\r\nUnix.Packed.Agent\r\nThe following Snort Rule (SIDs) detects and blocks this threat: 65124\r\nIOCs\r\n723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200\r\n59568d0e2da98bad46f0e3165bcf8adadbf724d617ccebcfdaeafbb097b81596\r\n961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d\r\nSource: https://blog.talosintelligence.com/uat-7290/\r\nhttps://blog.talosintelligence.com/uat-7290/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://blog.talosintelligence.com/uat-7290/" ], "report_names": [ "uat-7290" ], "threat_actors": [ { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1aead86d-0c57-4e3b-b464-a69f6de20cde", "created_at": "2023-01-06T13:46:38.318176Z", "updated_at": "2026-04-10T02:00:02.925424Z", "deleted_at": null, "main_name": "DAGGER PANDA", "aliases": [ "UAT-7290", "Red Foxtrot", "IceFog", "RedFoxtrot", "Red Wendigo", "PLA Unit 69010" ], "source_name": "MISPGALAXY:DAGGER PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "04b07437-41bb-4126-bcbb-def16f19d7c6", "created_at": "2022-10-25T16:07:24.232628Z", "updated_at": "2026-04-10T02:00:04.906097Z", "deleted_at": null, "main_name": "Stone Panda", "aliases": [ "APT 10", "ATK 41", "Bronze Riverside", "CTG-5938", "CVNX", "Cuckoo Spear", "Earth Kasha", "G0045", "G0093", "Granite Taurus", "Happyyongzi", "Hogfish", "ITG01", "Operation A41APT", "Operation Cache Panda", "Operation ChessMaster", "Operation Cloud Hopper", "Operation Cuckoo Spear", "Operation New Battle", "Operation Soft Cell", "Operation TradeSecret", "Potassium", "Purple Typhoon", "Red Apollo", "Stone Panda", "TA429", "menuPass", "menuPass Team" ], "source_name": "ETDA:Stone Panda", "tools": [ "Agent.dhwf", "Agentemis", "Anel", "AngryRebel", "BKDR_EVILOGE", "BKDR_HGDER", "BKDR_NVICM", "BUGJUICE", "CHINACHOPPER", "ChChes", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "DARKTOWN", "DESLoader", "DILLJUICE", "DILLWEED", "Darkmoon", "DelfsCake", "Derusbi", "Destroy RAT", "DestroyRAT", "Ecipekac", "Emdivi", "EvilGrab", "EvilGrab RAT", "FYAnti", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "GreetCake", "HAYMAKER", "HEAVYHAND", "HEAVYPOT", "HTran", "HUC Packet Transmit Tool", "Ham Backdoor", "HiddenFace", "Impacket", "Invoke the Hash", "KABOB", "Kaba", "Korplug", "LODEINFO", "LOLBAS", "LOLBins", "Living off the Land", "MiS-Type", "Mimikatz", "Moudour", "Mydoor", "NBTscan", "NOOPDOOR", "Newsripper", "P8RAT", "PCRat", "PlugX", "Poison Ivy", "Poldat", "PowerSploit", "PowerView", "PsExec", "PsList", "Quarks PwDump", "Quasar RAT", "QuasarRAT", "RedDelta", "RedLeaves", "Rubeus", "SNUGRIDE", "SPIVY", "SharpSploit", "SigLoader", "SinoChopper", "SodaMaster", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "UpperCut", "Vidgrab", "WinRAR", "WmiExec", "Wmonder", "Xamtrav", "Yggdrasil", "Zlib", "certutil", "certutil.exe", "cobeacon", "dfls", "lena", "nbtscan", "pivy", "poisonivy", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434754, "ts_updated_at": 1775792026, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/89061abc87b6e8a83a257c110ccd0d73e3c3832f.pdf", "text": "https://archive.orkl.eu/89061abc87b6e8a83a257c110ccd0d73e3c3832f.txt", "img": "https://archive.orkl.eu/89061abc87b6e8a83a257c110ccd0d73e3c3832f.jpg" } }