**China-Linked UAT-7290 Spies on Telcos in South Asia and Europe Using Modular Malware**

A sophisticated cyber espionage campaign has been uncovered, targeting telecom providers in South Asia and Southeastern Europe. The attack, attributed to the China-linked threat actor UAT-7290, involves a complex arsenal of modular malware, exploiting vulnerabilities in edge networking devices and compromising Linux and Windows systems.

According to research, UAT-7290 has been conducting espionage attacks since at least 2022, primarily targeting telecom providers. The attackers use a broad toolset, including open-source tools, custom malware, and zero-day exploits against edge networking devices, favoring Linux malware but also deploying Windows implants like RedLeaves and ShadowPad.

What sets UAT-7290 apart is its dual role as both an espionage threat actor and an initial-access provider. The attackers operate Operational Relay Box (ORB) infrastructure, which is later reused by other China-nexus actors. This suggests a high level of coordination and cooperation between different groups, potentially linked to the Chinese government.

The attack chain begins with RushDrop, a dropper that checks for sandboxes and creates a hidden folder to deploy three components: DriveSwitch, SilentRaid, and a legitimate BusyBox utility. The role of DriveSwitch is to launch SilentRaid, the main backdoor, which is modular malware that contacts a command-and-control server and executes tasks through built-in plugins.

These plugins enable remote shells, file access, port forwarding, command execution, and data collection, including system files and certificate details. Another tool, Bulbature, provides additional backdoor capabilities, gathers system info, manages multiple C2 addresses, and opens reverse shells. Notably, Bulbature uses hardcoded or encoded C2 data and, in recent versions, a self-signed certificate linked to infrastructure in China and Hong Kong.

The research highlights significant overlap in TTPs (Tactics, Techniques, and Procedures), infrastructure, and victimology between UAT-7290 and known China-aligned groups such as APT10 and Red Foxtrot, which are linked to PLA Unit 69010. This suggests a strong connection between the attackers and the Chinese government.

Indicators of compromise (IoCs) have been included in the report, providing valuable information for security professionals to identify potential threats. The research emphasizes the importance of staying vigilant against sophisticated cyber espionage campaigns, especially those linked to nation-states.

As the cybersecurity landscape continues to evolve, it is essential to monitor and analyze threat actors' tactics, techniques, and procedures to stay ahead of emerging threats.

**Key Findings:**

* UAT-7290 has been conducting espionage attacks since at least 2022, targeting South Asia and Southeastern Europe.
* The attackers use a broad toolset, including open-source tools, custom malware, and zero-day exploits against edge networking devices.
* UAT-7290 operates Operational Relay Box (ORB) infrastructure, reused by other China-nexus actors.
* The attack chain involves RushDrop, DriveSwitch, SilentRaid, and Bulbature, providing backdoor capabilities and data collection.
* Significant overlap with APT10, Red Foxtrot, and PLA Unit 69010 suggests a strong connection to the Chinese government.
