Netcrook
👤 CRYSTALPROXY
🗓️ 08 Jan 2026   🌍 Asia

Shadow Over the Wires: Inside UAT-7290’s Stealthy Siege on Global Telecoms

A China-linked hacking group leverages Linux malware and covert relay nodes to infiltrate telecom networks from South Asia to Europe.

In the dim corners of the cyber underworld, a new player has emerged with a toolkit as cunning as it is effective. UAT-7290, a suspected China-backed hacking collective, has been quietly weaving its web through the world’s telecom networks, leaving a trail of digital fingerprints that reveal both espionage ambitions and a knack for enabling further cyberattacks. Their methods are surgical, their malware custom-crafted, and their targets - telecommunications giants - are the backbone of global connectivity.

Fast Facts

  • UAT-7290 is a China-linked threat actor active since at least 2022.
  • Primary targets include telecommunications providers in South Asia and, more recently, Southeastern Europe.
  • The group utilizes a suite of Linux-based malware - RushDrop, DriveSwitch, and SilentRaid - to gain and maintain access to networks.
  • Compromised devices are transformed into Operational Relay Boxes (ORBs), serving both espionage and broader cyber-attack functions.
  • UAT-7290 shares tactics and infrastructure with notorious Chinese hacking groups like Stone Panda and RedFoxtrot.

Deep Dive: Anatomy of a Cyber Siege

UAT-7290’s operations start with meticulous reconnaissance: before launching an intrusion, the group maps out a victim’s network and looks for weak points among its exposed services. For initial access it favours so-called “one-day” vulnerabilities, flaws that have recently been disclosed but are not yet widely patched, and exploits them with public proof-of-concept code rather than developing original exploits. Its initial access techniques also include brute-forcing SSH credentials on exposed hosts.
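The SSH brute-forcing described above leaves a recognisable trace in sshd logs: a burst of "Failed password" lines from one source, sometimes followed by an "Accepted password" for the same source, which is the case a defender most wants to catch. The following detector is an added example written for this article; it is not tooling from UAT-7290, Cisco Talos or any vendor. The log lines are constructed in the standard auth.log format, and the threshold (5 failures) and window (2 minutes) are assumptions to tune per environment.

```python
"""Detect SSH password brute-forcing, and brute-force followed by a successful
password login, in sshd auth.log lines.

Added example for this article, not code from the threat actor or any vendor.
SAMPLE_LOG is constructed; threshold and window are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in classic syslog auth.log format (no year, as syslog writes them).
SAMPLE_LOG = """\
Jan  8 03:12:01 edge-gw sshd[4112]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jan  8 03:12:03 edge-gw sshd[4113]: Failed password for root from 198.51.100.23 port 51024 ssh2
Jan  8 03:12:05 edge-gw sshd[4114]: Failed password for root from 198.51.100.23 port 51026 ssh2
Jan  8 03:12:07 edge-gw sshd[4115]: Failed password for invalid user oracle from 198.51.100.23 port 51028 ssh2
Jan  8 03:12:09 edge-gw sshd[4116]: Failed password for root from 198.51.100.23 port 51030 ssh2
Jan  8 03:12:11 edge-gw sshd[4117]: Accepted password for root from 198.51.100.23 port 51032 ssh2
Jan  8 03:15:40 edge-gw sshd[4200]: Failed password for alice from 203.0.113.9 port 40010 ssh2
Jan  8 03:15:52 edge-gw sshd[4201]: Accepted publickey for alice from 203.0.113.9 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(lines, year=2026):
    """Return a list of (timestamp, ip, user, result, method) for auth events."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd noise (disconnects, key exchange) is ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: verdict}; verdict is 'bruteforce' when at least
    `threshold` password failures fall inside `window`, and 'bruteforce_success'
    when a password login from that source is accepted at or after the burst."""
    by_ip = defaultdict(list)
    for ev in parse(lines):
        by_ip[ev[1]].append(ev)

    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e[0] for e in evs if e[3] == "Failed" and e[4] == "password"]
        burst_end = None
        # Sliding window over failure timestamps.
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j] - failures[i] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = failures[j - 1]
                break
        if burst_end is None:
            continue
        verdict = "bruteforce"
        # A password success after the burst means the guessed credential worked.
        if any(e[3] == "Accepted" and e[4] == "password" and e[0] >= burst_end for e in evs):
            verdict = "bruteforce_success"
        verdicts[ip] = verdict
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

Public-key logins are deliberately excluded from the success check, since they cannot be guessed. The cheapest fix on the host side is to set `PasswordAuthentication no` in `sshd_config` on Internet-facing systems, which turns the brute-force leg of this playbook into pure noise.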

Once inside, UAT-7290 deploys a unique Linux malware suite. The infection usually begins with RushDrop (also known as ChronosRAT), a dropper that sets the stage for further compromise. Next comes DriveSwitch, a peripheral malware that delivers SilentRaid - a sophisticated implant capable of persistent access, remote shell operations, port forwarding, and file manipulation. These tools allow attackers to burrow deep into critical infrastructure, often remaining undetected for extended periods.

But the group’s ambitions don’t end at espionage. UAT-7290 is also notable for transforming compromised systems into Operational Relay Boxes (ORBs). These ORBs act as covert relay points, forwarding commands and stolen data not just for UAT-7290, but potentially for other China-aligned cyber actors, so that traffic reaching a victim appears to come from a legitimate telecom or edge device rather than from attacker infrastructure. The backdoor known as Bulbature, first exposed in late 2024, is engineered specifically for this purpose, turning edge devices into launchpads for further attacks.
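An ORB is hard to spot from the content of its traffic, but its role shows in flow metadata: a device that accepts an inbound session and, within moments, opens an outbound session carrying almost the same byte counts is forwarding rather than serving. The following heuristic is an added example written for this article, not a detection from any vendor and not derived from UAT-7290 or Bulbature samples. The flow records are constructed, and the lag (2 s), byte-ratio (0.9) and pair-count (2) thresholds are assumptions to tune against a real network’s baseline.

```python
"""Flag hosts whose flow records look like an Operational Relay Box (ORB):
inbound and outbound sessions that start almost together and carry
near-identical byte volumes in both directions.

Added example for this article; not vendor detection content and not based
on any UAT-7290 sample. FLOWS and all thresholds are constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Flow:
    start: float      # start time in seconds (constructed)
    src: str
    dst: str
    dport: int
    bytes_fwd: int    # bytes from src to dst
    bytes_rev: int    # bytes from dst to src


# Constructed flows. 192.0.2.10 is a CPE router that takes a session from an
# external host and immediately opens a matching session to an internal target.
FLOWS = [
    Flow(1000.0, "198.51.100.77", "192.0.2.10", 443, 52000, 1800),
    Flow(1000.4, "192.0.2.10", "10.20.30.5", 22, 51900, 1750),
    Flow(1060.0, "198.51.100.77", "192.0.2.10", 443, 9000, 400),
    Flow(1060.3, "192.0.2.10", "10.20.30.6", 445, 8950, 410),
    # Benign: workstation pulling updates, no inbound leg to pair with.
    Flow(1100.0, "10.20.30.50", "203.0.113.8", 443, 1200, 840000),
    # Benign: web server answers a client and queries a database; sizes unrelated.
    Flow(1200.0, "198.51.100.90", "10.20.30.80", 443, 3000, 90000),
    Flow(1200.2, "10.20.30.80", "10.20.30.81", 5432, 300, 4000),
]


def similar(x, y, min_ratio):
    """True when the smaller value is at least min_ratio of the larger."""
    if x == 0 or y == 0:
        return x == y
    return min(x, y) / max(x, y) >= min_ratio


def relay_candidates(flows, max_lag=2.0, min_ratio=0.9, min_pairs=2):
    """Return {host: [(inbound_flow, outbound_flow), ...]} for hosts with at
    least min_pairs inbound/outbound pairs that start within max_lag seconds
    and whose byte counts match in both directions."""
    inbound = defaultdict(list)
    outbound = defaultdict(list)
    for f in flows:
        inbound[f.dst].append(f)
        outbound[f.src].append(f)

    result = {}
    for host in set(inbound) & set(outbound):
        pairs = []
        for a, b in product(inbound[host], outbound[host]):
            if a.src == b.dst:
                continue  # a reply to the same peer is not relaying
            lag = b.start - a.start
            if not 0 <= lag <= max_lag:
                continue
            if similar(a.bytes_fwd, b.bytes_fwd, min_ratio) and similar(a.bytes_rev, b.bytes_rev, min_ratio):
                pairs.append((a, b))
        if len(pairs) >= min_pairs:
            result[host] = pairs
    return result


if __name__ == "__main__":
    for host, pairs in relay_candidates(FLOWS).items():
        print(f"{host}: {len(pairs)} relayed session(s)")
        for a, b in pairs:
            print(f"  {a.src} -> {host} -> {b.dst}:{b.dport}  lag={b.start - a.start:.1f}s")
```

Requiring at least two matching pairs keeps a single coincidental flow from triggering, and the byte-ratio check in both directions is what separates a relay from a legitimate reverse proxy or load balancer, which normally changes response sizes by compressing or caching. Run against real NetFlow or IPFIX exports, the first thing to whitelist is the devices that are supposed to forward traffic.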

What makes UAT-7290 particularly dangerous is its adaptability. The group blends open-source malware with custom tools and borrows tactics from infamous collectives such as Stone Panda and RedFoxtrot. This hybrid approach makes attribution challenging and defense even harder, as their operations evolve with each campaign.

The Stakes: Telecoms at the Crosshairs

Telecommunications networks are the arteries of modern society, and compromises here ripple far beyond individual organizations. By embedding themselves into these systems, UAT-7290 not only harvests intelligence but also opens doors for future attacks - potentially impacting millions of users. As the cyber threat landscape grows more complex, the shadowy work of groups like UAT-7290 underscores the urgent need for vigilance, rapid patching, and global cooperation in defense.

WIKICROOK

  • Dropper: A dropper is a type of malware that secretly installs additional malicious programs on an infected device, helping attackers bypass security measures.
  • Operational Relay Box (ORB): An Operational Relay Box (ORB) is a hacked device used by cybercriminals to secretly relay commands and data, masking their true identity and location.
  • One-Day Vulnerability: A one-day (or n-day) vulnerability is a flaw that has been publicly disclosed, and usually patched by the vendor, but not yet fixed on many exposed systems, leaving a window in which attackers can use public exploit code against it.
  • SSH Brute Force: SSH brute force is an attack where hackers try many username and password combinations to log in to systems via SSH. Key-based authentication, rate limiting, and lockouts after repeated failures help prevent it.
  • Persistent Access: Persistent access is when attackers set up ways to keep control of a system, even if their original entry point is found and closed.

CRYSTALPROXY, Secure Routing Analyst