A sophisticated threat actor that uses Linux-based malware to target telecommunications providers has recently broadened its operations to include organizations in Southeastern Europe.

Tracked internally by Cisco Talos as UAT-7290, the actor shows strong China nexus indicators and typically focuses on telcos in South Asia in cyber-espionage operations.

Active since at least 2022, the UAT-7290 group also serves as an initial access group by establishing an Operational Relay Box (ORB) infrastructure during the attacks, which is then utilized by other China-aligned threat actors.

According to the researchers, the hackers conduct extensive reconnaissance before a breach and deploy a mix of custom and open-source malware and public exploits for known flaws in edge network devices.

“UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access and escalate privileges on compromised systems,” Cisco Talos says in a report today.

UAT-7290 arsenal

UAT-7290 primarily uses a Linux-based malware suite, with occasional deployments of Windows implants such as RedLeaves and ShadowPad, which are widely shared among multiple China-nexus actors.

Cisco highlights the following Linux malware families, linking them to UAT-7290:

• RushDrop (ChronosRAT) – Initial dropper that begins the infection chain. Performs basic anti-VM checks, creates or verifies a hidden .pkgdb directory, and decodes three binaries embedded inside: daytime (DriveSwitch executor), chargen (the SilentRaid implant), and busybox, a legitimate Linux utility abused for command execution.
• DriveSwitch – Peripheral component dropped by RushDrop with the primary function to execute the SilentRaid implant on the compromised system.
• SilentRaid (MystRodX) – The main persistent implant, written in C++ and built around a plugin-based design. It performs basic anti-analysis checks, resolves its C2 domain using Google’s public DNS resolver; supports remote shell access, port forwarding, file operations, directory archiving with tar, access to /etc/passwd, and collection of X.509 certificate attributes.
• Bulbature – A Linux-based UPX-packed implant previously documented by Sekoia, used to convert compromised devices into Operational Relay Boxes (ORBs). It listens on configurable ports, opens reverse shells, and stores C2 configuration in /tmp/*.cfg, supports C2 rotation, and uses a self-signed TLS certificate.

The Bulbature TLS certificate, which is the same as the one Sekoia documented previously, is found on 141 China- and Hong Kong-based hosts, whose IPs have been associated with other malware families such as SuperShell, GobRAT, and Cobalt Strike beacons.

Cisco Talos’ report provides technical details about the malware used by UAT-7290, along with a list of indicators of compromise to help organizations defend against this threat actor.