
China-linked UAT-7290 spies on telco in South Asia and Europe using modular malware


China-linked UAT-7290 has targeted South Asia and Southeastern Europe since 2022, conducting espionage and deploying RushDrop, DriveSwitch, and SilentRaid.

China-linked threat actor UAT-7290 has conducted espionage attacks since at least 2022, targeting South Asia and Southeastern Europe.

UAT-7290 primarily targets telecom providers. It conducts espionage by embedding itself deeply in victim networks, and it also operates Operational Relay Box (ORB) infrastructure that is later reused by other China-nexus actors, which suggests a dual role as both an espionage group and an initial-access provider.

The threat actor uses a broad toolset, including open-source tools, custom malware, and one-day exploits (exploits for already-patched flaws) against edge networking devices. It favors Linux malware but also deploys Windows implants such as RedLeaves and ShadowPad. Attacks are preceded by extensive reconnaissance and rely on proof-of-concept (PoC) exploits and SSH brute force for initial access. Its TTPs, infrastructure, and victimology overlap with known China-aligned groups such as APT10 and Red Foxtrot, the latter linked to PLA Unit 69010.
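The SSH brute-force component of the initial access described above is something a defender can catch on the host long before an implant lands. The following is an added example, not code from the Talos report or from this article: it parses constructed OpenSSH auth-log lines (the sample lines, host name, and IP addresses are made up), keeps a sliding window of failed logins per source address, and raises a higher-severity alert when a successful login follows a burst of failures from the same source. The window and threshold values are assumptions to be tuned per environment.

```python
"""Flag SSH password-guessing bursts in OpenSSH auth logs (added example).

The log lines, host name and addresses below are constructed for the demo;
WINDOW/THRESHOLD defaults are assumptions, not values from the report.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: syslog-style sshd lines (classic auth.log, no year).
SAMPLE_LOG = """\
Mar  3 10:00:01 edge01 sshd[2001]: Failed password for root from 198.51.100.7 port 50211 ssh2
Mar  3 10:00:02 edge01 sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 50212 ssh2
Mar  3 10:00:03 edge01 sshd[2003]: Failed password for root from 198.51.100.7 port 50213 ssh2
Mar  3 10:00:04 edge01 sshd[2004]: Failed password for invalid user ubnt from 198.51.100.7 port 50214 ssh2
Mar  3 10:00:05 edge01 sshd[2005]: Failed password for root from 198.51.100.7 port 50215 ssh2
Mar  3 10:00:09 edge01 sshd[2006]: Accepted password for root from 198.51.100.7 port 50216 ssh2
Mar  3 10:05:00 edge01 sshd[2101]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Mar  3 10:05:20 edge01 sshd[2102]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults to 1900; fine for ordering
    return ts, m["result"], m["user"], m["src"]


def detect(log_text, window=60, threshold=5):
    """Return alerts for (a) >= `threshold` failures from one source within
    `window` seconds and (b) a successful login from a source that is currently
    over that threshold (the case that matters most)."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    users = defaultdict(set)       # src -> usernames tried from that source
    alerted = set()                # sources already reported for a burst
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        q = failures[src]
        # Evict failures that have fallen out of the sliding window.
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if result == "Failed":
            q.append(ts)
            users[src].add(user)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"type": "bruteforce", "src": src,
                               "failures": len(q), "users": sorted(users[src])})
        elif len(q) >= threshold:
            # Success right after a burst of failures: treat as a likely compromise.
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "user": user, "failures": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On a real host, feed `detect()` the output of `journalctl -u ssh` or `/var/log/auth.log`; the username set in the burst alert is useful because password spraying across default accounts (root, admin, vendor names) looks different from one user mistyping a password.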

“Talos currently tracks the Linux-based malware families associated with UAT-7290 in this intrusion as:

  • RushDrop – The dropper that kickstarts the infection chain. RushDrop is also known as ChronosRAT.
  • DriveSwitch – A peripheral malware used to execute the main implant on the infected system.
  • SilentRaid – The main implant in the intrusion meant to establish persistent access to compromised endpoints. It communicates with its command-and-control server (C2) and carries out tasks defined in the malware. SilentRaid is also known as MystRodX.” reads the report published by Cisco Talos.

“Another malware implanted on compromised devices by UAT-7290 is Bulbature. Bulbature, first disclosed by Sekoia in late 2024, is an implant that is used to convert compromised devices into ORBs.”

The attack chain starts with RushDrop, a dropper that checks for sandboxes and then creates a hidden folder to deploy three components: DriveSwitch, SilentRaid, and a legitimate BusyBox utility.

The role of DriveSwitch is to launch SilentRaid, the main backdoor. SilentRaid is modular malware that contacts a command-and-control server and executes tasks through built-in plugins. These plugins enable remote shells, file access, port forwarding, command execution, and data collection, including system files and certificate details. Another tool, Bulbature, provides additional backdoor capabilities, gathers system info, manages multiple C2 addresses, and opens reverse shells. Bulbature uses hardcoded or encoded C2 data and, in recent versions, a self-signed certificate linked to infrastructure in China and Hong Kong, commonly associated with China-nexus threat actors.
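The staging step of the chain above (a hidden folder holding several ELF components plus a copy of BusyBox) is a host-level artifact worth hunting for, independent of the specific file names. The script below is an added example, not Talos detection logic: it walks a filesystem tree, reports hidden directories that contain at least two ELF files, and notes which of those files carry a BusyBox version banner. The directory layout it scans is constructed in a temporary tree for the demo, and the file names, the two-ELF minimum and the banner heuristic are assumptions for illustration.

```python
"""Hunt for hidden directories staging multiple ELF binaries plus a BusyBox copy.

Added example, not the report's own tooling. The demo tree, file names and
the thresholds are constructed/assumed for illustration.
"""
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
PSEUDO_FS = {"/proc", "/sys", "/dev"}  # skip when scanning a live root


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic bytes."""
    try:
        with path.open("rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def looks_like_busybox(path: Path) -> bool:
    """Heuristic (assumption): real BusyBox builds embed a 'BusyBox v...' banner."""
    try:
        return b"BusyBox v" in path.read_bytes()
    except OSError:
        return False


def hunt(root: Path, min_elf: int = 2):
    """Return hidden directories under `root` holding >= min_elf ELF files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        # Do not descend into kernel pseudo-filesystems on a real host.
        dirnames[:] = [n for n in dirnames if str(d / n) not in PSEUDO_FS]
        if d == root or not d.name.startswith("."):
            continue
        elfs = [d / f for f in filenames if is_elf(d / f)]
        if len(elfs) < min_elf:
            continue
        hits.append({
            "dir": str(d.relative_to(root)),
            "elf_count": len(elfs),
            "busybox": sorted(p.name for p in elfs if looks_like_busybox(p)),
        })
    return hits


def build_demo_tree(base: Path) -> None:
    """Constructed layout: one hidden staging dir with two ELF-looking files and a
    fake BusyBox, one benign hidden config dir, one normal bin dir."""
    header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64  # minimal ELF-looking prefix
    staging = base / "var" / "tmp" / ".cache"            # placeholder path, not from the report
    staging.mkdir(parents=True)
    (staging / "stage1").write_bytes(header)
    (staging / "stage2").write_bytes(header)
    (staging / "busybox").write_bytes(header + b"BusyBox v1.36.1 multi-call binary")
    benign = base / "home" / "alice" / ".config"
    benign.mkdir(parents=True)
    (benign / "settings.ini").write_text("[ui]\ntheme=dark\n")
    usrbin = base / "usr" / "bin"
    usrbin.mkdir(parents=True)
    (usrbin / "ls").write_bytes(header)
    (usrbin / "cat").write_bytes(header)


def run_demo():
    """Build the constructed tree in a temp dir and return the hunt results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_demo_tree(base)
        return hunt(base)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Run `hunt(Path("/"))` on a suspect box; expect noise from package-manager caches and developer tool directories, so triage hits by whether the ELF files are unpackaged (not owned by any installed package) rather than by the hidden-directory property alone.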

“we have observed technical indicators that overlap with RedLeaves, a malware family attributed to APT10 (a.k.a. MenuPass, POTASSIUM and Purple Typhoon), as well as infrastructure associated with ShadowPad, a malware family used by a variety of China-nexus adversaries.” concludes the report.

“Additionally, UAT-7290 shares a significant amount of overlap in victimology, infrastructure, and tooling with a group publicly reported by Recorded Future as Red Foxtrot. In a 2021 report, Recorded Future linked Red Foxtrot to Chinese People’s Liberation Army (PLA) Unit 69010.”

The report includes indicators of compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, China)