China-Nexus Actor UAT-7290 Linked to Espionage Operations
A sophisticated threat actor, identified as UAT-7290 and believed to operate with ties to China, has been implicated in espionage-focused cyber intrusions targeting organizations across South Asia and Southeastern Europe. The activity cluster, active since at least 2022, meticulously gathers extensive technical intelligence on potential victims before deploying a suite of malware, including familiar families like RushDrop, DriveSwitch, and SilentRaid, according to a recent report from Cisco Talos.
The actor’s operations are characterized by deep dives into victim networks, aiming for sustained espionage. Researchers suggest UAT-7290 also establishes Operational Relay Box (ORB) nodes. This infrastructure may then be utilized by other China-nexus threat groups, positioning UAT-7290 as both an espionage-motivated actor and an initial access provider for broader cyber campaigns. This dual role highlights the intricate nature of modern cyber threat landscapes.
Extensive Reconnaissance and Broad Toolset
UAT-7290’s modus operandi involves a comprehensive reconnaissance phase prior to launching attacks. This extensive technical probing allows the actor to understand target environments thoroughly before initiating any intrusion. The actor’s tradecraft is notable for its diversity, incorporating open-source malware, custom-developed tools, and payloads designed to exploit one-day vulnerabilities in prevalent edge networking products.
The group’s arsenal includes well-known Windows implants that have been exclusively linked to Chinese hacking entities, such as RedLeaves (also known as BUGJUICE) and ShadowPad. However, a significant portion of their operations relies on a Linux-based malware suite. This suite includes RushDrop, a dropper that initiates the infection chain; DriveSwitch, a peripheral malware used to execute other malicious payloads; and SilentRaid, a C++-based implant designed for persistent access. SilentRaid allows for remote shell access, file operations, and plugin-like communication with external command-and-control servers.
Linux Malware and ORB Infrastructure
The Linux-based malware suite employed by UAT-7290 is central to its operational capabilities. RushDrop acts as the initial entry point, setting the stage for subsequent infections. DriveSwitch then facilitates the deployment of SilentRaid, which establishes a foothold within compromised systems. SilentRaid’s modular design enables the threat actor to perform various actions remotely after gaining persistent access.
Further analysis of SilentRaid suggests it may be a variant of ChronosRAT, a modular ELF binary capable of a wide range of functions including shellcode execution, file management, keylogging, and proxy capabilities. Cybersecurity firms are tracking the activity cluster associated with these tools under different monikers, indicating a coordinated effort in understanding and mitigating these threats. Additionally, UAT-7290 utilizes a backdoor known as Bulbature, which is specifically designed to convert compromised edge devices into ORB nodes. The emergence of Bulbature, documented in late 2024, underscores the evolving tactics of the group.
Tactical Overlaps and Initial Access Strategies
Researchers have identified significant tactical and infrastructure overlaps between UAT-7290 and other China-linked adversary groups, namely Stone Panda and RedFoxtrot. This suggests possible coordination or shared resources among these groups. The threat actor's reliance on publicly available proof-of-concept exploit code, rather than developing proprietary exploits, points to an efficient and resource-conscious approach to cyber intrusions.
UAT-7290’s primary method for gaining initial access involves compromising public-facing edge devices. This is achieved through a combination of exploiting known vulnerabilities and target-specific SSH brute-force attacks. Once initial access is secured, the actor focuses on escalating privileges within the compromised network infrastructure. The establishment of ORB nodes through tools like Bulbature further indicates a strategic intent to maintain anonymity and facilitate broader malicious operations, not just for themselves but potentially for other allied threat actors.
Future Outlook and Monitoring
The attribution of these espionage activities to UAT-7290, with suspected ties to China, emphasizes the ongoing threat posed by state-sponsored or state-aligned cyber espionage groups. The actor’s consistent targeting of telecommunications entities and expansion into new geographical regions like Southeastern Europe warrant continued vigilance from cybersecurity professionals.
The ongoing analysis of UAT-7290’s toolkit and tactics, particularly the use of Linux-based malware and the establishment of ORB infrastructure, will be crucial for developing effective defenses. Future efforts will likely focus on improved detection mechanisms for these specific malware families and enhanced monitoring of edge device security to prevent initial access. The potential for shared infrastructure and tactics with other known China-nexus groups also necessitates broad threat intelligence sharing.
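The target-specific SSH brute-force attempts against edge devices described above are one of the few initial-access behaviours on this page that a defender can check for directly in host logs. The following is an added detection example, not code from the Cisco Talos report or from any of the tools it names. It assumes OpenSSH-style auth.log lines (the "Failed password for ... from ..." and "Accepted ... for ... from ..." formats) and a syslog timestamp without a year; the sample log lines are constructed for illustration, and the threshold and window values are arbitrary assumptions to tune per environment. It flags any source address that reaches the failure threshold inside the window, and separately notes whether a successful login from that same address followed the burst, which is the signal most worth escalating.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not real data): one address hammers root/admin
# and then succeeds; a second address has a single failure followed by a key login.
SAMPLE_LOG = """\
Jan 14 02:10:01 edge-gw sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan 14 02:10:03 edge-gw sshd[2213]: Failed password for root from 203.0.113.45 port 51030 ssh2
Jan 14 02:10:05 edge-gw sshd[2215]: Failed password for invalid user admin from 203.0.113.45 port 51041 ssh2
Jan 14 02:10:08 edge-gw sshd[2217]: Failed password for root from 203.0.113.45 port 51055 ssh2
Jan 14 02:10:11 edge-gw sshd[2219]: Failed password for admin from 203.0.113.45 port 51063 ssh2
Jan 14 02:10:15 edge-gw sshd[2221]: Accepted password for admin from 203.0.113.45 port 51070 ssh2
Jan 14 02:30:00 edge-gw sshd[2300]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jan 14 02:31:00 edge-gw sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
"""

# Assumed OpenSSH log shape; "invalid user" is optional and is dropped so the
# attempted username is captured either way.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or return None for lines we do not model.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that reaches `threshold` failed logins within
    `window`. Each alert records the usernames tried and, if an Accepted login from
    the same IP occurred at or after the burst, the account that was logged into."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]

        # Sliding window over failure timestamps: advance `start` until the span
        # fits in `window`, then check whether the window holds enough failures.
        burst_end = None
        start = 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]["ts"]
                break
        if burst_end is None:
            continue

        # A success from the same address after the burst is the high-priority case.
        success_after = [e for e in evs
                         if e["result"] == "Accepted" and e["ts"] >= burst_end]
        alerts.append({
            "ip": ip,
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "success_after_burst": success_after[0]["user"] if success_after else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Running the block on the constructed sample yields a single alert for 203.0.113.45 (five failures across root and admin, followed by a successful password login as admin) and nothing for 198.51.100.7, whose lone failure and key-based login are normal. On a real edge device the same logic applies to whatever log the platform exports; the parser is the only part that changes.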