Cisco Talos has pulled the curtain back on UAT-7290, a China-nexus threat actor active since at least 2022. Specializing in stealth and persistence, the group has been systematically burrowing into the networks of critical infrastructure entities, with a particular focus on telecommunications providers in South Asia and, more recently, Southeastern Europe.
The group is not just a spy; it’s a builder of attack highways. According to the report, UAT-7290 plays a dual role: conducting deep-cover espionage and establishing Operational Relay Box (ORB) infrastructure that other hackers can use to route their attacks.
What makes UAT-7290 particularly dangerous is its versatility. While many groups focus solely on data theft or disruption, this actor builds infrastructure for the long haul.
“Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of Advanced Persistent Threat actors (APTs),” the researchers state.
Beyond its own spying, the group acts as a quartermaster for other state-aligned groups. “The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290’s dual role as an espionage motivated threat actor as well as an initial access group.”
UAT-7290 doesn’t rely on off-the-shelf tools alone. They deploy a custom-built arsenal designed to infiltrate, persist, and exfiltrate without detection. The report identifies three key implants: RushDrop, DriveSwitch, and SilentRaid.
One of the group’s most interesting tools, though, is a backdoor known as Bulbature. This malware is designed for resilience. “Bulbature can obtain additional or new C2 addresses from the current C2 and can switch over communications with them instead,” allowing the attackers to maintain control even if defenders block their primary servers. In practice that means blocking a single C2 address is not enough: once a known server is cut off, defenders should expect the same hosts to begin beaconing to new infrastructure.
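The failover behaviour described above has a defender-side counterpart: after a known C2 is blocked, look for hosts that pivot to a new, previously unseen external destination on a regular beacon interval. The script below is an added example written for this article; it is not Talos code and does not model Bulbature’s real protocol. The log format, the block list (`KNOWN_C2`), the internal ranges (`INTERNAL_NETS`) and the sample lines are all constructed assumptions for the demonstration.

```python
"""Hunt for C2 failover after a block (constructed example).

Added illustration for this article, not code from Cisco Talos and not a
model of Bulbature's real protocol. It reads firewall/proxy connection logs,
finds hosts whose traffic to a known C2 was blocked, and flags any new
external destination the same host then starts beaconing to at a regular
interval. Log format, block list and sample lines are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed sample lines: "<ISO timestamp> <src> <dst> <dst_port> <action>".
# 10.20.5.14 pivots to a new server after its C2 is blocked; 10.20.5.22 makes
# a single one-off connection (not a beacon); 10.20.5.30 was never blocked.
SAMPLE_LOGS = """\
2024-05-01T09:00:00 10.20.5.14 203.0.113.10 443 ALLOW
2024-05-01T09:10:00 10.20.5.14 203.0.113.10 443 ALLOW
2024-05-01T09:20:00 10.20.5.14 203.0.113.10 443 ALLOW
2024-05-01T09:30:00 10.20.5.14 203.0.113.10 443 BLOCK
2024-05-01T09:31:00 10.20.5.14 198.51.100.7 443 ALLOW
2024-05-01T09:41:00 10.20.5.14 198.51.100.7 443 ALLOW
2024-05-01T09:51:00 10.20.5.14 198.51.100.7 443 ALLOW
2024-05-01T10:01:00 10.20.5.14 198.51.100.7 443 ALLOW
2024-05-01T09:05:00 10.20.5.22 203.0.113.10 443 ALLOW
2024-05-01T09:30:00 10.20.5.22 203.0.113.10 443 BLOCK
2024-05-01T09:45:00 10.20.5.22 192.0.2.55 443 ALLOW
2024-05-01T09:50:00 10.20.5.22 10.20.1.9 445 ALLOW
2024-05-01T10:00:00 10.20.5.30 198.51.100.7 443 ALLOW
"""

KNOWN_C2 = {"203.0.113.10"}                 # assumed block-listed C2 address
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address ranges


def parse_logs(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, action = parts
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "port": int(port), "action": action})
    records.sort(key=lambda r: r["ts"])
    return records


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def regular_interval(times, jitter):
    """True if the gaps between consecutive timestamps differ by at most `jitter`."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return bool(gaps) and max(gaps) - min(gaps) <= jitter.total_seconds()


def find_failover_candidates(log_text, known_c2=KNOWN_C2, window=timedelta(hours=2),
                             min_beacons=3, jitter=timedelta(seconds=90)):
    """Return {src: [(new_dst, beacon_count, mean_gap_seconds), ...]} for hosts
    that began regular beaconing to a never-before-seen external destination
    within `window` of their first blocked connection to a known C2."""
    by_src = defaultdict(list)
    for r in parse_logs(log_text):
        by_src[r["src"]].append(r)

    findings = {}
    for src, recs in by_src.items():
        blocks = [r for r in recs if r["action"] == "BLOCK" and r["dst"] in known_c2]
        if not blocks:
            continue
        t_block = blocks[0]["ts"]
        # Baseline: every destination this host contacted before the block.
        baseline = {r["dst"] for r in recs if r["ts"] < t_block}
        # Post-block allowed connections to external destinations not in the baseline.
        after = defaultdict(list)
        for r in recs:
            if (t_block < r["ts"] <= t_block + window and r["action"] == "ALLOW"
                    and r["dst"] not in baseline and not is_internal(r["dst"])):
                after[r["dst"]].append(r["ts"])
        hits = []
        for dst, times in after.items():
            if len(times) >= min_beacons and regular_interval(times, jitter):
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                hits.append((dst, len(times), mean(gaps)))
        if hits:
            findings[src] = hits
    return findings


if __name__ == "__main__":
    for host, hits in find_failover_candidates(SAMPLE_LOGS).items():
        for dst, n, gap in hits:
            print(f"{host}: switched to {dst} ({n} beacons, ~{gap:.0f}s apart) after C2 block")
```

On the sample data only 10.20.5.14 is flagged: it moves to 198.51.100.7 one minute after the block and beacons every ten minutes. The single connection from 10.20.5.22 to 192.0.2.55 is ignored because it never reaches the beacon threshold, and the new destination 198.51.100.7 seen from 10.20.5.30 is not a failover because that host was never blocked. In a real deployment the block list would come from the published indicators, and a second pass worth adding is to pivot on the newly flagged destination across all hosts, since a failover C2 discovered on one machine is often shared by every implant in the environment.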
The group also employs “extensive technical reconnaissance of target organizations before carrying out intrusions,” ensuring they know exactly where the weak points are before they strike.
While their primary hunting ground has been the telecommunications sector in South Asia, UAT-7290 is on the move. “In recent months we have also seen UAT-7290 expand their targeting into Southeastern Europe,” the report notes, signaling a shift in strategic priorities.
By “burrowing deep inside a victim enterprise’s network infrastructure,” UAT-7290 ensures that once they are in, they are incredibly difficult to dislodge. Security teams in the targeted regions are urged to hunt for the specific indicators associated with this new and formidable threat.