A China-nexus threat actor tracked as UAT-7290 has been held responsible for espionage-focused intrusions against entities in South Asia and Southeastern Europe.
According to a Cisco Talos report published today, the activity cluster, which has been active since at least 2022, focuses on extensive technical reconnaissance of target organizations before launching attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid.
Researchers Ashir Malhotra, Vitor Ventura and Brandon White said, “In addition to carrying out espionage-focused attacks, where UAT-7290 penetrates deep inside a victim enterprise’s network infrastructure, their tactics, techniques and procedures (TTP) and tooling suggest that this actor also installs Operational Relay Box (ORB) nodes.”
“The ORB infrastructure can be used by other China-Nexus actors in their malicious operations, reflecting UAT-7290’s dual role as an espionage-driven threat actor as well as an early access group.”
The adversary's attacks have primarily targeted telecommunications providers in South Asia, but recent waves of intrusions have expanded to organizations in Southeastern Europe.
UAT-7290's tradecraft is as broad as it is diverse, relying on a combination of open-source malware, custom tooling, and one-day exploits for vulnerabilities in popular edge networking products. Notable Windows implants used by the threat actor include RedLeaves (aka BugJuice) and ShadowPad, both of which have previously been linked to Chinese hacking groups.
That said, the group primarily leverages a Linux-based malware suite that includes:
- RushDrop (aka ChronosRAT), a dropper that starts the infection chain
- DriveSwitch, an auxiliary malware used to execute SilentRaid on infected systems
- SilentRaid (aka MystRodX), a C++-based implant that establishes persistent access to compromised endpoints and employs a plugin-like approach to communicate with external servers, open remote shells, set up port forwarding, and perform file operations.
It is worth noting that the activity has been analyzed previously by QiAnXin, and that Palo Alto Networks Unit 42 is tracking a related threat cluster under the alias CL-STA-0969.
UAT-7290 has also deployed a backdoor called Bulbature that is engineered to turn a compromised edge device into an ORB. It was first documented by Sekoia in October 2024.
The threat actor shares tactics and infrastructure with China-linked adversaries known as Stone Panda and Redfoxtrot (aka Nomad Panda), the cybersecurity company said.
“The threat actor conducts extensive reconnaissance of target organizations before executing the intrusion. UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access and escalate privileges on the compromised system,” the researchers said. “It appears that the actors rely on publicly available proof-of-concept exploit code rather than developing their own.”
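The quote above notes that initial access relies partly on target-specific SSH brute force against public-facing edge devices. The following detector, written here as an added illustration and not taken from the Talos report or from any Cisco tooling, shows the defender's side of that behaviour: it parses standard sshd auth-log lines, counts failed logins per source IP in a sliding window, and escalates when the same source then authenticates successfully, which is the sequence that turns guessing into a foothold. The log lines, host name, user names, IP addresses, threshold and window are all constructed placeholders chosen for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd (syslog-format) auth log lines. The host name,
# user names and IP addresses are placeholders; none of this is from the report.
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 edge-gw sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan 14 03:12:03 edge-gw sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan 14 03:12:04 edge-gw sshd[2140]: Failed password for root from 203.0.113.7 port 41030 ssh2
Jan 14 03:12:06 edge-gw sshd[2140]: Failed password for root from 203.0.113.7 port 41030 ssh2
Jan 14 03:12:07 edge-gw sshd[2151]: Failed password for invalid user netops from 203.0.113.7 port 41041 ssh2
Jan 14 03:12:09 edge-gw sshd[2151]: Failed password for invalid user netops from 203.0.113.7 port 41041 ssh2
Jan 14 03:12:12 edge-gw sshd[2160]: Accepted password for netops from 203.0.113.7 port 41055 ssh2
Jan 14 03:15:40 edge-gw sshd[2201]: Failed password for alice from 198.51.100.20 port 50012 ssh2
Jan 14 03:15:55 edge-gw sshd[2201]: Accepted publickey for alice from 198.51.100.20 port 50012 ssh2
"""

# Matches the two sshd outcomes we care about: a failed or accepted login.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or return None for other lines.

    Syslog lines carry no year, so the caller supplies one (assumption).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window SSH brute-force detector over raw auth-log text.

    Emits a 'medium' alert when one source IP reaches `threshold` failed
    logins inside `window`, and a 'high' alert when that IP then logs in
    successfully while the burst is still inside the window. The threshold
    and window are illustrative values, not tuned recommendations.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(deque)  # ip -> (timestamp, user) of recent failures
    alerts = []
    for e in events:
        recent = failures[e["ip"]]
        # Expire failures that fell out of the window.
        while recent and e["ts"] - recent[0][0] > window:
            recent.popleft()
        if e["result"] == "Failed":
            recent.append((e["ts"], e["user"]))
            if len(recent) == threshold:  # fire once per burst, not per attempt
                alerts.append({
                    "severity": "medium",
                    "ip": e["ip"],
                    "at": e["ts"].isoformat(),
                    "users": sorted({u for _, u in recent}),
                    "reason": f"{threshold} failed SSH logins within {window}",
                })
        elif len(recent) >= threshold:
            # Success right after a burst of failures from the same source.
            alerts.append({
                "severity": "high",
                "ip": e["ip"],
                "at": e["ts"].isoformat(),
                "user": e["user"],
                "users": sorted({u for _, u in recent}),
                "reason": f"successful login after {len(recent)} recent failures",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(a["severity"].upper(), a["ip"], a["at"], a["reason"], a["users"])
```

On the sample data the detector raises a medium alert for 203.0.113.7 at the fifth failure and a high alert when that address succeeds as `netops` seven seconds later, while alice's single typo followed by a key-based login produces nothing. The `users` field is what makes the "target-specific" part visible: a short list of plausible administrative accounts from one source, rather than a dictionary walk, is the pattern to look for on an edge device.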