China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes - The Hacker News
Ravie Lakshmanan · Jan 08, 2026 · Malware / Threat Intelligence

A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe. The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid, according to a Cisco Talos report published today.

"In addition to conducting espionage-focused attacks where UAT-7290 burrows deep inside a victim enterprise’s network infrastructure, their tactics, techniques, and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORB) nodes," researchers Asheer Malhotra, Vitor Ventura, and Brandon White said. "The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290's dual role as an espionage-motivated threat actor as well as an initial access group."

Attacks mounted by the adversary have mainly targeted telecommunications providers in South Asia. However, recent intrusion waves have branched out to strike organizations in Southeastern Europe. UAT-7290's tradecraft is as broad as it is varied, relying on a combination of open-source malware, custom tooling, and exploits for one-day vulnerabilities (flaws that are already patched by the vendor but not yet by the target) in popular edge networking products. Some of the notable Windows implants put to use by the threat actor include RedLeaves (aka BUGJUICE) and ShadowPad, both exclusively linked to Chinese hacking groups.

That said, the group mainly leverages a Linux-based malware suite comprising:

- RushDrop (aka ChronosRAT), a dropper that initiates the infection chain
- DriveSwitch, a peripheral malware that's used to execute SilentRaid on the infected system
- SilentRaid (aka MystRodX), a C++-based implant that establishes persistent access to compromised endpoints and employs a plugin-like approach to communicate with an external server, open a remote shell, set up port forwarding, and perform file operations

It's worth noting that a prior analysis from QiAnXin XLab flagged MystRodX as a variant of ChronosRAT, a modular ELF binary that's capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxying. Palo Alto Networks Unit 42 is tracking the associated threat cluster under the moniker CL-STA-0969.

Also deployed by UAT-7290 is a backdoor called Bulbature that's engineered to turn a compromised edge device into an ORB node. It was first documented by Sekoia in October 2024. The cybersecurity company said the threat actor shares tactical and infrastructure overlaps with China-linked adversaries known as Stone Panda and RedFoxtrot (aka Nomad Panda).

"The threat actor conducts extensive reconnaissance of target organizations before carrying out intrusions. UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access and escalate privileges on compromised systems," the researchers said. "The actor appears to rely on publicly available proof-of-concept exploit code as opposed to developing their own."
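The initial-access technique Talos describes, targeted SSH brute force against public-facing edge devices, leaves a simple trace in the device's authentication log: a burst of failed logins from one source, often cycling through a short list of real account names rather than a generic spray, followed by a successful login from the same source. The detector below is an added example written for this page; it is not code from Cisco Talos, The Hacker News, or the actor's tooling. It assumes OpenSSH-style syslog lines ("Failed password for ... from ... port ..."), and the log lines, hostnames, usernames and IP addresses (RFC 5737 documentation ranges) are constructed for illustration. The thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not taken from the article or any real incident).
# Source 203.0.113.45 fails five times against root/admin/netops, then logs in as admin.
# Source 198.51.100.7 is a normal user who mistypes once and then authenticates with a key.
SAMPLE_LOG = """\
Jan  8 03:14:01 edge-gw sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan  8 03:14:03 edge-gw sshd[2103]: Failed password for admin from 203.0.113.45 port 51024 ssh2
Jan  8 03:14:04 edge-gw sshd[2105]: Failed password for invalid user netops from 203.0.113.45 port 51026 ssh2
Jan  8 03:14:06 edge-gw sshd[2107]: Failed password for admin from 203.0.113.45 port 51028 ssh2
Jan  8 03:14:08 edge-gw sshd[2109]: Failed password for admin from 203.0.113.45 port 51030 ssh2
Jan  8 03:14:11 edge-gw sshd[2111]: Accepted password for admin from 203.0.113.45 port 51032 ssh2
Jan  8 03:20:00 edge-gw sshd[2150]: Failed password for jdoe from 198.51.100.7 port 40001 ssh2
Jan  8 03:20:09 edge-gw sshd[2152]: Accepted publickey for jdoe from 198.51.100.7 port 40003 ssh2
"""

# OpenSSH auth log format (assumed); "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict with ts/result/user/src for an sshd auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; deltas inside one file are still correct
    # unless the file crosses a year boundary (accepted limitation of this example).
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60, success_after=3):
    """Sliding-window brute-force detector keyed on source address.

    Emits a 'brute_force' alert once a source reaches `threshold` failures inside
    `window_seconds`, and a 'success_after_failures' alert when a login succeeds
    from a source that had at least `success_after` failures still in the window.
    The second signal is the one worth paging on: it is the point of compromise.
    """
    failures = defaultdict(deque)  # src -> deque of (timestamp, username) recent failures
    alerted = set()                # sources already reported as brute-forcing
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        # Evict failures that have aged out of the sliding window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append({
                    "type": "brute_force",
                    "src": ev["src"],
                    "attempts": len(q),
                    # The usernames tried tell you spray vs. target-specific guessing.
                    "users": sorted({u for _, u in q}),
                    "at": ev["ts"].strftime("%H:%M:%S"),
                })
        else:  # Accepted
            if len(q) >= success_after:
                alerts.append({
                    "type": "success_after_failures",
                    "src": ev["src"],
                    "user": ev["user"],
                    "prior_failures": len(q),
                    "at": ev["ts"].strftime("%H:%M:%S"),
                })
            # A success ends the current burst; allow a fresh alert for a later one.
            q.clear()
            alerted.discard(ev["src"])
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields two alerts for 203.0.113.45 (a brute_force alert at the fifth failure listing admin, netops and root as the guessed accounts, then a success_after_failures alert for admin) and nothing for 198.51.100.7. The usernames list is the useful triage field: a short set of plausible, environment-specific account names after reconnaissance looks different from the thousands of generic names an internet-wide sprayer cycles through. Note that the detector is keyed on the source address, so an actor rotating through ORB nodes would need a per-account or per-device view as well.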