Perceptive Security
SOC/SIEM Consultancy

New China-linked hackers breach telcos using edge device exploits
Published:
8 January 2026 at 23:39:12
Alert date:
9 January 2026 at 01:02:08
Source:
bleepingcomputer.com
Network Infrastructure, Ransomware & Malware, Critical Infrastructure, Data Breach & Exfiltration
A China-linked threat actor has expanded its operations to telecommunications providers in Southeastern Europe, using Linux-based malware. The attackers gain initial access by exploiting vulnerabilities in edge devices and move from there into telecom infrastructure. This marks a broadening of both the actor's geographic focus and its operational scope. The campaign shows advanced capabilities aimed at critical telecommunications infrastructure, and the reliance on edge device exploits points to a detailed understanding of telecom network architecture.
Technical details
The UAT-7290 threat actor uses a Linux-based malware suite consisting of RushDrop/ChronosRAT (the initial dropper, which performs anti-VM checks), DriveSwitch (an executor component), SilentRaid/MystRodX (the main persistent C++ implant, with a plugin architecture) and Bulbature (a UPX-packed implant used to turn compromised devices into Operational Relay Boxes, ORBs). Initial access comes from one-day exploits and SSH brute-force attacks against edge network devices. The ORB infrastructure the group builds is also used by other China-aligned actors. SilentRaid supports remote shell access, port forwarding, file operations, directory archiving and certificate collection. The self-signed TLS certificates used by Bulbature were found on 141 hosts in China and Hong Kong that are also associated with SuperShell, GobRAT and Cobalt Strike.
Mitigation steps:
Organizations should use the indicators of compromise published in the Cisco Talos report to detect and block this threat actor. Monitor for the named malware families and their associated behaviours: creation of hidden directories, execution of suspicious binaries, and network connections to the listed malicious IP addresses.
Affected products:
Edge network devices
Linux systems
Windows systems
Related links:
Related CVEs:
Related threat actors:
IOCs:
Self-signed TLS certificate associated with the Bulbature implant
Hidden .pkgdb directory creation
Configuration files stored in /tmp/*.cfg
Binaries: daytime, chargen, busybox
141 China and Hong Kong-based IP addresses
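The mitigation steps and the IOC list above translate directly into a host-side hunt. The script below is an added example, not code from the original article or from Cisco Talos: it classifies filesystem paths against the indicators named on this page (hidden .pkgdb directory, configuration files under /tmp/*.cfg, binaries named daytime, chargen or busybox) and matches netstat -tn style connection lines against an IP list. The IP addresses, the staged directory tree and the connection lines are constructed placeholders; the set of directories in which busybox is treated as legitimate is an assumption made to reduce false positives, since the page does not say where the implant drops its binaries. Replace IOC_IPS with the 141 addresses from the Talos report before running it against real hosts.

```python
"""Host-side hunt for the UAT-7290 indicators listed on this page (added example, not Talos code)."""
import fnmatch
import os
import posixpath
import tempfile

# Indicators taken from the page.
HIDDEN_DIR_NAME = ".pkgdb"
CONFIG_GLOB = "/tmp/*.cfg"
SUSPECT_BINARIES = {"daytime", "chargen", "busybox"}

# ASSUMPTION: busybox (and the inetd-style daytime/chargen helpers) are normal in these
# directories; the same names anywhere else are worth a look. The page does not state
# where the implant places its binaries.
EXPECTED_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin"}

# CONSTRUCTED placeholder (RFC 5737 documentation addresses) standing in for the
# 141 China/Hong Kong IPs published in the Talos report.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}

# CONSTRUCTED sample in the layout of `netstat -tn` (proto recv-q send-q local remote state).
SAMPLE_NETSTAT = [
    "tcp        0      0 10.0.0.5:43210      203.0.113.10:443      ESTABLISHED",
    "tcp        0      0 10.0.0.5:22         10.0.0.9:51000        ESTABLISHED",
    "tcp6       0      0 :::80               :::*                  LISTEN",
]


def classify_path(path):
    """Return an indicator label for one absolute POSIX path, or None if it matches nothing."""
    name = posixpath.basename(path)
    parent = posixpath.dirname(path)
    # A hidden .pkgdb directory at any depth, or anything stored inside one.
    if HIDDEN_DIR_NAME in path.split("/"):
        return "hidden_pkgdb_dir"
    # Implant configuration dropped as /tmp/*.cfg.
    if fnmatch.fnmatch(path, CONFIG_GLOB):
        return "tmp_cfg_file"
    # daytime / chargen / busybox sitting outside the directories where they belong.
    if name in SUSPECT_BINARIES and parent not in EXPECTED_BIN_DIRS:
        return "suspect_binary_outside_bin"
    return None


def hunt_paths(paths):
    """Map every matching path in an iterable of absolute paths to its indicator label."""
    findings = {}
    for p in paths:
        label = classify_path(p)
        if label:
            findings[p] = label
    return findings


def match_connections(netstat_lines, ioc_ips=IOC_IPS):
    """Return (local, remote, state) for each TCP line whose remote IP is on the IOC list."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        remote_ip = remote.rsplit(":", 1)[0]  # strip the port, keeps IPv6 text intact
        if remote_ip in ioc_ips:
            hits.append((local, remote, state))
    return hits


def walk_tree(root):
    """Yield every entry under root as it would appear if root were '/', so a staged tree can be scanned."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            yield "/" + os.path.relpath(full, root).replace(os.sep, "/")


if __name__ == "__main__":
    # CONSTRUCTED staging tree mirroring the page's indicators; on a real host call walk_tree("/").
    with tempfile.TemporaryDirectory() as root:
        for d in ("tmp/.pkgdb", "usr/bin", "var/tmp"):
            os.makedirs(os.path.join(root, d))
        for rel in ("tmp/svc.cfg", "var/tmp/daytime", "usr/bin/busybox"):
            open(os.path.join(root, rel), "w").close()
        for path, label in sorted(hunt_paths(walk_tree(root)).items()):
            print(f"[path] {label:28s} {path}")
    for local, remote, state in match_connections(SAMPLE_NETSTAT):
        print(f"[net ] ioc_ip_connection          {local} -> {remote} ({state})")
```

Feed walk_tree("/") and the output of netstat -tn (or ss -tn, after adjusting the column parsing) into the two functions on a suspect device; anything flagged as hidden_pkgdb_dir or tmp_cfg_file is a strong signal, while suspect_binary_outside_bin needs a look at the file itself, since the names are borrowed from legitimate services.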
This article was created with the assistance of AI technology by Perceptive.
