


Perceptive Security
SOC/SIEM Consultancy

China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes
Published:
8 January 2026 at 14:54:00
Alert date:
8 January 2026 at 16:02:48
Source:
thehackernews.com
Ransomware & Malware, Critical Infrastructure, Network Infrastructure, Data Breach & Exfiltration
China-linked threat actor UAT-7290 has been conducting espionage operations against telecommunications companies in South Asia and Southeastern Europe since at least 2022. The campaign involves extensive technical reconnaissance before deploying malware families including RushDrop and utilizing ORB nodes. The threat actor primarily targets telecom infrastructure with Linux-based malware for intelligence gathering purposes.
Technical details
UAT-7290 is a China-nexus threat actor, active since 2022, that conducts espionage-focused intrusions primarily against telecommunications providers in South Asia and Southeastern Europe. The group deploys a Linux-based malware suite consisting of the RushDrop (ChronosRAT) dropper, the DriveSwitch peripheral malware, and the C++-based SilentRaid (MystRodX) implant. SilentRaid provides persistent access through plugin-like communication, a remote shell, port forwarding, and file operations. The group also uses the Windows implants RedLeaves (BUGJUICE) and ShadowPad. UAT-7290 builds Operational Relay Box (ORB) nodes by deploying the Bulbature backdoor on compromised edge devices, turning them into relay infrastructure. The actor conducts extensive reconnaissance, gains initial access through 1-day exploits and SSH brute-force attacks, and relies on publicly available proof-of-concept exploit code.
Mitigation steps:
Organizations, particularly telecommunications providers in South Asia and Southeastern Europe, should:
Monitor for signs of the identified malware families.
Implement strong SSH security controls to prevent brute-force attacks.
Apply security patches promptly to edge networking devices to close the window for 1-day exploits.
Monitor network traffic for unusual patterns that may indicate ORB node establishment on edge devices.
Deploy comprehensive endpoint detection and response coverage able to identify both Linux and Windows implants.
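Added example, not from the Talos report or this alert: a small Python detector run over constructed sshd log lines that flags a source address exceeding a failed-password threshold inside a time window and escalates the verdict when that same source later authenticates successfully, which is the SSH brute-force signal the mitigation above asks operators to monitor for. The log lines, hostnames, addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (sample data, not taken from the alert).
SAMPLE_LOG = """\
Jan  8 14:50:01 edge01 sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan  8 14:50:02 edge01 sshd[2102]: Failed password for root from 203.0.113.7 port 50123 ssh2
Jan  8 14:50:03 edge01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Jan  8 14:50:04 edge01 sshd[2104]: Failed password for root from 203.0.113.7 port 50125 ssh2
Jan  8 14:50:05 edge01 sshd[2105]: Failed password for root from 203.0.113.7 port 50126 ssh2
Jan  8 14:50:06 edge01 sshd[2106]: Accepted password for root from 203.0.113.7 port 50127 ssh2
Jan  8 14:55:10 edge01 sshd[2110]: Accepted publickey for ops from 198.51.100.20 port 41000 ssh2
Jan  8 15:10:00 edge01 sshd[2120]: Failed password for root from 192.0.2.9 port 33000 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_sshd(text, year=2026):
    """Return (timestamp, result, method, user, src) tuples; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Map source address -> 'bruteforce' or 'bruteforce-success' (assumed threshold/window)."""
    fails = defaultdict(list)   # src -> timestamps of password failures inside the window
    verdicts = {}
    for ts, result, method, user, src in sorted(events):
        if result == "Failed" and method == "password":
            fails[src] = [t for t in fails[src] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(fails[src]) >= threshold:
                verdicts.setdefault(src, "bruteforce")
        elif result == "Accepted" and src in verdicts:
            # A success from a source already flagged is the case that needs immediate response.
            verdicts[src] = "bruteforce-success"
    return verdicts

if __name__ == "__main__":
    print(detect_bruteforce(parse_sshd(SAMPLE_LOG)))  # {'203.0.113.7': 'bruteforce-success'}
```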
Affected products:
Edge networking products
Linux systems
Windows systems
Telecommunications infrastructure
Related links:
https://blog.talosintelligence.com/uat-7290/
https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves
https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html
https://thehackernews.com/2025/08/cl-sta-0969-installs-covert-malware-in.html
https://thehackernews.com/2025/09/researchers-warn-of-mystrodx-backdoor.html
https://thehackernews.com/2024/10/china-accuses-us-of-fabricating-volt.html
https://thehackernews.com/2024/07/chinese-hackers-target-japanese-firms.html
https://thehackernews.com/2024/06/chinese-cyber-espionage-targets-telecom.html
Related CVEs:
Related threat actors:
IOCs:
RushDrop malware, ChronosRAT malware, DriveSwitch malware, SilentRaid malware, MystRodX malware, RedLeaves malware, BUGJUICE malware, ShadowPad malware, Bulbature backdoor
This article was created with the assistance of AI technology by Perceptive.
