Overview
- Talos assesses with high confidence that UAT-7290 is a China-nexus threat actor conducting espionage against critical infrastructure since at least 2022.
- The group focuses on South Asian telecommunications providers and recently broadened operations into Southeastern Europe.
- UAT-7290 primarily employs a Linux malware suite—RushDrop, DriveSwitch, and SilentRaid (MystRodX)—while using Bulbature to convert compromised devices into Operational Relay Boxes potentially leveraged by other China-linked operators.
- Initial access commonly comes via one-day exploits against public-facing edge devices and targeted SSH brute-force, with reliance on publicly available proof-of-concept code rather than bespoke zero-days.
- Researchers highlight overlaps with RedLeaves/APT10, with ShadowPad infrastructure, and with Red Foxtrot (Recorded Future's name for activity linked to PLA Unit 69010). They also note that a Bulbature TLS certificate was seen on at least 141 China- or Hong Kong-based hosts associated with other China-nexus malware. Talos provides technical details, IOCs, and detection signatures.