
China-Linked UAT-7290 Targets Telecom Networks Across Asia and Europe

  • Jan 9

Key Findings


  • China-linked threat actor UAT-7290 has conducted espionage attacks since at least 2022, targeting South Asia and Southeastern Europe

  • UAT-7290 primarily targets telecom providers, conducting espionage by embedding deeply in victim networks and operating Operational Relay Box (ORB) infrastructure built from compromised devices

  • The threat actor uses a broad toolset, including open-source tools, custom malware, and one-day exploits (exploits for already-disclosed vulnerabilities) against edge networking devices

  • Attacks are preceded by extensive reconnaissance and rely on proof-of-concept (PoC) exploits for known vulnerabilities and SSH brute force for initial access

  • UAT-7290's TTPs, infrastructure, and victimology overlap with known China-aligned groups such as APT10 and Red Foxtrot, linked to PLA Unit 69010


Background


China-linked threat actor UAT-7290 has conducted espionage attacks since at least 2022, targeting South Asia and Southeastern Europe. UAT-7290 primarily targets telecom providers, conducting espionage by embedding deeply in victim networks. It also operates Operational Relay Box (ORB) infrastructure that is later reused by other China-nexus actors, suggesting a dual role as both an espionage operator and an initial-access provider.


Toolset and Tactics


The threat actor uses a broad toolset, including open-source tools, custom malware, and one-day exploits (exploits for already-disclosed vulnerabilities) against edge networking devices. It favors Linux malware but also deploys Windows implants such as RedLeaves and ShadowPad. Attacks are preceded by extensive reconnaissance and rely on proof-of-concept (PoC) exploits for known vulnerabilities and SSH brute force for initial access.
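The SSH brute-force vector described above is one a telecom defender can detect from the edge device's own sshd logs. The following is an added example, not code from the original post or from the research it summarises: a small Python detector that parses syslog-style sshd lines (the sample lines are constructed for this example, not taken from any real incident), flags a source address that exceeds a threshold of failed logins inside a sliding time window, and separately records any login accepted from that source after the burst, which is the case that matters most on an internet-facing device. The threshold, window, log format and field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines for this example (not from any real incident).
# 203.0.113.7 sprays several accounts and then gets in as "admin";
# 198.51.100.9 is an operator who mistypes once and then uses a key.
SAMPLE_LOG = """\
Jan  9 03:12:01 edge-rtr sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan  9 03:12:03 edge-rtr sshd[4023]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Jan  9 03:12:04 edge-rtr sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Jan  9 03:12:06 edge-rtr sshd[4027]: Failed password for admin from 203.0.113.7 port 51028 ssh2
Jan  9 03:12:07 edge-rtr sshd[4029]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan  9 03:12:09 edge-rtr sshd[4031]: Accepted password for admin from 203.0.113.7 port 51032 ssh2
Jan  9 03:40:15 edge-rtr sshd[4100]: Failed password for ops from 198.51.100.9 port 40110 ssh2
Jan  9 03:41:02 edge-rtr sshd[4102]: Accepted publickey for ops from 198.51.100.9 port 40112 ssh2
"""

# Matches the common OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>"
# line shape behind a classic syslog timestamp. Assumed format; adjust for your collector.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd(log_text):
    """Return a time-sorted list of (timestamp, src, user, accepted) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter (disconnects, key negotiation, etc.)
        # Classic syslog timestamps carry no year; that is fine for relative windows.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    events.sort()
    return events


def detect_ssh_bruteforce(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failed logins within window_s seconds.

    Returns {src: {"peak_failures": int, "usernames": set, "success_after_burst": [(user, hh:mm:ss)]}}.
    An accepted login from an already-flagged source is recorded separately,
    because a burst followed by success means the guess worked, not just that it was tried.
    """
    recent_failures = defaultdict(list)  # src -> [(ts, user)] inside the sliding window
    alerts = {}
    for ts, src, user, accepted in parse_sshd(log_text):
        if accepted:
            if src in alerts:
                alerts[src]["success_after_burst"].append((user, ts.strftime("%H:%M:%S")))
            continue
        cutoff = ts - timedelta(seconds=window_s)
        window = [(t, u) for t, u in recent_failures[src] if t >= cutoff]
        window.append((ts, user))
        recent_failures[src] = window
        if len(window) >= threshold:
            alert = alerts.setdefault(
                src, {"peak_failures": 0, "usernames": set(), "success_after_burst": []}
            )
            alert["peak_failures"] = max(alert["peak_failures"], len(window))
            alert["usernames"].update(u for _, u in window)
    return alerts


if __name__ == "__main__":
    for src, info in detect_ssh_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['peak_failures']} failures in window, accounts tried {sorted(info['usernames'])}")
        for user, when in info["success_after_burst"]:
            print(f"  !! accepted login for {user} at {when} after brute-force burst")
```

Run against the constructed log, only 203.0.113.7 is flagged, with root, admin and oracle tried and an accepted login for admin at 03:12:09 after the burst; the single operator typo from 198.51.100.9 stays below the threshold. On a real edge device the same logic belongs in the log pipeline rather than on the box, since an attacker who has a foothold can clear local logs.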


Overlap with Known Groups


UAT-7290's TTPs, infrastructure, and victimology overlap with known China-aligned groups such as APT10 and Red Foxtrot, which have been linked to PLA Unit 69010.


Malware Families


The Linux-based malware families associated with UAT-7290 include:


  • RushDrop (aka ChronosRAT) - The dropper that kickstarts the infection chain

  • DriveSwitch - An auxiliary component used to execute the main implant

  • SilentRaid (aka MystRodX) - The main implant that establishes persistent access


Another implant used by UAT-7290 is Bulbature, which converts compromised devices into ORBs for the relay infrastructure described above.


Conclusion


China-linked UAT-7290 has conducted extensive espionage campaigns targeting telecom providers in South Asia and Southeastern Europe since 2022. The threat actor employs a diverse toolset and tactics, showcasing overlaps with other well-known China-aligned groups.


Sources


  • https://securityaffairs.com/186698/security/china-linked-uat-7290-spies-on-telco-in-south-asia-and-europe-using-modular-malware.html

  • https://thehackernews.com/2026/01/china-linked-uat-7290-targets-telecoms.html

  • https://www.infosecurity-magazine.com/news/china-uat-7290-targets-telecoms/

© 2025 by Explain IT Again. Powered and secured by Wix