Overview
- The newly published Talos report assesses with high confidence that UAT-7290 is a China-nexus actor, with activity traced back to at least 2022.
- Primary victims are telecommunications providers in South Asia, with recent expansion into Southeastern Europe reported in the latest intrusions.
- The actor relies on a Linux-focused toolkit that includes RushDrop (ChronosRAT), DriveSwitch, and SilentRaid (MystRodX), plus Bulbature to convert compromised devices into Operational Relay Boxes.
- Operational Relay Box infrastructure can be repurposed by other China-nexus groups, indicating a role that extends beyond espionage to initial access and relay support.
- UAT-7290 conducts extensive reconnaissance before intrusion and gains access through one-day (recently patched) exploits and SSH brute force aimed at specific targets rather than broad spraying. Talos notes tooling and infrastructure overlaps with RedLeaves/APT10, ShadowPad and Red Foxtrot, and has released IOCs along with ClamAV and Snort detections.
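The SSH brute-force item above is the one technique in this summary a defender can check for directly in host logs. What follows is an added example, not code from Talos or from the report's own ClamAV and Snort detections: it parses OpenSSH-style auth.log lines, flags a source address that exceeds a number of failed password attempts within a sliding time window, and marks any later accepted login from a flagged source as a probable credential compromise. The log lines, host name, addresses, threshold and window are constructed assumptions for illustration; a target-specific actor that paces attempts slowly will need a longer window and a lower threshold than the defaults shown.

```python
"""Flag SSH password brute forcing in sshd auth logs (added example).

Not code from the Talos report. Reads OpenSSH-style syslog lines, keeps a
sliding window of failed password attempts per source address, and flags a
later successful login from a flagged address as a probable compromise.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not real telemetry). Syslog format carries no
# year, so one is supplied when parsing.
SAMPLE_LOG = """\
Mar  3 02:14:01 gw1 sshd[2210]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 02:14:03 gw1 sshd[2211]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 02:14:05 gw1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.7 port 50126 ssh2
Mar  3 02:14:06 gw1 sshd[2213]: Failed password for root from 203.0.113.7 port 50128 ssh2
Mar  3 02:14:08 gw1 sshd[2214]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 02:14:10 gw1 sshd[2215]: Accepted password for root from 203.0.113.7 port 50132 ssh2
Mar  3 02:20:00 gw1 sshd[2300]: Failed password for admin from 198.51.100.9 port 40000 ssh2
Mar  3 09:00:00 gw1 sshd[2400]: Accepted publickey for ops from 192.0.2.10 port 41000 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>"
# shape that OpenSSH writes for both password and public-key logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_brute_force(lines, threshold=5, window_seconds=60, year=2024):
    """Return (alerts, compromised).

    alerts: one entry per source address whose failed password attempts reach
            `threshold` inside any `window_seconds` window.
    compromised: accepted logins from an address that was already flagged.
    """
    failures = defaultdict(deque)   # ip -> deque of (timestamp, user) in window
    flagged = {}                    # ip -> sorted list of usernames targeted
    alerts, compromised = [], []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed" and ev["method"] == "password":
            q = failures[ip]
            q.append((ev["ts"], ev["user"]))
            # Drop attempts that have aged out of the sliding window.
            while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                users = sorted({u for _, u in q})
                flagged[ip] = users
                alerts.append({"ip": ip, "first_seen": q[0][0],
                               "users": users, "attempts": len(q)})
        elif ev["result"] == "Accepted" and ip in flagged:
            # A success after a burst of failures is the case worth paging on.
            compromised.append({"ip": ip, "user": ev["user"],
                                "method": ev["method"], "ts": ev["ts"]})
    return alerts, compromised


if __name__ == "__main__":
    found, hits = detect_ssh_brute_force(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"brute force from {a['ip']}: {a['attempts']} failures, users {a['users']}")
    for c in hits:
        print(f"probable compromise: {c['user']} from {c['ip']} at {c['ts']}")
```

Run against the constructed log, 203.0.113.7 is flagged after five failed password attempts against root and oracle within seven seconds, and its subsequent accepted password login for root is reported as a probable compromise; the single failure from 198.51.100.9 and the public-key login from 192.0.2.10 produce nothing. Public-key failures are deliberately excluded from the counter because they are not password guessing.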