Mallory
Origin: CN · 6 malware families

UAT-7290

Also known as: uat_7290

UAT-7290 is a China-linked threat actor tracked by Cisco Talos, assessed with high confidence to be part of the China-nexus APT ecosystem and active since at least 2022. The group conducts espionage-focused intrusions and initial access operations, primarily targeting telecommunications providers and other critical infrastructure entities in South Asia, with more recent activity extending into Southeastern Europe. Cisco Talos assessed that UAT-7290 may serve a dual role as both an espionage operator and an initial access provider, establishing Operational Relay Box (ORB) infrastructure that other China-nexus actors can later reuse. The actor prioritizes public-facing edge networking devices for initial access. Reported access methods include extensive pre-intrusion technical reconnaissance, exploitation of one-day vulnerabilities in popular edge networking products, use of publicly available proof-of-concept exploit code, and target-specific SSH brute-force attacks against exposed devices. Talos reported that UAT-7290 burrows deeply into victim enterprise and telecommunications infrastructure during espionage operations.

UAT-7290 primarily uses a Linux-focused malware suite comprising RushDrop, DriveSwitch, SilentRaid, and Bulbature. RushDrop, also referred to as ChronosRAT, functions as a dropper: it performs anti-VM checks, creates a hidden .pkgdb directory, and drops components including daytime, chargen, and BusyBox. DriveSwitch is used to execute the main implant. SilentRaid, also known as MystRodX, is the primary persistent implant; it is described as a modular C++ backdoor that communicates with command-and-control infrastructure (including DNS resolution via 8.8.8.8) and supports remote shell access, command execution, port forwarding, file management, reverse shell capability, and X.509 certificate attribute parsing.

Bulbature is used to convert compromised devices into ORB nodes; it can listen on configurable ports, store its configuration in /tmp with a .cfg extension, and open reverse shells. Talos reported a recurring self-signed certificate associated with Bulbature observed on numerous hosts in China or Hong Kong. The reporting also states that UAT-7290 may use Windows implants including RedLeaves and ShadowPad. Cisco Talos observed overlaps in tooling, infrastructure, victimology, and TTPs with other China-nexus activity, including RedLeaves activity associated with APT10, ShadowPad-associated infrastructure, and the cluster known as Red Foxtrot, which prior reporting linked to PLA Unit 69010. Other reporting cited overlaps with Stone Panda, and Palo Alto Networks Unit 42 tracks related activity as CL-STA-0969. Aliases and related names mentioned in the source reporting: UAT 7290, UAT-7290, ChronosRAT (for RushDrop), MystRodX (for SilentRaid), and CL-STA-0969 (Unit 42's name for related activity).
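The following hunt is an added, defender-side example (not code from Talos or Mallory) that turns the on-disk artifacts described above into rules run over a constructed path inventory; the ATT&CK id attached to each rule is an assumption picked from the techniques listed further down this page.

```python
"""Hunt for the on-disk artifacts named in the UAT-7290 summary above.

Added example, not Talos or Mallory code. Input is a constructed list of POSIX
paths as a host inventory or EDR file-walk export would produce. The .pkgdb
directory, daytime/chargen/BusyBox components and /tmp *.cfg location come from
the summary; the ATT&CK id on each rule is an assumption picked from this page.
"""
from pathlib import PurePosixPath

# Components RushDrop is reported to drop inside the hidden .pkgdb directory.
RUSHDROP_COMPONENTS = {"daytime", "chargen", "busybox"}


def hunt(paths):
    """Return (path, label, technique_id) for every path that matches a rule."""
    findings = []
    for raw in paths:
        p = PurePosixPath(raw)
        parts = p.parts
        if p.name == ".pkgdb":
            # Hidden directory created by the RushDrop dropper.
            findings.append((raw, "hidden .pkgdb directory (RushDrop)", "T1564.001"))
        elif len(parts) >= 2 and parts[-2] == ".pkgdb" and p.name.lower() in RUSHDROP_COMPONENTS:
            # Dropped component sitting directly inside .pkgdb; BusyBox elsewhere is ignored.
            findings.append((raw, f"RushDrop component {p.name!r} in .pkgdb", "T1105"))
        elif parts[:2] == ("/", "tmp") and len(parts) == 3 and p.suffix == ".cfg":
            # Bulbature keeps its ORB configuration as a .cfg file in /tmp.
            # Too common to alert on alone; triage() weights it accordingly.
            findings.append((raw, "Bulbature-style .cfg in /tmp", "T1090"))
    return findings


def triage(findings):
    """Collapse findings into one verdict: 'high', 'medium', 'low' or 'none'."""
    ids = {tid for _, _, tid in findings}
    if {"T1564.001", "T1105"} <= ids:
        return "high"      # hidden dir plus a known component: the summary's pattern
    if "T1564.001" in ids or "T1105" in ids:
        return "medium"
    if "T1090" in ids:
        return "low"       # a lone /tmp/*.cfg is weak evidence by itself
    return "none"


# Constructed sample inventory: one infected-looking host mixed with benign noise.
SAMPLE_PATHS = [
    "/var/tmp/.pkgdb",
    "/var/tmp/.pkgdb/daytime",
    "/var/tmp/.pkgdb/chargen",
    "/tmp/orb.cfg",
    "/usr/bin/busybox",  # BusyBox outside .pkgdb: not flagged
]
```

Run `hunt(SAMPLE_PATHS)` followed by `triage(...)` to see the sample host score "high"; corroborate a lone /tmp .cfg hit with a listening socket on an unexpected port before acting on it.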

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States
  • 🇨🇦 Canada

Where they're from

Attributed origin per open-source reporting.

  • CN

MITRE ATT&CK

Tradecraft

55 distinct techniques observed across reporting, grouped by tactic. Each technique links to MITRE's full description.

13 of 15 tactics · 69 techniques. ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (2 techniques)

  • T1592 Gather Victim Host Information (×3)
  • T1595 Active Scanning
    • T1595.002 Vulnerability Scanning

TA0042 Resource Development (3 techniques)

  • T1584 Compromise Infrastructure
  • T1587 Develop Capabilities
    • T1587.001 Malware (×2)
    • T1587.003 Digital Certificates
  • T1588 Obtain Capabilities
    • T1588.005 Exploits
    • T1588.006 Vulnerabilities

TA0001 Initial Access (3 techniques)

  • T1078 Valid Accounts
  • T1133 External Remote Services
  • T1190 Exploit Public-Facing Application (×6)

TA0002 Execution (1 technique)

  • T1059 Command and Scripting Interpreter (×6)
    • T1059.004 Unix Shell (×2)

TA0003 Persistence (3 techniques)

  • T1078 Valid Accounts
  • T1133 External Remote Services
  • T1543 Create or Modify System Process

TA0004 Privilege Escalation (3 techniques)

  • T1055 Process Injection
  • T1078 Valid Accounts
  • T1543 Create or Modify System Process

TA0005 Stealth (MITRE: Defense Evasion) (7 techniques)

  • T1027 Obfuscated Files or Information
    • T1027.002 Software Packing
  • T1055 Process Injection
  • T1070 Indicator Removal
    • T1070.004 File Deletion
  • T1078 Valid Accounts
  • T1140 Deobfuscate/Decode Files or Information
  • T1497 Virtualization/Sandbox Evasion (×2)
    • T1497.001 System Checks (×2)
  • T1564 Hide Artifacts
    • T1564.001 Hidden Files and Directories (×3)

TA0006 Credential Access (3 techniques)

  • T1056 Input Capture
    • T1056.001 Keylogging
  • T1110 Brute Force (×3)
    • T1110.001 Password Guessing
  • T1552 Unsecured Credentials
    • T1552.001 Credentials In Files

TA0007 Discovery (6 techniques)

  • T1016 System Network Configuration Discovery
  • T1046 Network Service Discovery (×2)
  • T1082 System Information Discovery (×2)
  • T1083 File and Directory Discovery (×5)
  • T1497 Virtualization/Sandbox Evasion (×2)
    • T1497.001 System Checks (×2)
  • T1518 Software Discovery

TA0008 Lateral Movement (2 techniques)

  • T1021 Remote Services
    • T1021.004 SSH
  • T1550 Use Alternate Authentication Material
    • T1550.004 Web Session Cookie

TA0009 Collection (3 techniques)

  • T1005 Data from Local System (×2)
  • T1056 Input Capture
    • T1056.001 Keylogging
  • T1113 Screen Capture

TA0011 Command and Control (10 techniques)

  • T1071 Application Layer Protocol (×4)
    • T1071.001 Web Protocols
    • T1071.004 DNS (×2)
  • T1090 Proxy (×7)
    • T1090.001 Internal Proxy (×3)
    • T1090.002 External Proxy
  • T1095 Non-Application Layer Protocol
  • T1105 Ingress Tool Transfer (×4)
  • T1132 Data Encoding
  • T1219 Remote Access Tools (×3)
  • T1568 Dynamic Resolution
  • T1571 Non-Standard Port
  • T1572 Protocol Tunneling
  • T1573 Encrypted Channel (×2)
    • T1573.002 Asymmetric Cryptography

TA0010 Exfiltration (1 technique)

  • T1041 Exfiltration Over C2 Channel

IOCs

Observables

6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (55)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (6)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (6)

Domains, IPs, and hashes tied to this actor, refreshed continuously.