UAT-7290 Espionage Campaigns Targeting Telecommunications and Critical Infrastructure
A sophisticated China-linked threat actor, UAT-7290, has been conducting targeted cyber-espionage campaigns against telecommunications companies and critical infrastructure entities in South Asia since at least 2022. The group employs a calculated approach, beginning with extensive technical reconnaissance of their targets, and leverages a diverse toolkit that includes custom Linux malware such as RushDrop, DriveSwitch, and SilentRaid. UAT-7290 exploits known vulnerabilities and uses brute force attacks to compromise edge networking devices, establishing deep and persistent access within victim networks. Their operations have recently expanded into Southeastern Europe, indicating a growing geographic reach and ambition.
UAT-7290 is notable for its dual role as both an espionage-focused actor and an initial access provider, setting up Operational Relay Box (ORB) nodes that can be leveraged by other China-nexus threat groups. The group’s malware arsenal also includes Windows-based implants like RedLeaves and ShadowPad, further demonstrating technical sophistication. Cisco Talos researchers have highlighted the group’s ability to evade detection, such as RushDrop’s anti-VM checks, and their use of both open-source and custom-developed tools to maintain operational flexibility. The ongoing campaigns pose a significant threat to vital communication networks and critical infrastructure across multiple regions.
Related Stories

China-Nexus UAT-9244 Targets South American Telecoms with TernDoor, PeerTime, and BruteEntry
Cisco Talos reported that **UAT-9244**, assessed with high confidence as a **China-nexus APT** closely associated with **FamousSparrow**, has targeted **critical telecommunications providers in South America** since 2024. The activity spans **Windows and Linux endpoints** as well as **network edge devices**, and introduces three previously undocumented implants: **TernDoor** (Windows), **PeerTime** (Linux/ELF), and **BruteEntry** (edge-device brute-force/scanning tooling). Public reporting noted tactical overlap between FamousSparrow and **Salt Typhoon**-linked telecom targeting, but stated there is **no conclusive evidence** directly tying UAT-9244 to Salt Typhoon. Talos detailed that **TernDoor** is a variant of **CrowDoor** (itself related to **SparrowDoor**) and is deployed via **DLL side-loading** using the legitimate `wsprint.exe` to load a malicious loader DLL `BugSplatRc64.dll`, which reads `WSPrint.dll`, decrypts it, and executes the final payload **in memory**. **PeerTime** is an ELF backdoor that leverages the **BitTorrent protocol** for malicious operations on infected Linux systems. **BruteEntry** is typically installed on edge devices to convert them into **Operational Relay Boxes (ORBs)** used for mass scanning and brute forcing services including **SSH**, **Postgres**, and **Tomcat**; additional reporting also noted prior UAT-9244 targeting of **outdated Windows Server and Microsoft Exchange** to deploy web shells as a foothold for follow-on activity.
1 week ago
Cisco Talos Reports China-Nexus UAT-8837 Breaching North American Critical Infrastructure
Cisco Talos reported multiple intrusions against **high-value North American critical infrastructure** organizations attributed to **UAT-8837**, assessed with *medium confidence* as a **China-nexus APT** focused on obtaining initial access. Talos said the actor gained entry via **compromised credentials** and **exploitation of vulnerable servers**, then conducted hands-on-keyboard activity to harvest credentials and environment data (including **security configurations** and **Active Directory** information) to establish redundant access paths. Observed post-compromise tooling included **Earthworm** (used to create reverse tunnels and expose internal endpoints), **SharpHound**, **DWAgent**, and **Certipy**, alongside common discovery commands (e.g., `tasklist /svc`, `netstat -aon -p TCP`, `whoami`). Talos linked UAT-8837 activity to exploitation of **CVE-2025-53690**, described as a **ViewState deserialization zero-day** affecting **Sitecore** products, noting that the overlap in tooling/infrastructure with other observed exploitation suggests the actor **may have access to zero-day exploits**. Reporting also highlighted that the vulnerability had previously been emphasized by U.S. federal cybersecurity authorities with a mandated patch timeline for federal civilian agencies, and that prior third-party analysis of incidents involving the same bug described similar post-exploitation tooling—reinforcing the assessment that this vulnerability has been operationalized in real intrusions against critical infrastructure targets.
2 months ago
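As an added example that is not part of the Cisco Talos reporting or of this page: a small Python detection pass over constructed Sysmon-style events, covering two indicators from the two stories above. The first rule matches the TernDoor side-loading pair from the UAT-9244 story (`wsprint.exe` loading `BugSplatRc64.dll`); the second flags a burst of the discovery commands attributed to UAT-8837 (`tasklist /svc`, `netstat -aon -p TCP`, `whoami`) from one user inside a short window. Event field names, paths, user names, timestamps and the 60-second/3-binary threshold are assumptions made for the example.

```python
"""Toy detection pass over constructed Sysmon-like telemetry (added example).

Two rules drawn from the stories above:
  1. side-load: wsprint.exe loading BugSplatRc64.dll (TernDoor chain, UAT-9244)
  2. discovery burst: >= 3 distinct discovery binaries by one user within 60 s (UAT-8837)
Event schema, paths, users, timestamps and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Rule 1: (host executable, loaded DLL) basename pairs, compared case-folded.
SIDELOAD_PAIRS = {("wsprint.exe", "bugsplatrc64.dll")}

# Rule 2: the binaries behind the discovery commands attributed to UAT-8837.
DISCOVERY_BINARIES = {"tasklist.exe", "netstat.exe", "whoami.exe"}

# Constructed sample events: id 7 = ImageLoad, id 1 = ProcessCreate (Sysmon numbering).
SAMPLE_EVENTS = [
    {"id": 7, "ts": "2025-06-01T10:00:00", "user": "CORP\\svc_print",
     "image": r"C:\Users\Public\wsprint.exe", "loaded": r"C:\Users\Public\BugSplatRc64.dll"},
    {"id": 7, "ts": "2025-06-01T10:00:01", "user": "CORP\\svc_print",
     "image": r"C:\Users\Public\wsprint.exe", "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 1, "ts": "2025-06-01T10:01:00", "user": "CORP\\svc_print",
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /svc"},
    {"id": 1, "ts": "2025-06-01T10:01:20", "user": "CORP\\svc_print",
     "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -aon -p TCP"},
    {"id": 1, "ts": "2025-06-01T10:01:45", "user": "CORP\\svc_print",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    # Benign: an admin running whoami twice is one distinct binary, so no burst.
    {"id": 1, "ts": "2025-06-01T10:05:00", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"id": 1, "ts": "2025-06-01T10:05:10", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /groups"},
]


def _basename(path):
    """Case-folded file name of a Windows path; PureWindowsPath works on any host OS."""
    return PureWindowsPath(path).name.lower()


def detect_sideload(events):
    """Flag ImageLoad events where a known host binary loads a known loader DLL."""
    hits = []
    for e in events:
        if e["id"] != 7:
            continue
        pair = (_basename(e["image"]), _basename(e["loaded"]))
        if pair in SIDELOAD_PAIRS:
            hits.append({"rule": "terndoor_sideload", "ts": e["ts"], "user": e["user"],
                         "image": e["image"], "loaded": e["loaded"]})
    return hits


def detect_discovery_burst(events, window_seconds=60, threshold=3):
    """Flag a user who runs >= threshold distinct discovery binaries within the window."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    # ISO-8601 timestamps sort correctly as strings, so order the process events by "ts".
    for e in sorted((x for x in events if x["id"] == 1), key=lambda x: x["ts"]):
        name = _basename(e["image"])
        if name in DISCOVERY_BINARIES:
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), name))
    hits = []
    for user, runs in per_user.items():
        for i, (t0, _) in enumerate(runs):
            # Sliding window anchored at each run; count distinct binaries, not invocations.
            distinct = {name for t, name in runs[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                hits.append({"rule": "discovery_burst", "user": user,
                             "start": t0.isoformat(), "binaries": sorted(distinct)})
                break  # one alert per user per pass is enough for this example
    return hits


def run_rules(events):
    """Run both rules and return the combined alert list."""
    return detect_sideload(events) + detect_discovery_burst(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The side-load rule is deliberately keyed on the basename pair alone, which is cheap but brittle: a production rule would also check that `wsprint.exe` runs from its expected install path and carries a valid signature, since an attacker can rename the loader DLL. The discovery-burst threshold and window are tuning knobs; administrators run `whoami` and `netstat` legitimately, so the rule is most useful when combined with the credential-harvesting and tunneling indicators (Earthworm, Certipy, SharpHound) named in the UAT-8837 reporting.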
TGR-STA-1030 “Shadow Campaigns” Global Cyberespionage Using ShadowGuard Rootkit
A large-scale cyberespionage operation tracked as **TGR-STA-1030** (also **UNC6619**) has been reported compromising government and critical-infrastructure organizations across **37 countries**, with broader reconnaissance activity against government infrastructure in **155 countries**. The operation—described as “**Shadow Campaigns**”—uses **phishing** (often impersonating government entities) and **N-day vulnerability exploitation** across multiple enterprise and edge products (including **SAP**, **Microsoft Exchange**, and **D-Link**) to gain initial access, then deploys tooling for persistence, lateral movement, and stealth. Post-compromise activity includes deployment of **Diaoyu Loader** to stage frameworks and remote admin tooling such as **Cobalt Strike** and **VShell**, plus web shells and tunneling utilities. A notable capability is **ShadowGuard**, a **Linux eBPF rootkit** used for kernel-level stealth. Reporting also indicates Palo Alto Networks’ Unit 42 assessed the actor as **state-aligned and operating out of Asia**, citing indicators such as tooling, language preferences, activity patterns aligned to **GMT+8**, and infrastructure linkages; separate reporting claims Unit 42 initially connected the campaign more directly to **China** but softened public attribution due to concerns about potential retaliation following Chinese restrictions on certain foreign cybersecurity vendors’ software.
1 month ago