China-Linked UAT-7290 Breaches Telecom Networks Using Linux Malware and ORB Nodes
Cisco Talos disclosed that UAT-7290, a threat actor active since at least 2022 and assessed with high confidence as part of the China-nexus APT ecosystem, has conducted sustained intrusions against high-value telecommunications and critical infrastructure organizations in South Asia, with more recent activity extending into Southeastern Europe. The group reportedly performs extensive pre-attack reconnaissance, then compromises public-facing edge devices through one-day exploits, proof-of-concept exploit adaptation, and target-specific SSH brute force, seeking deep and persistent access inside strategically important telecom environments.
Researchers said the actor relies heavily on a Linux-focused malware toolkit that includes RushDrop, DriveSwitch, SilentRaid, and Bulbature, alongside overlaps with RedLeaves and ShadowPad and activity previously associated with Red Foxtrot/APT10. Talos assessed that UAT-7290 appears to serve a dual role: carrying out espionage while also acting as an initial access provider that converts compromised devices into Operational Relay Box (ORB) nodes for possible use by other China-linked operators. SilentRaid supports modular capabilities such as remote shell access, file management, and port forwarding, while Bulbature was tied to ORB infrastructure through a self-signed certificate observed on at least 141 hosts in China or Hong Kong, reinforcing the attribution assessment.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Talos reveals ORB infrastructure evidence and publishes IOCs
In its public reporting, Talos linked Bulbature to ORB operations and noted a self-signed certificate observed on at least 141 hosts in China or Hong Kong. The disclosure also included indicators of compromise and technical details on the actor's malware and tradecraft for defenders.
Cisco Talos publicly attributes campaign to China-linked UAT-7290
On January 8, 2026, Cisco Talos disclosed the campaign and assessed with high confidence that UAT-7290 is part of the China-nexus APT ecosystem. The report cited overlaps in tooling, infrastructure, and victimology with RedLeaves, ShadowPad, Red Foxtrot, and related China-linked activity.
UAT-7290 expands operations into Southeastern Europe
Talos reported that the threat actor recently broadened its targeting beyond South Asia into Southeastern Europe. This marked a geographic expansion of the long-running espionage campaign against telecommunications infrastructure.
UAT-7290 deploys Linux malware and ORB-enabling tooling in intrusions
During its campaign, UAT-7290 used a Linux-focused malware set including RushDrop, DriveSwitch, SilentRaid, and Bulbature. Talos assessed that Bulbature was used to convert compromised edge devices into Operational Relay Box nodes, indicating the group also functioned as an initial access and ORB-enablement operator.
UAT-7290 begins targeting South Asian telecom and critical infrastructure
Cisco Talos said UAT-7290 has been active since at least 2022, primarily targeting telecommunications providers and other critical infrastructure entities in South Asia. The actor used reconnaissance, one-day exploits, and target-specific SSH brute force against public-facing edge devices to gain access.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
UAT-7290 APT Targets Telecom Networks in South Asia
ampcuscyber.com
Open sourceChina-linked UAT-7290 spies on telco in South Asia and Europe using modular malware
securityaffairs.com
Open sourceUAT-7290 Hackers Attacking Critical Infrastructure Entities in South Asia
cybersecuritynews.com
Open sourceChina-Linked UAT-7290 Targets Telecom Networks In South Asia - Infosecurity Magazine
infosecurity-magazine.com
Open sourceChina-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes
thehackernews.com
Open sourceChina-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes
radar.offseq.com
Open sourceUAT-7290 targets high value telecommunications infrastructure in South Asia
blog.talosintelligence.com
Open sourceRecent Linux-based activities of the UAT-7290 threat group
broadcom.com
Open sourceUAT 7290 APT Attacking Telecom Sectors in South Asia with Long-Term Access - Advisories
advisory.eventussecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
China-Nexus UAT-9244 Targets South American Telecoms with TernDoor, PeerTime, and BruteEntry
Cisco Talos reported that **UAT-9244**, assessed with high confidence as a **China-nexus APT** closely associated with **FamousSparrow**, has targeted **critical telecommunications providers in South America** since 2024. The activity spans **Windows and Linux endpoints** as well as **network edge devices**, and introduces three previously undocumented implants: **TernDoor** (Windows), **PeerTime** (Linux/ELF), and **BruteEntry** (edge-device brute-force/scanning tooling). Public reporting noted tactical overlap between FamousSparrow and **Salt Typhoon**-linked telecom targeting, but stated there is **no conclusive evidence** directly tying UAT-9244 to Salt Typhoon. Talos detailed that **TernDoor** is a variant of **CrowDoor** (itself related to **SparrowDoor**) and is deployed via **DLL side-loading** using the legitimate `wsprint.exe` to load a malicious loader DLL `BugSplatRc64.dll`, which reads `WSPrint.dll`, decrypts it, and executes the final payload **in memory**. **PeerTime** is an ELF backdoor that leverages the **BitTorrent protocol** for malicious operations on infected Linux systems. **BruteEntry** is typically installed on edge devices to convert them into **Operational Relay Boxes (ORBs)** used for mass scanning and brute forcing services including **SSH**, **Postgres**, and **Tomcat**; additional reporting also noted prior UAT-9244 targeting of **outdated Windows Server and Microsoft Exchange** to deploy web shells as a foothold for follow-on activity.
Mar 21, 2026
Cisco Talos Reports China-Nexus UAT-8837 Breaching North American Critical Infrastructure
Cisco Talos reported multiple intrusions against **high-value North American critical infrastructure** organizations attributed to **UAT-8837**, assessed with *medium confidence* as a **China-nexus APT** focused on obtaining initial access. Talos said the actor gained entry via **compromised credentials** and **exploitation of vulnerable servers**, then conducted hands-on-keyboard activity to harvest credentials and environment data (including **security configurations** and **Active Directory** information) to establish redundant access paths. Observed post-compromise tooling included **Earthworm** (used to create reverse tunnels and expose internal endpoints), **SharpHound**, **DWAgent**, and **Certipy**, alongside common discovery commands (e.g., `tasklist /svc`, `netstat -aon -p TCP`, `whoami`). Talos linked UAT-8837 activity to exploitation of **CVE-2025-53690**, described as a **ViewState deserialization zero-day** affecting **Sitecore** products, noting that the overlap in tooling/infrastructure with other observed exploitation suggests the actor **may have access to zero-day exploits**. Reporting also highlighted that the vulnerability had previously been emphasized by U.S. federal cybersecurity authorities with a mandated patch timeline for federal civilian agencies, and that prior third-party analysis of incidents involving the same bug described similar post-exploitation tooling—reinforcing the assessment that this vulnerability has been operationalized in real intrusions against critical infrastructure targets.
Mar 21, 2026
State-Backed Intrusions Exploit RDP, VPN, SSH, and Supply Chains for Initial Access
Russian and China-linked threat activity has relied on common but effective entry points to penetrate government, telecom, defense, energy, and other critical-sector networks. Ukrainian officials said CERT-UA recorded **5,927 cyber incidents** in 2025, a **37.4% increase** over the prior year, with Russian groups including **UAC-0002 (Sandworm)**, **UAC-0001 (APT28)**, **UAC-0010 (Gamaredon)**, and **UAC-0190 (Void Blizzard)** using exposed **RDP** services, vulnerable **VPN** appliances, supply-chain compromise, phishing, and stolen credentials to gain access. Separately, telecom intrusions tied to the China-linked cluster **UAT-9244** used exposed web applications, **ProxyLogon**, exposed **SSH** services, weak credentials, and unpatched server software to establish footholds in Linux-heavy environments. Once inside, the actors deployed a broad toolset for espionage, persistence, and disruption, including RATs, stealers, ransomware, wipers, and Linux malware such as **PeerTime**, which supports multiple architectures and uses peer-to-peer, BitTorrent-like communications to avoid reliance on centralized command-and-control. The reporting highlights exploitation of products including **Cisco ASA/AnyConnect**, **Roundcube**, **Fortinet**, **WinRAR**, **7-Zip**, and legacy Microsoft Office components, alongside social-engineering tactics such as **ClickFix**, device-code phishing, OAuth phishing, and QR-code hijacking. The campaigns also abused legitimate services and native system tools, while under-monitored embedded Linux devices, routers, edge systems, and container hosts were described as especially attractive for long-term persistence, lateral movement, scanning, and covert communications.
May 25, 2026