Cisco Talos Exposes UAT-7290: China APT Targeting Telecoms
Newly disclosed threat actor compromises telecom providers in South Asia and Southeastern Europe, establishing relay infrastructure for other Chinese APT groups.
Cisco Talos published research Wednesday exposing a sophisticated China-nexus threat actor that has been quietly compromising telecommunications providers across South Asia since at least 2022. The group, tracked as UAT-7290, serves a dual purpose: conducting its own espionage operations while building infrastructure that other Chinese APT groups can use for their attacks.
The disclosure reveals an increasingly interconnected Chinese cyber operations ecosystem, where threat actors specialize in different stages of the attack chain and share access to compromised networks.
TL;DR
- What happened: Cisco Talos disclosed UAT-7290, a China-nexus APT targeting telecom infrastructure since 2022
- Who's affected: Telecommunications providers in South Asia and Southeastern Europe
- Severity: High - Strategic espionage with persistent access to telecom networks
- Action required: Telecom security teams should review Talos IOCs and detection signatures
What Is UAT-7290?
UAT-7290 is a sophisticated threat actor that Talos assesses with high confidence operates under Chinese state direction. The group primarily targets telecommunications providers—organizations that offer valuable intelligence on communications, customer data, and network infrastructure.
What sets UAT-7290 apart is its dual role. Beyond conducting espionage-focused intrusions, the group establishes Operational Relay Box (ORB) nodes on compromised devices. These nodes function as hop points that other China-nexus actors can route their attacks through, obscuring the true origin of malicious traffic.
This division of labor mirrors trends in the cybercrime ecosystem, where initial access brokers sell network footholds to ransomware operators. In the state-sponsored context, UAT-7290 builds infrastructure that multiple Chinese intelligence operations can leverage.
How They Operate
Talos observed UAT-7290 conducting extensive reconnaissance before launching intrusions. The group exploits one-day vulnerabilities in internet-facing edge networking devices: flaws for which a vendor patch already exists but which remain unpatched in many environments, so the window between a fix shipping and the group exploiting it can be very short. They also run targeted SSH brute force attacks using credential lists tailored to the specific organization, drawing on real account names rather than generic dictionaries.
Once inside a network, UAT-7290 deploys a Linux-focused malware arsenal:
- RushDrop (also called ChronosRAT): A dropper that initiates infection chains
- DriveSwitch: Peripheral malware that executes main implants
- SilentRaid (also called MystRodX): The primary implant providing persistent access with modular plugins for C2 communication, remote shells, port forwarding, and file management
- Bulbature: Converts compromised devices into ORB relay nodes using self-signed certificates and reverse shell capabilities
For Windows targets, the group deploys RedLeaves malware (historically linked to APT10) and ShadowPad (a backdoor shared among multiple China-nexus actors).
Attribution Indicators
Talos identified significant technical overlaps with known Chinese threat actors. The group's tools share characteristics with RedLeaves, the signature malware of APT10. Infrastructure analysis revealed hosting certificates associated with SuperShell, GobRAT, and Cobalt Strike deployments used by other Chinese groups.
The Talos report also notes substantial overlap with "Red Foxtrot," a group that Recorded Future linked to PLA Unit 69010 in a 2021 report. This connection suggests UAT-7290 may operate under military intelligence direction.
Expanding Target Set
While South Asian telecommunications providers remain the primary focus, Talos observed UAT-7290 recently expanding into Southeastern Europe. This geographic expansion aligns with broader Chinese intelligence priorities and suggests the group's operational tempo is increasing.
Telecom providers make attractive targets for multiple reasons. They process massive volumes of communications data, maintain connections to government and enterprise customers, and often operate infrastructure that spans national borders. A single compromised telecom can provide visibility into entire populations.
Detection and Defense
Talos released ClamAV signatures for detecting UAT-7290 malware:
- Unix.Dropper.Agent
- Unix.Malware.Agent
- Unix.Packed.Agent
Snort rule SID 65124 provides network-level detection. The full Talos report includes additional indicators of compromise that security teams should incorporate into detection systems.
Telecommunications providers should prioritize:
- Patching edge devices - UAT-7290 exploits known vulnerabilities in network equipment
- Monitoring SSH authentication - Watch for targeted brute force attempts
- Reviewing outbound connections - a device turned into an ORB relay forwards other actors' traffic, so look for edge devices that start accepting inbound connections from unfamiliar external addresses and passing them onward to destinations the device has no business reaching
- Auditing Linux systems - The group's malware arsenal targets Linux infrastructure
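The SSH guidance above is easier to act on with a concrete check. The following script is an added example, not code from the Talos report, and it implements a detection heuristic of this article's own devising: it scans standard OpenSSH auth log lines and flags a source address on two independent signals, raw volume of failed password logins and a username list that is tailored to the organization (a high share of the accounts tried are real local users rather than root/admin/test), plus a successful login that follows repeated failures from the same source. The hostnames, usernames, addresses and log lines are constructed sample data; `KNOWN_USERS` stands in for whatever account inventory a telecom would actually feed it.

```python
"""Flag targeted SSH brute forcing in sshd auth logs.

Added example, not code from the Talos report. Two signals are combined:
volume (many failed password logins from one source) and tailoring (the
usernames tried are the organization's real accounts rather than a generic
root/admin/test dictionary). A success following repeated failures from the
same source is reported as well.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Standard OpenSSH auth log shapes: password failure and successful login.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Usernames every generic scanner tries; hits on these say nothing about tailoring.
GENERIC_USERS = {"root", "admin", "test", "user", "guest", "oracle", "pi", "ubuntu"}


@dataclass
class SourceStats:
    failures: int = 0
    users: set = field(default_factory=set)
    success_after_failures: bool = False


def analyze(lines, known_users, fail_threshold=10, tailored_ratio=0.5, min_tries=3):
    """Return {source_ip: [reasons]} for sources that look like brute forcing."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            s = stats[m["ip"]]
            s.failures += 1
            s.users.add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and stats[m["ip"]].failures >= min_tries:
            stats[m["ip"]].success_after_failures = True

    alerts = {}
    for ip, s in stats.items():
        reasons = []
        if s.failures >= fail_threshold:
            reasons.append(f"{s.failures} failed logins")
        # Tailoring: share of tried usernames that are real, non-generic local accounts.
        hits = (s.users & known_users) - GENERIC_USERS
        if len(s.users) >= min_tries and len(hits) / len(s.users) >= tailored_ratio:
            reasons.append(
                f"tailored username list: {len(hits) / len(s.users):.0%} of tried "
                f"accounts are real local users ({', '.join(sorted(hits))})"
            )
        if s.success_after_failures:
            reasons.append("successful login after repeated failures")
        if reasons:
            alerts[ip] = reasons
    return alerts


# Constructed sample data (not real logs); addresses are from documentation ranges.
KNOWN_USERS = {"root", "alice", "j.rahman", "s.perera", "noc-admin", "netops"}

_SCANNER = ["root", "root", "root", "root", "admin", "admin", "admin",
            "test", "test", "user", "pi", "guest"]
SAMPLE_LOG = [
    f"Jan 10 03:14:{i:02d} edge-gw1 sshd[2210]: Failed password for invalid user "
    f"{u} from 203.0.113.5 port {51000 + i} ssh2"
    for i, u in enumerate(_SCANNER)
] + [
    # Tailored list: only real local accounts are tried, then one succeeds.
    "Jan 10 03:20:01 edge-gw1 sshd[2301]: Failed password for j.rahman from 198.51.100.7 port 40010 ssh2",
    "Jan 10 03:20:05 edge-gw1 sshd[2302]: Failed password for s.perera from 198.51.100.7 port 40011 ssh2",
    "Jan 10 03:20:09 edge-gw1 sshd[2303]: Failed password for noc-admin from 198.51.100.7 port 40012 ssh2",
    "Jan 10 03:20:13 edge-gw1 sshd[2304]: Failed password for netops from 198.51.100.7 port 40013 ssh2",
    "Jan 10 03:20:17 edge-gw1 sshd[2305]: Accepted password for netops from 198.51.100.7 port 40014 ssh2",
    # Legitimate user with one typo: must not alert.
    "Jan 10 04:02:44 edge-gw1 sshd[2410]: Failed password for alice from 192.0.2.10 port 50001 ssh2",
    "Jan 10 04:02:51 edge-gw1 sshd[2411]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2",
]

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG, KNOWN_USERS).items():
        print(ip, "->", "; ".join(reasons))
```

The point of the second signal is that a tailored campaign can stay under any per-source volume threshold: the source at 198.51.100.7 fails only four times, far below the ten-failure cutoff, yet every account it tries is a real one, which a generic scanner would not know. Thresholds are starting points to tune against your own baseline; in production the same logic should key on source network rather than single IP, since a patient actor can spread attempts across addresses.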
Why This Matters
The Chinese cyber operations ecosystem has matured significantly. Rather than monolithic APT groups conducting entire attack chains independently, we're seeing specialization. UAT-7290's role as both an espionage actor and an infrastructure provider demonstrates this evolution.
For defenders, this means tracking individual threat actors is no longer sufficient. The malware dropped by one group may have been delivered through infrastructure maintained by another. Attribution becomes harder, and the attack surface expands as more actors gain access to shared relay infrastructure.
The focus on telecommunications is also worth noting. These networks form the backbone of digital communications for governments, businesses, and individuals. Persistent access to telecom infrastructure provides intelligence opportunities that extend far beyond any single compromise.