A sophisticated China-linked threat actor, UAT-7290, is expanding its cyber-espionage operations into Southeastern Europe, targeting telecommunications organizations. The group utilizes Linux-based malware, initial access techniques, and operational relay infrastructure to compromise edge network devices. #UAT7290 #CyberEspionage #LinuxMalware #ChinaThreatActors #SoutheasternEurope
Key points
- The threat actor UAT-7290 primarily targets telecommunications providers and uses Linux malware in its operations.
- They leverage one-day exploits and SSH brute force attacks to gain initial access to edge network devices.
- UAT-7290 employs a suite of custom Linux malware including RushDrop, DriveSwitch, SilentRaid, and Bulbature.
- The group has a China nexus and functions as an initial access and relay operator for other China-aligned threat groups.
- Technical analysis reveals shared TLS certificates and malware families used across multiple China-based hosts and campaigns.
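The SSH brute-force initial-access technique named above is one of the few behaviours in this summary that leaves a plain, host-side trace: a burst of failed sshd logins from one source, frequently followed by a successful login. The script below is an added detection example written for this page, not code from the original post or from any vendor report on UAT-7290. It parses constructed sshd syslog lines (the hostnames, usernames and documentation-range IPs are invented), groups authentication results by source address, flags any address that reaches a threshold of failures inside a short window, and records whether an accepted login followed the burst, which is the case an edge-device owner most needs to escalate.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines for illustration only; not from the page
# or any real incident. 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 12 03:14:01 edge-rtr1 sshd[2041]: Failed password for root from 198.51.100.23 port 51234 ssh2
Mar 12 03:14:03 edge-rtr1 sshd[2043]: Failed password for admin from 198.51.100.23 port 51240 ssh2
Mar 12 03:14:05 edge-rtr1 sshd[2045]: Failed password for invalid user oracle from 198.51.100.23 port 51250 ssh2
Mar 12 03:14:07 edge-rtr1 sshd[2047]: Failed password for root from 198.51.100.23 port 51260 ssh2
Mar 12 03:14:09 edge-rtr1 sshd[2049]: Failed password for admin from 198.51.100.23 port 51270 ssh2
Mar 12 03:14:11 edge-rtr1 sshd[2051]: Accepted password for admin from 198.51.100.23 port 51280 ssh2
Mar 12 03:20:44 edge-rtr1 sshd[2103]: Failed password for ops from 203.0.113.9 port 40001 ssh2
Mar 12 03:21:02 edge-rtr1 sshd[2105]: Accepted publickey for ops from 203.0.113.9 port 40002 ssh2
"""

# Matches the common OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<ip>[\d.]+)\s+port\s+\d+"
)


def parse_auth_log(text, year=2024):
    """Return a list of (timestamp, result, user, source_ip) tuples from sshd syslog lines.

    Syslog timestamps carry no year, so the caller supplies one (assumption: all
    lines fall in the same year).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd message or other daemon
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_ssh_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside any window_seconds span.

    For each flagged IP the finding records how many failures occurred, which
    usernames were tried, and whether an Accepted login from the same IP came
    at or after the end of the burst (the highest-priority case: the guessing
    may have succeeded).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological order
        fails = [ts for ts, res, _, _ in evs if res == "Failed"]

        # Sliding window: the first run of `threshold` failures within the window.
        burst_end = None
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and (fails[j] - fails[i]).total_seconds() <= window_seconds:
                burst_end = fails[j]
                break
        if burst_end is None:
            continue

        usernames = sorted({u for _, res, u, _ in evs if res == "Failed"})
        success_after = any(res == "Accepted" and ts >= burst_end for ts, res, _, _ in evs)
        findings[ip] = {
            "failed_attempts": len(fails),
            "usernames_tried": usernames,
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        sev = "HIGH" if info["success_after_burst"] else "MEDIUM"
        print(f"[{sev}] {ip}: {info['failed_attempts']} failures, users={info['usernames_tried']}")
```

On the constructed input, 198.51.100.23 reaches five failures in eight seconds and is then accepted as `admin`, so it is reported as the high-severity case, while the single failure from 203.0.113.9 followed by a public-key login is ignored. The threshold and window are deliberately conservative defaults; on a real edge device they should be tuned against the normal failure rate of legitimate operators, and the check is far more useful alongside key-only authentication and source restrictions on the management interface than as a stand-alone control.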