Full Report
Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of Advanced Persistent Threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South Asia.
Analysis Summary
# Threat Actor: UAT-7290
## Attribution & Identity
* **Attribution:** Assessed with high confidence as a sophisticated threat actor falling under the **China-nexus of Advanced Persistent Threat actors (APTs)**.
* **Known Aliases/Associations:** Shares significant overlap in victimology, infrastructure, and tooling with the group publicly reported as **Red Foxtrot** (which Recorded Future linked to Chinese People’s Liberation Army (PLA) Unit 69010 in 2021). Shows overlapping TTPs and malware infrastructure alignment with groups using **RedLeaves** (APT10/MenuPass/POTASSIUM/Purple Typhoon) and **ShadowPad**.
## Activity Summary
* **Activity Timeline:** Active since at least 2022.
* **Primary Activities:** Conducting **espionage-focused intrusions** against critical infrastructure entities, and establishing **Operational Relay Box (ORB) nodes** which may be used by other China-nexus actors. UAT-7290 appears to serve a dual role as both an espionage actor and an initial access group.
* **Recent Trends:** Primarily targets telecommunications providers, but has recently expanded targeting into Southeastern Europe.
* **Pre-Intrusion Behavior:** Conducts extensive technical reconnaissance prior to carrying out intrusions.
## Tactics, Techniques & Procedures
* **Initial Access:** Leverages **1-day exploits** (exploits for vulnerabilities the vendor has already patched) and target-specific **SSH brute force** against public-facing edge devices to gain initial access and escalate privileges. Appears to rely on publicly available proof-of-concept exploit code rather than zero-days.
* **Persistence/Delivery:** Utilizes a Linux-based malware suite, but may also deploy Windows bespoke implants like RedLeaves or ShadowPad. Uses open-source web shells for persistence.
* **C2/Communication:** Leverages **UDP listeners**. The main implant (SilentRaid) communicates with C2 and executes arbitrary commands via a reverse shell. Bulbature can switch C2 addresses.
* **Tooling:** Uses custom and open-source malware, and payloads for 1-day vulnerabilities.
* **Shared Overlapping TTPs:** Exploitation of high-profile vulnerabilities in networking devices, use of open-source web shells, leveraging UDP listeners, and using compromised infrastructure to facilitate operations.
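The SSH brute-force activity described above is one of the few TTPs here that is cheaply detectable from logs a telecom edge host already produces. The following is an added example, not code from Talos or from the report: it runs a sliding-window counter over constructed sshd syslog lines, alerts when a single source exceeds a failure threshold within the window, and separately flags a successful login from a source that was just brute-forcing (the pattern that distinguishes noise from a likely compromise). The log format is standard OpenSSH syslog output; the threshold, window and sample addresses are assumptions to tune per environment.

```python
"""Detect SSH brute force (and brute force followed by success) in sshd logs.

Added example; the log lines below are constructed, not taken from a real victim.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed tuning: 5 failed logins from one source within 60 seconds.
THRESHOLD = 5
WINDOW_SECONDS = 60

# OpenSSH "Failed password for [invalid user] <user> from <ip>" lines.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
# OpenSSH "Accepted <method> for <user> from <ip>" lines.
SUCCESS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: one source hammers root/admin and then gets in;
# a second source has a single typo followed by a normal key login.
SAMPLE_LOG = """\
Mar 14 10:00:01 edge-rtr sshd[2201]: Failed password for root from 203.0.113.10 port 41022 ssh2
Mar 14 10:00:02 edge-rtr sshd[2203]: Failed password for invalid user admin from 203.0.113.10 port 41024 ssh2
Mar 14 10:00:04 edge-rtr sshd[2207]: Failed password for root from 203.0.113.10 port 41028 ssh2
Mar 14 10:00:05 edge-rtr sshd[2209]: Failed password for root from 203.0.113.10 port 41030 ssh2
Mar 14 10:00:06 edge-rtr sshd[2210]: Failed password for root from 203.0.113.10 port 41031 ssh2
Mar 14 10:00:09 edge-rtr sshd[2211]: Accepted password for root from 203.0.113.10 port 41032 ssh2
Mar 14 10:30:00 edge-rtr sshd[2300]: Failed password for ops from 198.51.100.7 port 51000 ssh2
Mar 14 10:31:00 edge-rtr sshd[2301]: Accepted publickey for ops from 198.51.100.7 port 51002 ssh2
"""


def parse_ts(raw):
    # Syslog timestamps carry no year; relative differences are all we need.
    return datetime.strptime(raw, "%b %d %H:%M:%S")


def detect(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of alert dicts, in log order."""
    failures = defaultdict(deque)  # ip -> deque of (timestamp, user)
    flagged = {}                   # ip -> time the threshold was crossed
    alerts = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            q = failures[ip]
            q.append((ts, m["user"]))
            # Drop failures that have aged out of the sliding window.
            while q and (ts - q[0][0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({
                    "type": "ssh_bruteforce",
                    "ip": ip,
                    "failures": len(q),
                    "users": sorted({u for _, u in q}),
                    "at": ts,
                })
            continue
        m = SUCCESS_RE.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            # A login shortly after crossing the threshold is the high-value alert.
            if ip in flagged and (ts - flagged[ip]).total_seconds() <= window:
                alerts.append({
                    "type": "ssh_bruteforce_success",
                    "ip": ip,
                    "user": m["user"],
                    "at": ts,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run on real data by feeding `detect()` the lines of `/var/log/auth.log` (or `journalctl -u ssh --no-pager`); the single-source design means a distributed brute force across many IPs needs a second counter keyed on the target username, which is a straightforward extension of the same loop.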
## Targeting
* **Sectors:** Primarily **Telecommunications providers** (critical infrastructure).
* **Geography:** Primarily **South Asia**, with recent expansion into **Southeastern Europe**.
* **Victims:** High-value telecommunications infrastructure entities.
## Tools & Infrastructure
* **Custom Malware Families (Linux-based):**
* **RushDrop:** The primary dropper, suspected of performing sandbox evasion checks.
* **DriveSwitch:** Peripheral malware used to execute the main implant.
* **SilentRaid:** The main implant used for persistent access and C2 communication (also known as MystRodX).
* **Bulbature:** An implant used specifically to convert compromised devices into ORBs.
* **Associated Malware (Windows/General China-Nexus):** RedLeaves, ShadowPad.
* **Infrastructure:** Uses dedicated C2 servers alongside compromised devices repurposed as ORBs. A variant of Bulbature used a self-signed certificate (Serial: 81bab2934ee32534) linked to hosts/IPs in China/Hong Kong associated with malware like SuperShell, GobRAT, and Cobalt Strike.
* **IOCs (Hashes):**
* `723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200`
* `59568d0e2da98bad46f0e3165bcf8adadbf724d617ccebcfdaeafbb097b81596`
* `961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d`
## Implications
UAT-7290 represents a significant espionage threat against critical infrastructure in South Asia, leveraging sophisticated custom Linux malware. Their role in setting up ORB infrastructure suggests they may be actively supporting the broader network of China-nexus operations by providing foothold infrastructure for other threat actors.
## Mitigations
* Implement robust detections for the specific malware families: RushDrop, DriveSwitch, SilentRaid, and Bulbature.
* Patch public-facing edge networking products promptly, since the actor relies on **1-day exploits** with public proof-of-concept code, and monitor for exploitation attempts against known vulnerabilities in those products.
* Deploy strong defenses against **SSH brute force** targeting edge devices (key-based authentication, rate limiting, management-plane ACLs restricting SSH to trusted sources) and monitor for repeated authentication failures followed by a success.
* Look for artifacts related to the observed TTPs, such as open-source web shells, persistence mechanisms, and **UDP listeners** in network traffic analysis.
* Apply provided threat intelligence signatures:
* **ClamAV Signatures:** `Unix.Dropper.Agent`, `Unix.Malware.Agent`, `Unix.Packed.Agent`
* **Snort SIDs:** `65124`
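Hunting for the UDP listeners mentioned in the mitigations above can be done on the host itself, not only in network traffic: on Linux every bound UDP socket appears in `/proc/net/udp`. The following is an added example, not Talos' or the report's code: it parses that table (a constructed sample is embedded), decodes the hex address fields, flags listeners on ports outside an allowlist, and maps a socket inode back to the owning process. The allowlist is an assumption to adjust per device, and the address decoding assumes a little-endian Linux host.

```python
"""Audit bound UDP sockets via /proc/net/udp and flag unexpected listeners.

Added example; SAMPLE_PROC_NET_UDP is constructed, not captured from a victim.
"""
import os
from pathlib import Path

# Assumed allowlist for a telecom edge host: DNS, DHCP, NTP, SNMP, IKE, syslog, NAT-T.
EXPECTED_UDP_PORTS = {53, 67, 123, 161, 500, 514, 4500}

# Constructed table: DNS and NTP are expected; 56789/udp on all interfaces as
# root and 50000/udp on 10.0.2.15 as uid 1000 are the kind of thing to chase.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 18877 2 0000000000000000 0
   1: 0100007F:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 19010 2 0000000000000000 0
   2: 00000000:DDD5 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 44120 2 0000000000000000 0
   3: 0F02000A:C350 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 44301 2 0000000000000000 0
"""


def decode_addr(hex_addr):
    """'0F02000A:C350' -> ('10.0.2.15', 50000).

    /proc/net/udp stores the IPv4 address in host byte order, so on a
    little-endian host (assumption) the octets are read back in reverse.
    """
    ip_hex, port_hex = hex_addr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_udp_table(text):
    """Return one dict per bound UDP socket in the table."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "sl":  # header line
            continue
        ip, port = decode_addr(fields[1])
        sockets.append({
            "ip": ip,
            "port": port,
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets


def suspicious_listeners(sockets, expected=EXPECTED_UDP_PORTS):
    """Sockets bound to a port that is not on the allowlist."""
    return [s for s in sockets if s["port"] not in expected]


def inode_to_pids(inode):
    """Map a socket inode to PIDs holding it open by scanning /proc/*/fd (Linux only)."""
    target = f"socket:[{inode}]"
    pids = []
    for fd_dir in Path("/proc").glob("[0-9]*/fd"):
        try:
            if any(os.readlink(fd) == target for fd in fd_dir.iterdir()):
                pids.append(int(fd_dir.parent.name))
        except OSError:
            continue  # process exited or insufficient privileges
    return pids


def audit_live():
    """Read the real table when available; falls back to nothing elsewhere."""
    table = Path("/proc/net/udp")
    if not table.exists():
        return []
    return suspicious_listeners(parse_udp_table(table.read_text()))


if __name__ == "__main__":
    for s in suspicious_listeners(parse_udp_table(SAMPLE_PROC_NET_UDP)):
        print(f"{s['ip']}:{s['port']} uid={s['uid']} inode={s['inode']} pids={inode_to_pids(s['inode'])}")
```

Run as root so `/proc/*/fd` is readable for every process; a listener whose inode maps to no PID, or to a process whose binary lives under `/tmp` or `/dev/shm`, is worth pulling for analysis against the hashes listed above. IPv6 sockets live in `/proc/net/udp6` with a 32-hex-digit address and need a different decoder.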