Full Report
Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of Advanced Persistent Threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South Asia. However, in recent months we have also seen UAT-7290 expand their targeting into Southeastern Europe. In addition to conducting espionage-focused attacks where UAT-7290 burrows…
Analysis Summary
# Threat Actor: UAT-7290
## Attribution & Identity
* **Identification:** Sophisticated threat actor assessed with high confidence to fall under the China-nexus of Advanced Persistent Threat actors (APTs).
* **Known Aliases/Groups:** Associated with China-nexus APTs; uses tooling commonly linked to these groups (e.g., Shadowpad, RedLeaves).
## Activity Summary
UAT-7290 has been active since at least 2022. The actor primarily conducts espionage-focused attacks, burrowing deep into victim network infrastructure. In addition to direct espionage, the actor establishes Operational Relay Box (ORB) nodes, suggesting a dual role as an initial access group that may facilitate malicious operations for other China-nexus actors.
## Tactics, Techniques & Procedures
* Conducts espionage-focused attacks involving deep network infiltration.
* Establishes Operational Relay Box (ORB) infrastructure.
* Leverages an expansive arsenal that includes open-source malware and custom-developed malware.
* Exploits 1-day vulnerabilities in popular edge networking products.
* Primarily uses a Linux-based malware suite.
* May use bespoke Windows implants.
* **Specific Tooling Mentioned:** RedLeaves, Shadowpad.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text; the described activity maps to Initial Access (exploitation of 1-day vulnerabilities in internet-facing edge networking products) and Command and Control (relayed through ORB infrastructure).
## Targeting
* **Sectors:** Telecommunications providers.
* **Geography:** Primarily South Asia; recently expanded targeting into Southeastern Europe.
* **Victims:** Telecommunications providers (specific named organizations not mentioned).
## Tools & Infrastructure
* **Malware families used:** Custom malware, open-source malware, Linux-based malware suite, Windows implants (RedLeaves, Shadowpad).
* **Infrastructure (C2, domains, IPs):** Establishes Operational Relay Box (ORB) nodes, which may be used by other related threat actors.
* **Defanged Information:** No URLs or IP addresses appear in the source text, so nothing required defanging.
## Implications
UAT-7290 is a highly capable, China-nexus APT focused on intelligence gathering within critical telecommunications infrastructure. Their dual role as both an espionage actor and an enabler (via ORB infrastructure) for other China-nexus groups increases their overall strategic impact on the threat landscape.
## Mitigations
* Focus defense efforts on network infrastructure, particularly within the telecommunications sector.
* Patch edge networking products promptly; the actor exploits 1-day vulnerabilities, so the window between vendor disclosure and exploitation should be assumed to be short.
* Monitor Linux hosts and network infrastructure for signs of long-term persistence and Linux-based malware activity.
* Hunt network traffic for indicators associated with known China-nexus backdoors such as Shadowpad and RedLeaves where the organization's sector or region overlaps with the actor's targeting.