
China-Linked UAT-7290 Targets Telecom Networks in South Asia

January 8, 2026

Infosecurity Magazine

Companies Mentioned

Cisco (CSCO)

Why It Matters

The campaign threatens critical telecom services, exposing national infrastructure to persistent espionage and enabling broader Chinese threat‑actor operations via relay nodes.

Key Takeaways

  • UAT-7290 targets South Asian telecom edge devices.
  • Uses one‑day vulnerabilities and SSH brute‑force attacks.
  • Deploys ORB infrastructure for other China‑linked groups.
  • Malware includes RushDrop, DriveSwitch, SilentRaid, Bulbature.
  • Campaign expanded into Southeast Europe in recent months.

Pulse Analysis

Telecommunications networks form the backbone of modern economies, making them prime targets for state‑aligned cyber‑espionage groups. UAT‑7290, a China‑linked actor uncovered by Cisco Talos, has focused on South Asian carriers by infiltrating public‑facing edge devices. By exploiting freshly disclosed (one‑day) vulnerabilities and leveraging SSH brute‑force tactics, the group gains deep, persistent footholds that enable the exfiltration of sensitive traffic and metadata, underscoring the strategic value of telecom infrastructure to nation‑state adversaries.

Technically, UAT‑7290 relies on a modular Linux‑based toolkit rather than custom zero‑day exploits. Core components—RushDrop, DriveSwitch, SilentRaid and Bulbature—work in concert to drop payloads, establish a resilient backdoor, and convert compromised hardware into Operational Relay Boxes (ORBs). These ORBs act as low‑profile pivot points, allowing other China‑nexus groups to route attacks through compromised assets, effectively amplifying the initial intrusion. The group’s preference for publicly available proof‑of‑concept code and rapid weaponization of one‑day flaws highlights a cost‑effective, high‑impact approach that challenges traditional defense models focused on signature‑based detection.

The broader implications extend beyond South Asia. Recent evidence of UAT‑7290 activity in southeastern Europe signals a geographic diversification that could pressure allied networks worldwide. Its overlap with known Chinese APTs such as RedLeaves, ShadowPad and the PLA‑linked Red Foxtrot suggests a coordinated ecosystem where initial‑access operators feed intelligence and infrastructure to more specialized threat actors. Enterprises and telcos should prioritize zero‑trust segmentation, continuous vulnerability management, and threat‑intel integration to detect anomalous edge‑device behavior before ORB infrastructure can be established, thereby mitigating both direct espionage and the cascading risks posed by shared malicious infrastructure.
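One concrete piece of the "detect anomalous edge‑device behavior" advice above is catching the SSH brute‑force stage before it becomes a foothold. The following is an added example, not code from the article or from Cisco Talos: it parses constructed sshd auth‑log lines (the host name, addresses and user names are invented) and raises a sliding‑window alert on repeated failures from one source, escalating it when that same source subsequently logs in successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth log lines (not from the article); host, IPs and
# user names are invented. Five failures then a success from one source.
SAMPLE_LOG = """\
Jan  8 02:14:01 edge-rtr-01 sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan  8 02:14:03 edge-rtr-01 sshd[4122]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan  8 02:14:05 edge-rtr-01 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
Jan  8 02:14:06 edge-rtr-01 sshd[4124]: Failed password for admin from 203.0.113.7 port 51027 ssh2
Jan  8 02:14:08 edge-rtr-01 sshd[4125]: Failed password for ops from 203.0.113.7 port 51030 ssh2
Jan  8 02:14:11 edge-rtr-01 sshd[4126]: Accepted password for ops from 203.0.113.7 port 51033 ssh2
Jan  8 02:20:40 edge-rtr-01 sshd[4130]: Failed password for ops from 198.51.100.9 port 40012 ssh2
Jan  8 02:21:02 edge-rtr-01 sshd[4131]: Accepted publickey for ops from 198.51.100.9 port 40013 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(line, year=2026):
    """Return (timestamp, outcome, user, src) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logins inside a sliding window.
    A success from a source already flagged is escalated to 'high': it is
    the point at which a password-guessing campaign becomes a foothold."""
    events = sorted(e for e in map(parse, log_text.splitlines()) if e)
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = {}
    for ts, outcome, user, src in events:
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if outcome == "Failed":
            failures[src].append(ts)
            if len(failures[src]) >= threshold:
                alerts.setdefault(src, {"severity": "medium", "success_user": None})
                alerts[src]["failures"] = len(failures[src])
        elif src in alerts:
            alerts[src]["severity"] = "high"
            alerts[src]["success_user"] = user
    return alerts
```

On the sample input only 203.0.113.7 is flagged, at severity "high" because the burst of failures ends in an accepted login; a single failure followed by a key‑based login from 198.51.100.9 stays below the threshold and produces no alert.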
