
The campaign expands the attack surface of critical telecom infrastructure, enabling persistent espionage and providing a foothold for additional China‑aligned threat actors. This underscores heightened supply‑chain risk for global communications networks.
The emergence of UAT‑7290 illustrates a shift in state‑aligned cyber‑espionage, where attackers prioritize high‑value telecom assets to intercept communications and gather intelligence. By focusing on edge devices (routers, switches, and other network appliances), the group exploits the often‑overlooked security gaps in infrastructure that sits at the boundary between public and private networks. Its reliance on publicly available proof‑of‑concept exploits cuts development time, allowing rapid deployment of malware such as RushDrop, DriveSwitch, and the C++ implant SilentRaid, which together provide a full infection chain from initial access to persistent control. The flip side of that reliance is that the exploited weaknesses are already public, so prompt patching of exposed appliances removes the group's cheapest entry point.
A distinctive element of UAT‑7290's methodology is the creation of Operational Relay Box (ORB) nodes. These compromised devices act as relay points, extending the reach of other China‑linked actors and effectively turning victim infrastructure into a shared platform for malicious operations. This dual‑role strategy blurs the line between an initial access group and a service provider for broader espionage campaigns, widening the threat to any organization that relies on vulnerable edge hardware, since a device that has been turned into a relay may be carrying traffic for actors that were never part of the original intrusion.
The overlap with established groups like Stone Panda and RedFoxtrot signals a coordinated ecosystem rather than isolated actors. For telecom operators and their downstream customers, the implications are clear: robust patch management, rigorous SSH hardening, and continuous monitoring of network device behavior are essential defenses. Because ORB nodes are valuable precisely as relays, unexpected outbound connections or unexplained configuration changes on edge devices deserve the same scrutiny as inbound exploitation attempts. As supply‑chain attacks become more prevalent, the industry must adopt zero‑trust principles and invest in threat‑intelligence sharing to mitigate the cascading risks posed by actors such as UAT‑7290.