EXECUTIVE SUMMARY:
A threat actor tracked under the identifier UAT‑7290 has been observed targeting high‑value telecommunications infrastructure, with a primary focus on providers in South Asia and a recent expansion into Southeastern Europe. The actor conducts espionage‑oriented campaigns aimed at gaining initial access and establishing deep network footholds within critical infrastructure environments. Its operations show indicators of significant planning and reconnaissance, and rely on a diverse malware toolkit designed to compromise networked edge devices and maintain persistence on them.
UAT‑7290 is assessed to possess advanced capabilities, carrying out extensive reconnaissance to map targeted environments before launching attacks. The group mainly exploits known one‑day vulnerabilities in publicly facing edge networking devices and performs targeted SSH brute‑force attacks to secure initial access and escalate privileges. Its toolkit is dominated by Linux‑focused malware, including RushDrop, DriveSwitch, and SilentRaid, the last of which is a modular implant that provides persistent remote control, port forwarding, file access, and credential harvesting. In addition, the actor deploys Bulbature, a backdoor that converts compromised systems into Operational Relay Box (ORB) nodes, potentially enabling other threat actors to reuse the access infrastructure. The actor also occasionally leverages known Windows malware such as RedLeaves and ShadowPad in select operations. The combination of custom and open‑source tooling with the establishment of ORB nodes indicates a dual role: an espionage‑centric adversary and an initial access facilitator for other groups.
The continued activity of UAT‑7290 against high‑value telecom targets underscores the need for heightened defensive measures within communications service providers and related sectors. Organizations operating in these environments should prioritize robust perimeter defenses, proactive threat hunting, and the deployment of updated detection signatures to identify and block UAT‑7290's malware and tactics. Given the actor's tradecraft, defenders should also monitor for signs of reconnaissance, SSH brute‑force activity, unauthorized access, and ORB node establishment to reduce the risk of long‑term compromise and lateral exploitation.
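The summary recommends hunting for the SSH brute‑force behaviour attributed to this actor. The following is an added example (not from the report or from any tooling associated with UAT‑7290) showing one way to implement that hunt over sshd authentication logs: it flags a source that crosses a failure threshold inside a time window, and separately flags a successful login from a source that had recently failed several times, since that second pattern is what distinguishes a successful brute force from background noise. The log lines, hostnames, addresses, thresholds and the assumed log year are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format). Hosts and addresses use
# RFC 5737 documentation ranges and describe no real incident.
SAMPLE_LOG = """\
Mar 03 02:14:01 edge-gw sshd[1201]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar 03 02:14:03 edge-gw sshd[1203]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar 03 02:14:05 edge-gw sshd[1205]: Failed password for admin from 203.0.113.7 port 51016 ssh2
Mar 03 02:14:07 edge-gw sshd[1207]: Failed password for invalid user support from 203.0.113.7 port 51018 ssh2
Mar 03 02:14:09 edge-gw sshd[1209]: Failed password for admin from 203.0.113.7 port 51020 ssh2
Mar 03 02:14:12 edge-gw sshd[1211]: Accepted password for admin from 203.0.113.7 port 51022 ssh2
Mar 03 02:20:40 edge-gw sshd[1300]: Failed password for ops from 198.51.100.9 port 40001 ssh2
Mar 03 02:20:55 edge-gw sshd[1302]: Accepted publickey for ops from 198.51.100.9 port 40003 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user x ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# syslog timestamps carry no year; a fixed year is assumed for this example.
LOG_YEAR = 2024


def parse_line(line):
    """Parse one sshd line into an event dict, or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_ssh_bruteforce(log_text, threshold=5, success_after=3,
                          window=timedelta(minutes=5)):
    """Return a list of alert dicts.

    ssh_bruteforce:              a source reaches `threshold` failures in `window`
                                 (emitted once per source).
    ssh_success_after_failures:  a source succeeds after >= `success_after`
                                 failures inside `window` (the high-value signal).
    Thresholds are example values, not tuned for any specific environment.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) for recent failures
    spray_alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent[ev["src"]]
        # Drop failures that have aged out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["src"] not in spray_alerted:
                spray_alerted.add(ev["src"])
                alerts.append({"type": "ssh_bruteforce", "src": ev["src"],
                               "failures": len(q),
                               "users": sorted({u for _, u in q})})
        else:  # Accepted
            if len(q) >= success_after:
                alerts.append({"type": "ssh_success_after_failures",
                               "src": ev["src"], "user": ev["user"],
                               "failures": len(q),
                               "users": sorted({u for _, u in q})})
            q.clear()  # a success closes the failure streak for this source
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, 203.0.113.7 triggers both alert types (five failures across three usernames, then an accepted password for `admin`), while 198.51.100.9's single failure followed by a key-based login produces nothing. In production, feed the function from the journal or auth.log, and treat `ssh_success_after_failures` as the alert to triage first; a source that only generates `ssh_bruteforce` is a candidate for blocking at the edge.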
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Persistence | T1547.006 | Boot or Logon Autostart Execution | Kernel Modules and Extensions |
| Persistence | T1505.003 | Server Software Component | Web Shell |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defense Evasion | T1070.003 | Indicator Removal | Clear Command History |
| Discovery | T1087.001 | Account Discovery | Local Account |
| Discovery | T1046 | Network Service Discovery | — |
| Lateral Movement | T1021.004 | Remote Services | SSH |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details: