Targets high-value telecommunications infrastructure in South Asia

Jan. 8, 2026, 6:02 p.m.

Description

UAT-7290, a sophisticated threat actor active since 2022, is targeting critical infrastructure entities in South Asia, particularly telecommunications providers. The group's arsenal includes malware families such as RushDrop, DriveSwitch, SilentRaid, and Bulbature. UAT-7290 conducts extensive reconnaissance before intrusions, using one-day exploits and SSH brute force to compromise edge devices. The actor is assessed to be a China-nexus APT, sharing similarities with APT10 and other known Chinese threat groups. UAT-7290 has recently expanded its targeting to Southeastern Europe and may establish Operational Relay Boxes for other China-nexus actors. Its malware suite primarily focuses on Linux systems but can also make use of Windows-based implants.

Date

  • Created: Jan. 8, 2026, 4:30 p.m.
  • Published: Jan. 8, 2026, 4:30 p.m.
  • Modified: Jan. 8, 2026, 6:02 p.m.

Indicators

  • 918fb8af4998393f5195bafaead7c9ba28d8f9fb0853d5c2d75f10e35be8015a
  • 723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200
  • 961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d

Attack Patterns

  • RushDrop
  • BUGJUICE
  • Bulbature
  • DriveSwitch
  • ShadowPad - S0596
  • POISONPLUG.SHADOW
  • RedLeaves - S0153
  • SilentRaid
  • UAT-7290

Additional Information

  • Telecommunications