Cisco Talos Intelligence Identifies China-Nexus Group UAT-7290 Targeting Telecom Infrastructure in South Asia
Posing Potential Cascading Risks to Government, Military, and Civilian Communications Across the Region

Cisco Talos Intelligence has identified a previously uncatalogued threat actor targeting telecommunications infrastructure in South Asia. Designated UAT-7290, the newly identified China-nexus state-sponsored APT group is said to be responsible for sophisticated cyberattacks on high-value telecommunications infrastructure, with a geographic focus on South Asia but expanding into Southeastern Europe in recent months.
How UAT-7290 Attacks
UAT-7290 conducts cyberespionage and maintains persistent access while also deploying custom malware. The threat actor uses a Linux-based malware suite, according to Cisco Talos Intelligence:
-
RushDrop (also known as ChronosRAT) – This kickstarts the infection chain.
-
DriveSwitch – This is a peripheral malware that executes the main implant.
-
SilentRaid (also known as MystRodX) – This is the main implant that establishes persistent access. It also communicates with its command-and-control (C2) server and carries out malicious tasks.

Additionally, UAT-7290 uses Windows-based implants. The most notable of these is RedLeaves, a malware family attributed to APT10 (also known as Cicada, MenuPass, POTASSIUM, and Purple Typhoon). The group also uses ShadowPad, which is typically employed by Chinese threat actors.
Initial UAT-7290 intrusions rely on one-day vulnerabilities in widely used edge networking products, as well as target-specific SSH brute-force attacks. These entry points are followed by the deployment of backdoors that enable threat actors to exfiltrate sensitive data and maintain long-term access to compromised networks.
UAT-7290 also sets up Operational Relay Box (ORB) nodes as part of its operations. According to Cisco, this ORB infrastructure can later be leveraged by other China-nexus threat actors, highlighting UAT-7290’s dual function as both an espionage-focused group and an initial access broker.
Another tool observed in these campaigns is Bulbature, an implant first disclosed by Sekoia in 2024. Bulbature transforms compromised systems into ORBs, further expanding the group’s relay infrastructure.
Implications for South Asia Cybersecurity
UAT-7290’s activities pose potential cascading risks to government, military, and civilian communications across the region.
Security organisations in affected areas are urged to strengthen their defensive posture by auditing network perimeters for indicators of compromise and deploying advanced threat detection capabilities to counter this evolving espionage campaign.



