The European Pivot: China-Linked UAT-7290 Targets Telecoms with SilentRaid
The Cisco Talos intelligence unit has reported a significant geographical expansion in the activities of a threat actor utilizing sophisticated Linux malware to target telecommunication entities. While these operations were previously concentrated within Southern Asia, the group’s signature tools and methodologies have recently manifested across Southeastern Europe.
Within Cisco’s analytical framework, this collective is monitored under the designation UAT-7290. Based on a constellation of technical signatures, researchers have attributed the group to Chinese interests, with active operations dating back to at least 2022. The group serves a dual strategic purpose: executing its own espionage-driven incursions while simultaneously cultivating primary access infrastructure to be leveraged by affiliated Chinese cyber-espionage cohorts.
A cornerstone of their operational doctrine is the deployment of Operational Relay Boxes (ORBs). These consist of compromised servers and network appliances repurposed into intermediary nodes to orchestrate attacks and obfuscate the provenance of malicious traffic. UAT-7290 establishes these nodes during the nascent stages of a breach, providing a resilient foundation for subsequent actors.
The group’s modus operandi involves exhaustive reconnaissance of a target prior to engagement. Infiltration is achieved through a bespoke amalgam of proprietary tools, open-source utilities, and public exploits targeting known vulnerabilities in perimeter network devices. Cisco Talos observes that the group aggressively capitalizes on “one-day” exploits and targeted SSH credential harvesting to compromise internet-facing hardware, subsequently establishing persistence and escalating privileges.
While their primary focus remains Linux-based systems, Windows components occasionally surface in their arsenal—notably RedLeaves and ShadowPad, malware families with a long history of shared use among Chinese state-sponsored groups. The Linux infection sequence initiates with the RushDrop dropper (also known as ChronosRAT). This component orchestrates the initial execution phase, performing anti-virtualization checks before establishing a concealed .pkgdb directory. It then extracts several embedded binaries, including the DriveSwitch helper, the SilentRaid primary implant, and a legitimate BusyBox utility repurposed for command execution.
DriveSwitch acts as a facilitator, its sole mission being the initialization of SilentRaid within the compromised environment. SilentRaid (alternatively designated as MystRodX) serves as the quintessential persistent implant. Authored in C++ and adopting a modular architecture, it incorporates fundamental anti-analysis protections. For command-and-control (C2) communication, it leverages Google’s public DNS resolver. Its capabilities are extensive, encompassing remote shell access, port forwarding, file manipulation, directory archiving via tar, and the exfiltration of sensitive data from /etc/passwd and X.509 certificates.
A distinct role is occupied by Bulbature, a UPX-packed Linux malware whose primary function is the transformation of infected hosts into ORB nodes. Bulbature establishes reverse shells, monitors configurable ports, and maintains C2 configurations within temporary files (e.g., /tmp/*.cfg). It facilitates dynamic C2 infrastructure shifts and utilizes a specific self-signed TLS certificate.
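A host-level hunt for the on-disk artifacts described above (the hidden .pkgdb directory staged by RushDrop, *.cfg files under /tmp used by Bulbature, and UPX-packed ELF binaries), added here as an example and not Cisco Talos tooling. The sample file layout, file names and config contents are constructed for the demonstration, and the UPX! tag check is a generic packer heuristic rather than a family-specific signature.

```python
"""Hunt for on-disk artifacts described above (added example, not Talos tooling):
the hidden .pkgdb directory, *.cfg files under /tmp, and UPX-packed ELF files."""
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # tag UPX leaves in the packed file; a heuristic, not a signature


def is_upx_packed_elf(path: Path) -> bool:
    """True if the file is an ELF whose first 64 KiB carries the UPX! tag."""
    try:
        with path.open("rb") as fh:
            head = fh.read(65536)
    except OSError:
        return False
    return head.startswith(ELF_MAGIC) and UPX_MARKER in head


def hunt(root: Path) -> list[dict]:
    """Walk `root` (Path('/') on a live host); return [{'kind':..., 'path':...}]."""
    findings = []
    tmp_dir = root / "tmp"
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name == ".pkgdb":  # RushDrop stages its payloads in a hidden .pkgdb dir
            findings.append({"kind": "hidden_pkgdb_dir", "path": str(d)})
        for name in filenames:
            f = d / name
            if d == tmp_dir and name.endswith(".cfg"):  # Bulbature C2 config location
                findings.append({"kind": "tmp_cfg_file", "path": str(f)})
            if is_upx_packed_elf(f):
                findings.append({"kind": "upx_packed_elf", "path": str(f)})
    return findings


def build_sample_tree() -> Path:
    """Constructed sample layout (no real malware): one of each artifact plus benign files."""
    root = Path(tempfile.mkdtemp())
    pkgdb = root / "var" / "lib" / ".pkgdb"
    pkgdb.mkdir(parents=True)
    (pkgdb / "dsw").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 60 + UPX_MARKER + b"\0" * 32)
    (root / "tmp").mkdir()
    (root / "tmp" / "s4x.cfg").write_text("host=203.0.113.7 port=443\n")  # RFC 5737 doc address
    (root / "tmp" / "notes.txt").write_text("benign\n")
    (root / "usr").mkdir()
    (root / "usr" / "ls").write_bytes(ELF_MAGIC + b"\0" * 64)  # plain ELF, must not fire
    return root
```

Calling hunt(build_sample_tree()) yields exactly three findings, one per artifact kind; on a real host pass Path('/') and review each hit against package metadata before acting on it.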
Notably, Cisco Talos has identified this identical certificate on 141 hosts situated in China and Hong Kong. These IP addresses have historical associations with various malware families, including SuperShell, GobRAT, and Cobalt Strike beacons, further reinforcing the link to broader regional threat ecosystems.