In the intricate and often clandestine world of cyber warfare, a new kind of adversary has emerged, one that not only infiltrates networks to steal secrets for itself but also expertly builds and rents out the digital keys to the kingdom for other malicious actors to use. This newly uncovered threat actor, tracked as UAT-7290, is blurring the traditional lines between direct espionage and the broader, shadowy economy of cybercrime. Active for at least four years, the group’s sophisticated operations raise a critical question for the global security community: does this hybrid model represent the next evolution in state-sponsored digital campaigns, creating a more interconnected and resilient threat ecosystem?
When Is a Hacker Also a Landlord for Other Hackers?
The core identity of UAT-7290 challenges conventional threat actor classifications. While many groups focus on a singular objective, such as data exfiltration or financial gain, this adversary operates with a dual purpose that significantly amplifies its impact. On one hand, it functions as a classic espionage unit, meticulously gathering intelligence from high-value targets. On the other, it acts as a foundational access provider, a digital landlord of sorts, preparing compromised networks and selling or leasing access to other state-aligned groups.
This two-pronged strategy marks a strategic shift in cyber operations. By creating and maintaining a persistent foothold within critical networks, UAT-7290 not only serves its own intelligence objectives but also enables a wider network of affiliates to launch their own campaigns with greater speed and anonymity. This model makes attribution more difficult and allows state sponsors to leverage a diverse portfolio of attack capabilities through a single, highly skilled initial access team. The group’s activities therefore signal a more collaborative and modular approach to state-backed hacking.
Targeting the World’s Digital Backbone
UAT-7290 directs its efforts toward some of the most sensitive and critical targets imaginable: the world’s digital backbone. The group has shown a distinct preference for infiltrating telecommunications providers, the foundational pillars of modern communication and internet infrastructure. By compromising these networks, attackers gain an unparalleled vantage point from which to monitor, intercept, or disrupt vast flows of information, affecting governments, businesses, and private citizens alike. The implications of such a breach extend far beyond data theft, posing a direct threat to national security and economic stability.
Initially concentrating its operations in South Asia, UAT-7290 has demonstrated both ambition and a growing operational reach. Recent intelligence has revealed the group’s expansion into new territories, with confirmed intrusions against telecommunications entities in Southeastern Europe. This geographical expansion underscores the actor’s persistent and evolving threat profile. It suggests a strategic mandate to establish a global network of compromised infrastructure, positioning itself to influence geopolitical events and gather intelligence across multiple continents.
Anatomy of an Intrusion: The UAT-7290 Playbook
The group’s technical proficiency is evident in its systematic approach to gaining and maintaining access. For the initial breach, UAT-7290 employs a pragmatic and effective methodology. Rather than investing resources in developing zero-day exploits, the actor capitalizes on “one-day” vulnerabilities—flaws for which a patch has been released but has not yet been applied by network defenders. It leverages publicly available proof-of-concept exploits to target public-facing edge devices, supplementing this with target-specific SSH brute-force attacks to gain an initial foothold.
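The SSH brute-force stage of this playbook is the one step a defender can catch directly in host logs. The example below is added here and is not code from the report or from any vendor tooling: it parses constructed Linux sshd auth.log lines (hostname, addresses and the year are assumptions) and flags a source that fails repeatedly within a short window, as well as a successful login that follows such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in syslog auth.log format; not taken from the report.
SAMPLE_LOG = """\
Mar  3 02:14:01 edge-gw1 sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:03 edge-gw1 sshd[2213]: Failed password for admin from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:05 edge-gw1 sshd[2215]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
Mar  3 02:14:07 edge-gw1 sshd[2217]: Failed password for root from 203.0.113.45 port 51055 ssh2
Mar  3 02:14:09 edge-gw1 sshd[2219]: Failed password for root from 203.0.113.45 port 51060 ssh2
Mar  3 02:14:12 edge-gw1 sshd[2221]: Accepted password for root from 203.0.113.45 port 51068 ssh2
Mar  3 02:20:00 edge-gw1 sshd[2300]: Failed password for ops from 198.51.100.7 port 40011 ssh2
Mar  3 02:21:30 edge-gw1 sshd[2305]: Accepted publickey for ops from 198.51.100.7 port 40015 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port"
)
WINDOW_SECONDS = 60   # sliding window for counting failures per source
FAIL_THRESHOLD = 5    # failures within the window that constitute a burst

def parse_line(line):
    """Return (timestamp, outcome, user, source) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    # syslog lines carry no year; 2024 is an assumption for the sample data
    when = datetime.strptime(" ".join(ts.split()) + " 2024", "%b %d %H:%M:%S %Y")
    return when, outcome, user, src

def detect_brute_force(log_text, window=WINDOW_SECONDS, threshold=FAIL_THRESHOLD):
    """Return alerts as (source, kind, detail); kind is 'burst' or 'success_after_failures'."""
    recent = defaultdict(deque)  # source -> timestamps of failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        when, outcome, user, src = parsed
        q = recent[src]
        while q and (when - q[0]).total_seconds() > window:
            q.popleft()  # drop failures that aged out of the window
        if outcome == "Failed":
            q.append(when)
            if len(q) == threshold:  # fire once, when the threshold is crossed
                alerts.append((src, "burst", f"{threshold} failures within {window}s"))
        elif q:  # a successful login right after failures is the higher-fidelity signal
            alerts.append((src, "success_after_failures", f"user {user} after {len(q)} failures"))
            q.clear()
    return alerts
```

On the sample, 203.0.113.45 produces both a burst alert and a success-after-failures alert, while the single stale failure from 198.51.100.7 is aged out before its key-based login and produces nothing.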
Once inside, UAT-7290 deploys a sophisticated, multi-stage malware arsenal designed for Linux-based systems, which are common in telecommunications environments. The infection chain begins with RushDrop, a dropper that initiates the compromise. This is followed by DriveSwitch, a secondary component responsible for executing the main payload, SilentRaid. This core implant is engineered for long-term espionage, establishing persistent access, communicating with command-and-control servers, and executing commands at the behest of the operators. This layered approach ensures redundancy and stealth, making detection and removal exceptionally difficult.
Moreover, UAT-7290 demonstrates operational flexibility by not limiting itself to a single operating system. In addition to its primary Linux toolset, the group has been observed deploying well-known Windows implants, including RedLeaves and ShadowPad. The use of these tools, which are commonly associated with other prominent China-nexus threat actors, not only shows the group’s adaptability but also provides the first technical clues linking it to a larger, state-sponsored apparatus.
A Dual Identity: Unpacking UAT-7290’s Two-Fold Mission
The evidence clearly paints a picture of UAT-7290 as a methodical espionage agent. Detailed technical reconnaissance precedes every intrusion, and the custom design of the SilentRaid implant is geared specifically for persistent, covert intelligence gathering. Its capabilities for command execution and stealthy communication are hallmarks of a group focused on long-term strategic access rather than short-term disruptive attacks. This behavior aligns perfectly with the objectives of a state-sponsored intelligence-gathering unit.
In stark contrast, however, is the group’s second function as an access broker, a role facilitated by a distinct piece of malware known as Bulbature. Unlike SilentRaid, Bulbature is not designed for spying. Its sole purpose is to convert a compromised system into an Operational Relay Box (ORB), a fortified and hidden node within a larger network of hacked devices. These ORBs effectively serve as launchpads and proxy servers, creating a resilient and anonymized infrastructure for malicious activities.
This ORB network is the key to UAT-7290’s role as a facilitator. The infrastructure created by Bulbature is leveraged by other China-nexus threat actors, who can then conduct their own operations without needing to perform the difficult and risky work of gaining initial access themselves. This symbiotic relationship positions UAT-7290 as a force multiplier, a foundational element that enhances the capabilities and deniability of an entire ecosystem of affiliated threat groups.
Connecting the Dots: Tracing UAT-7290’s State-Sponsored Lineage
Attribution in cyberspace is notoriously difficult, but a significant body of evidence connects UAT-7290 to known China-nexus adversaries. This assessment is built on overlapping tactics, techniques, and procedures, including a shared penchant for exploiting high-profile vulnerabilities in networking devices. Further technical links have been established through the use of malware like RedLeaves, publicly attributed to APT10, and infrastructure tied to the notorious ShadowPad backdoor.
The most compelling connection, however, is the substantial overlap in victimology, infrastructure, and tooling with a group identified as Red Foxtrot. Previous open-source intelligence reporting has linked Red Foxtrot directly to the Chinese People’s Liberation Army (PLA) Unit 69010, a signals intelligence unit within China’s military. This association provides strong evidence that UAT-7290 is not a rogue entity but rather an operational component of a state-directed cyber program. To aid network defenders, security researchers have provided key ClamAV signatures for detection, including Unix.Dropper.Agent, Unix.Malware.Agent, and Unix.Packed.Agent.
The emergence of UAT-7290 represents a significant evolution in the landscape of cyber espionage, demonstrating a sophisticated model that merges direct intelligence gathering with the broader role of an access facilitator. The group’s activities underscore the growing complexity and collaborative nature of state-sponsored threats, where the lines between distinct adversarial groups are increasingly blurred. Ultimately, the challenge posed by this hybrid actor highlights the critical need for defenders to adopt a more holistic security posture, one that not only protects against a single point of entry but also recognizes how a compromised system can become an unwilling accomplice in a much larger, interconnected campaign.