{
  "name": "Targets high value telecommunications infrastructure in South Asia",
  "slug": "targets-high-value-telecommunications-infrastructure-in-south-asia",
  "description": "UAT-7290, a sophisticated threat actor active since 2022, is targeting critical infrastructure entities in South Asia, particularly telecommunications providers. The group's arsenal includes malware families like RushDrop, DriveSwitch, SilentRaid, and Bulbature. UAT-7290 conducts extensive reconnaissance before intrusions, using one-day exploits and SSH brute force to compromise edge devices. The actor is believed to be a China-nexus APT, sharing similarities with APT10 and other known Chinese threat groups. UAT-7290 has recently expanded its targeting to Southeastern Europe and may establish Operational Relay Boxes for other China-nexus actors. Their malware suite primarily focuses on Linux systems but can also utilize Windows-based implants.",
  "published": "2026-01-08T15:30:51+00:00",
  "created_at": "2026-01-08T15:30:51+00:00",
  "modified_at": "2026-01-08T17:02:10+00:00",
  "created_at_opencti": "2026-01-08T15:30:51+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-08",
    "bulbature",
    "china-nexus",
    "driveswitch",
    "espionage",
    "redleaves",
    "rushdrop",
    "shadowpad",
    "silentraid",
    "telecommunications"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "918fb8af4998393f5195bafaead7c9ba28d8f9fb0853d5c2d75f10e35be8015a"
      },
      {
        "id": "",
        "name": "723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200"
      },
      {
        "id": "",
        "name": "961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d"
      }
    ],
    "malware": [
      {
        "id": "28d9f1aa-9a2a-4ed7-93ff-6690ce171bbb",
        "name": "RushDrop",
        "slug": "rushdrop"
      },
      {
        "id": "legacy:malware:9446bcde9eb2125b",
        "name": "ShadowPad",
        "slug": "shadowpad"
      },
      {
        "id": "992fc45d-f763-4617-935a-ceec7ce8f2d5",
        "name": "RedLeaves",
        "slug": "redleaves"
      },
      {
        "id": "1ace8ccb-42c9-414e-af8e-934a28474193",
        "name": "Bulbature",
        "slug": "bulbature"
      },
      {
        "id": "264d8fe8-2d88-4d27-8d7c-17ced4d2fdc2",
        "name": "DriveSwitch",
        "slug": "driveswitch"
      },
      {
        "id": "6eb1e541-4ae8-42dd-87c4-197534c82ca3",
        "name": "ShadowPad - S0596",
        "slug": "shadowpad-s0596"
      },
      {
        "id": "869b574e-16a2-4c7b-a12e-03b8c8f78b9f",
        "name": "RedLeaves - S0153",
        "slug": "redleaves-s0153"
      },
      {
        "id": "f417564b-4faf-403a-a2d0-88e057624c0d",
        "name": "SilentRaid",
        "slug": "silentraid"
      }
    ],
    "intrusion_sets": [
      {
        "id": "594c836b-f7d7-429b-b11a-163e2ff53cbb",
        "name": "UAT-7290",
        "slug": "uat-7290"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Telecommunications"
      }
    ]
  },
  "external_refs": [
    "https://blog.talosintelligence.com/uat-7290/",
    "https://otx.alienvault.com/pulse/695fdbbb0807269153b514aa"
  ]
}