Original Article Text

New China-linked hackers breach telcos using edge device exploits

A sophisticated threat actor that uses Linux-based malware to target telecommunications providers has recently broadened its operations to include organizations in Southeastern Europe.

Tracked internally by Cisco Talos as UAT-7290, the actor shows strong China nexus indicators and typically focuses on telcos in South Asia in cyber-espionage operations.

Active since at least 2022, the UAT-7290 group also serves as an initial access group by establishing an Operational Relay Box (ORB) infrastructure during the attacks, which is then utilized by other China-aligned threat actors.

According to the researchers, the hackers conduct extensive reconnaissance before a breach and deploy a mix of custom and open-source malware and public exploits for known flaws in edge network devices.

"UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access and escalate privileges on compromised systems," Cisco Talos says in a report today.

UAT-7290 arsenal

UAT-7290 primarily uses a Linux-based malware suite, with occasional deployments of Windows implants such as RedLeaves and ShadowPad, which are widely shared among multiple China-nexus actors.

Cisco highlights the following Linux malware families, linking them to UAT-7290:

The Bulbature TLS certificate, which is the same as the one Sekoia documented previously, is found on 141 China- and Hong Kong-based hosts, whose IPs have been associated with other malware families such as SuperShell, GobRAT, and Cobalt Strike beacons.

Cisco Talos' report provides technical details about the malware used by UAT-7290, along with a list of indicators of compromise to help organizations defend against this threat actor.
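The report quoted above names target-specific SSH brute force against public-facing edge devices as one of UAT-7290's initial-access methods. The following is an added detection example written for this summary; it is not code from Cisco Talos or from the article. It parses sshd authentication log lines in the standard syslog format, flags a source that produces a burst of failed logins within a sliding window, and raises a higher-priority alert when a successful login from that same source follows the burst, which is the pattern a defender most wants to catch. The log lines are constructed, and the threshold and window values are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not taken from any real host.
SAMPLE_LOG = """\
Mar 10 08:00:01 edge-gw sshd[4120]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 10 08:00:03 edge-gw sshd[4121]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 10 08:00:04 edge-gw sshd[4122]: Failed password for invalid user admin from 203.0.113.45 port 51041 ssh2
Mar 10 08:00:06 edge-gw sshd[4123]: Failed password for root from 203.0.113.45 port 51055 ssh2
Mar 10 08:00:09 edge-gw sshd[4124]: Failed password for root from 203.0.113.45 port 51060 ssh2
Mar 10 08:00:12 edge-gw sshd[4125]: Accepted password for root from 203.0.113.45 port 51071 ssh2
Mar 10 08:15:00 edge-gw sshd[4300]: Failed password for ops from 198.51.100.7 port 40001 ssh2
Mar 10 08:16:30 edge-gw sshd[4301]: Accepted publickey for ops from 198.51.100.7 port 40002 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict with ts/result/user/src for an auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for window arithmetic within a single log. Collapse the double space of "Mar  5".
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"),
            "user": m.group("user"), "src": m.group("src")}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside a sliding window, and any
    successful login from such a source while the burst is still in the window.
    threshold and window_seconds are assumed tuning values, not from the report."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = []            # timestamps of failures still inside the window
        burst_reported = False
        for e in evs:
            fails = [t for t in fails if (e["ts"] - t).total_seconds() <= window_seconds]
            if e["result"] == "Failed":
                fails.append(e["ts"])
                if len(fails) >= threshold and not burst_reported:
                    alerts.append({"kind": "burst", "src": src,
                                   "failures": len(fails), "at": e["ts"]})
                    burst_reported = True
            elif len(fails) >= threshold:
                # A success right after a burst is the strongest signal: the
                # brute force may have worked and this session warrants review.
                alerts.append({"kind": "success_after_burst", "src": src,
                               "user": e["user"], "failures": len(fails), "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

Only the first source trips the detector: five failures within twelve seconds produce a burst alert, and the accepted password login three seconds later is escalated because the failures are still inside the window. The second source, one failure followed by a key-based login ninety seconds later, is ordinary operator behaviour and stays quiet. On a real edge device the same logic would run over the device's forwarded auth log, and the success-after-burst alert is the one to route to an analyst first.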

Daily Brief Summary

NATION STATE ACTIVITY // China-Linked UAT-7290 Expands Cyber Operations to Southeastern Europe

Cisco Talos has identified UAT-7290, a China-linked group, targeting telecommunications providers in Southeastern Europe with sophisticated Linux-based malware.

The group, active since at least 2022, primarily focuses on cyber-espionage against South Asian telcos, expanding its reach and operational scope.

UAT-7290 establishes an Operational Relay Box infrastructure, facilitating access for other China-aligned threat actors, indicating a coordinated effort.

The attackers employ a combination of custom and open-source malware, leveraging known vulnerabilities in edge network devices for initial access.

Techniques include one-day exploits and SSH brute force attacks to compromise and escalate privileges on public-facing edge devices.

The malware suite includes Linux-based tools and occasionally Windows implants like RedLeaves and ShadowPad, shared among China-nexus actors.

Cisco Talos provides detailed technical insights and indicators of compromise to aid organizations in defending against UAT-7290's activities.