China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes

These articles are AI-generated summaries. Please check the original sources for full details.

The threat actor UAT-7290, attributed to China, has been conducting espionage against telecom providers in South Asia and Southeastern Europe since at least 2022, using a mix of open-source and custom malware. Its intrusions follow a multi-stage attack chain that ends in persistent access, and the group may also act as an initial access provider for other groups.

Why This Matters

Real-world intrusions rarely require novel tradecraft, and UAT-7290's reliance on publicly available exploits shows how far practice sits from the idealized picture of nation-state capability. Telecom networks are critical infrastructure, and a successful breach can cause widespread service disruption and data exfiltration, with costs running into millions of dollars per incident: according to IBM, the average data breach cost in 2023 was $4.45 million.

Key Insights

  • RushDrop/ChronosRAT malware: The dropper used for initial infection, starting the attack chain (Cisco Talos, 2026).
  • ORB Infrastructure: By standing up Operational Relay Boxes (ORBs), UAT-7290 can serve as an initial access point for other China-nexus actors.
  • Exploit Reliance: The group prefers publicly available proof-of-concept exploit code, which cuts development time and cost.

Practical Applications

  • Use Case: Telecom providers in South Asia seeing targeted reconnaissance followed by malware deployment, a pattern consistent with espionage rather than opportunistic crime.
  • Pitfall: Relying on vendor-supplied mitigations alone, without proactively hunting for indicators of compromise (IOCs) associated with UAT-7290 tooling (dropper hashes, relay domains, ORB addresses).
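The proactive hunt the pitfall above calls for can be scripted against exported host, DNS and connection telemetry. The following Python is an added example written for this summary; it is not code from Cisco Talos or from the source article, and it contains no real UAT-7290 indicators: the summary publishes none, so every hash, domain and address below is a constructed placeholder, as are the log lines. It matches each line against an indicator set and then correlates hits per host, flagging hosts where a file-level indicator (dropper) and a network-level indicator (relay) both appear, which is a stronger signal of a completed dropper-to-relay chain than either hit alone.

```python
"""IOC hunt over key=value telemetry with per-host correlation (added example)."""
import re
from collections import defaultdict

# Constructed indicator set for the demo. None of these are real UAT-7290
# indicators; in practice this is loaded from the vendor report or a TIP.
IOCS = {
    "sha256": {"deadbeef" * 8},             # placeholder dropper hash
    "domain": {"relay-example.invalid"},   # placeholder ORB relay domain
    "ip":     {"203.0.113.10"},            # RFC 5737 documentation address
}

# Constructed telemetry lines standing in for an EDR/DNS/netflow export.
SAMPLE_LOGS = [
    "2026-01-10T03:14:07Z host=pbx01 event=process_start sha256="
    + "deadbeef" * 8 + " path=/tmp/.cache/upd",
    "2026-01-10T03:14:09Z host=pbx01 event=dns_query qname=c2.relay-example.invalid",
    "2026-01-10T03:14:11Z host=pbx01 event=net_connect dst=203.0.113.10:443",
    "2026-01-10T03:15:00Z host=web02 event=dns_query qname=updates.example.com",
    "2026-01-10T03:16:30Z host=web02 event=net_connect dst=198.51.100.7:443",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def _domain_matches(qname, domains):
    """True for an exact listed domain or any subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def hunt(lines, iocs=IOCS):
    """Return one hit record per log line that touches a listed indicator."""
    hits = []
    for line in lines:
        f = parse_line(line)
        hit = None
        if f.get("sha256") in iocs["sha256"]:
            hit = ("sha256", f["sha256"])
        elif "qname" in f and _domain_matches(f["qname"], iocs["domain"]):
            hit = ("domain", f["qname"])
        elif "dst" in f and f["dst"].rsplit(":", 1)[0] in iocs["ip"]:
            hit = ("ip", f["dst"])
        if hit:
            hits.append({"ts": f["ts"], "host": f.get("host", "?"),
                         "type": hit[0], "value": hit[1]})
    return hits


def correlate(hits):
    """Hosts with both a file-level and a network-level hit: the dropper ran
    and the host then reached relay infrastructure, so triage these first."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add("file" if h["type"] == "sha256" else "network")
    return sorted(host for host, kinds in by_host.items()
                  if kinds == {"file", "network"})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['type']} {h['value']}")
    print("hosts with full dropper-to-relay chain:", correlate(found))
```

Exact-match hunting like this only catches indicators you already hold; pair it with behavioural rules (unexpected executables under /tmp, outbound connections from voice or signalling hosts that never need them) so that a renamed dropper or a freshly provisioned relay still surfaces.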
