UAT-7290 targets high value telecommunications infrastructure in South Asia

Ruslan Mikhalov Chief of Threat Research at SOC Prime

UAT-7290 targets high value telecommunications infrastructure in South Asia

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

UAT-7290 is a China-linked advanced persistent threat group assessed to be active since at least 2022. It prioritizes initial access to edge networking devices and runs espionage-focused intrusions against telecommunications providers in South Asia, with more recent activity extending into Southeast Europe. The group’s toolset spans Linux implants—RushDrop, DriveSwitch, SilentRaid, and Bulbature—and Windows payloads such as RedLeaves and ShadowPad. UAT-7290 also maintains Operational Relay Box (ORB) infrastructure that can be repurposed to relay traffic for other threat actors.

Investigation

Cisco Talos analyzed relevant samples and documented a staged Linux infection chain that begins with the RushDrop dropper creating a concealed .pkgdb directory. Subsequent stages deploy DriveSwitch and then the primary implant SilentRaid. These components use DNS resolution through public resolvers to reach command-and-control and support capabilities such as command execution, file management, and reverse shell establishment. Bulbature functions as an ORB node, listening on configurable ports and using a recurring self-signed certificate that Talos noted across numerous Chinese-hosted systems.

Mitigation

Harden edge networking devices by eliminating default credentials, restricting management exposure, and rapidly patching known one-day vulnerabilities. Monitor for anomalous DNS behavior—especially unexpected queries routed to public resolvers—along with unusual BusyBox command usage and the appearance of unfamiliar binaries within hidden directories. Where applicable, deploy endpoint and network protections capable of detecting the referenced ClamAV signatures and Snort SID 65124, and ensure alerting is wired to SOC workflows.

Response

If suspicious activity is identified, isolate the affected device, capture volatile memory and disk images, and immediately block any confirmed C2 domains or IP addresses. Perform targeted forensics on the .pkgdb directory, /tmp configuration artifacts, and any evidence of spawned reverse shells. Reset compromised credentials, rotate SSH keys, and validate that no ORB nodes remain operational inside the environment.

"graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#ffe699 classDef malware fill:#ffcccc classDef operator fill:#ff9900 %% Reconnaissance phase phase_recon["Phase – Reconnaissance"] class phase_recon action tech_active_scanning["Technique – T1595 Active Scanning Description: Identify services, versions, and configurations of target infrastructure."] class tech_active_scanning action tech_search_closed_sources["Technique – T1597.001 Search Closed Sources Description: Gather intelligence from vendor reports and other nonu2011public sources."] class tech_search_closed_sources action %% Initial Access phase phase_initial["Phase – Initial Access"] class phase_initial action tech_exploit_public_facing["Technique – T1190 Exploit Publicu2011Facing Application Description: Use vulnerabilities in internetu2011exposed devices to gain a foothold."] class tech_exploit_public_facing action tech_ssh_remote["Technique – T1021.004 Remote Services (SSH) Description: Access target devices over SSH."] class tech_ssh_remote action tech_ssh_hijack["Technique – T1563.001 Remote Service Session Hijacking Description: Hijack existing SSH sessions to bypass authentication."] class tech_ssh_hijack action tool_bruteforce["Tool – Name: SSH Bruteforce Script Description: Attempts credential guessing on SSH services."] class tool_bruteforce tool %% Execution & Defense Evasion phase phase_exec["Phase – Execution & Defense Evasion"] class phase_exec action tech_vm_evasion["Technique – T1497 Virtualization/Sandbox Evasion Description: Detects analysis environments and modifies behavior."] class tech_vm_evasion action tech_unix_shell["Technique – T1059.004 Command and Scripting Interpreter: Unix Shell Description: Executes commands via /bin/sh or busybox."] class tech_unix_shell action tech_obfuscation["Technique – T1027 Obfuscated Files or Information Description: Uses packing or encoding to hide malicious code."] class tech_obfuscation action tech_data_obfuscation["Technique – T1001 Data Obfuscation Description: Alters data to avoid detection."] class tech_data_obfuscation action tech_masquerade["Technique – T1036.008 Masquerading: Masquerade File Type Description: Renames binaries to appear as legitimate files."] class tech_masquerade action malware_rushdrop["Malware – Name: RushDrop Description: Payload delivered after exploitation, compressed with UPX."] class malware_rushdrop malware malware_driveswitch["Malware – Name: DriveSwitch Description: Uses busybox for command execution."] class malware_driveswitch malware %% Privilege Escalation phase phase_priv_esc["Phase – Privilege Escalation"] class phase_priv_esc action tech_exploit_priv["Technique – T1068 Exploitation for Privilege Escalation Description: Leverages vulnerable components to gain higher rights."] class tech_exploit_priv action tech_abuse_elevation["Technique – T1548 Abuse Elevation Control Mechanism Description: Manipulates mechanisms that grant elevated privileges."] class tech_abuse_elevation action %% Credential Access & Discovery phase phase_cred_disc["Phase – Credential Access & Discovery"] class phase_cred_disc action tech_credential_dump["Technique – T1003.008 OS Credential Dumping Description: Reads /etc/passwd and /etc/shadow for passwords."] class tech_credential_dump action tech_system_info["Technique – T1082 System Information Discovery Description: Collects hostname, OS version, and hardware details."] class tech_system_info action tech_software_collect["Technique – T1592.002 Gather Victim Host Information: Software Description: Enumerates installed software packages."] class tech_software_collect action tech_hardware_collect["Technique – T1592.001 Gather Victim Host Information: Hardware Description: Retrieves CPU, memory, and device data."] class tech_hardware_collect action %% Lateral Movement phase phase_lateral["Phase – Lateral Movement"] class phase_lateral action tech_internal_proxy["Technique – T1090.001 Proxy: Internal Proxy Description: Relays traffic through compromised internal hosts."] class tech_internal_proxy action tech_external_proxy["Technique – T1090.002 Proxy: External Proxy Description: Uses external proxy services to hide origin."] class tech_external_proxy action tech_protocol_tunnel["Technique – T1572 Protocol Tunneling Description: Encapsulates traffic within allowed protocols."] class tech_protocol_tunnel action tech_nonstandard_port["Technique – T1571 Nonu2011Standard Port Description: Communicates over uncommon ports to evade detection."] class tech_nonstandard_port action %% Command & Control phase phase_c2["Phase – Command & Control"] class phase_c2 action tech_dead_drop["Technique – T1102.001 Web Service: Dead Drop Resolver Description: Resolves C2 domains via public DNS queries."] class tech_dead_drop action tech_one_way["Technique – T1102.003 Web Service: Oneu2011Way Communication Description: Sends data to C2 over DNS without receiving responses."] class tech_one_way action tech_data_encoding["Technique – T1132 Data Encoding Description: Encodes command results before transmission."] class tech_data_encoding action %% Connections phase_recon –>|uses| tech_active_scanning phase_recon –>|uses| tech_search_closed_sources phase_initial –>|leverages| tech_exploit_public_facing phase_initial –>|leverages| tech_ssh_remote phase_initial –>|leverages| tech_ssh_hijack phase_initial –>|uses| tool_bruteforce phase_exec –>|employs| tech_vm_evasion phase_exec –>|executes| tech_unix_shell phase_exec –>|applies| tech_obfuscation phase_exec –>|applies| tech_data_obfuscation phase_exec –>|applies| tech_masquerade phase_exec –>|delivers| malware_rushdrop phase_exec –>|delivers| malware_driveswitch phase_priv_esc –>|uses| tech_exploit_priv phase_priv_esc –>|uses| tech_abuse_elevation phase_cred_disc –>|performs| tech_credential_dump phase_cred_disc –>|performs| tech_system_info phase_cred_disc –>|performs| tech_software_collect phase_cred_disc –>|performs| tech_hardware_collect phase_lateral –>|establishes| tech_internal_proxy phase_lateral –>|establishes| tech_external_proxy phase_lateral –>|utilizes| tech_protocol_tunnel phase_lateral –>|utilizes| tech_nonstandard_port phase_c2 –>|resolves| tech_dead_drop phase_c2 –>|transmits| tech_one_way phase_c2 –>|encodes| tech_data_encoding "

Attack Flow

Attack Narrative & Commands:
1. Initial Dropper Execution (T1480.002):
  The attacker executes the RushDrop binary, which, as part of its payload, creates a hidden directory named .pkgdb in the current working directory.
```
./RushDrop --install .pkgdb
```
2. Privileged Component Launch (T1569):
  The dropper then spawns SilentRaid with a plugins argument to load malicious modules that establish persistence via system services.
```
sudo ./SilentRaid --load plugins
```
3. Network Discovery (T1016.001):
  Finally, the malware collects routing information to map the internal network:
```
cat /proc/net/route
```
When these three command‑line fragments appear together (or the first two together and the third as an alternative), the Sigma rule condition evaluates to true, generating an alert.

Regression Test Script:

#!/usr/bin/env bash
#
# UAT‑7290 detection validation script
# Simulates the exact command‑line patterns required by the Sigma rule.
#
set -euo pipefail

# 1. Create a temporary working directory
WORKDIR=$(mktemp -d)
cd "$WORKDIR"

# 2. Simulate RushDrop binary
echo -e '#!/usr/bin/env bashnecho "RushDrop executed"' > RushDrop
chmod +x RushDrop

# 3. Execute RushDrop with the .pkgdb argument (creates the folder)
./RushDrop --install .pkgdb
mkdir -p .pkgdb   # mimic dropper behavior

# 4. Simulate SilentRaid binary
echo -e '#!/usr/bin/env bashnecho "SilentRaid loaded plugins"' > SilentRaid
chmod +x SilentRaid

# 5. Execute SilentRaid with plugins argument (requires sudo for realism)
sudo ./SilentRaid --load plugins

# 6. Network discovery command
cat /proc/net/route

# 7. Clean up (optional – keep for manual inspection if needed)
# rm -rf "$WORKDIR"

Cleanup Commands:

# Remove temporary directory and any artifacts created during the test
sudo rm -rf "$WORKDIR"
# Flush auditd queue to ensure no residual events remain
sudo auditctl -D
# Restart auditd to restore default rules
sudo systemctl restart auditd

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.