China-Linked Hackers Deploy Custom Linux Malware Against Telecoms in Espionage Campaign
A newly attributed China-nexus threat actor designated UAT-7290 has been conducting espionage operations against telecommunications providers in South Asia and organizations in Southeastern Europe since at least 2022.
According to research published recently by Cisco Talos, the group employs a sophisticated multi-stage attack chain combining open-source tools, custom malware, and exploits for recently patched vulnerabilities in edge networking devices.
Dual-Purpose Operations
What makes UAT-7290 particularly notable is its dual role in the Chinese threat ecosystem. Beyond traditional espionage, the group establishes Operational Relay Box (ORB) nodes on compromised infrastructure—proxy networks that other China-aligned actors can leverage for their own operations.
"Their tactics, techniques, and procedures and tooling suggest that this actor also establishes ORB nodes," Cisco Talos researchers stated. "The ORB infrastructure may then be used by other China-nexus actors in their malicious operations."
Custom Linux Malware Suite
UAT-7290 primarily deploys a Linux-based toolkit consisting of three core components:
| Malware | Function |
|---|---|
| RushDrop | Dropper that initiates the infection chain |
| DriveSwitch | Peripheral loader for deploying SilentRaid |
| SilentRaid | C++ implant for persistence, remote shell, port forwarding |
The group also utilizes well-known Chinese APT tools including RedLeaves and ShadowPad on Windows targets, along with Bulbature—a backdoor specifically designed to convert compromised edge devices into ORB nodes.
Initial Access Tactics
Rather than developing custom exploits, UAT-7290 relies on publicly available proof-of-concept code for one-day (already patched) vulnerabilities in edge devices. The group conducts extensive reconnaissance before attacks and uses SSH brute-forcing against public-facing infrastructure to gain initial access.
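The SSH brute-forcing mentioned above leaves a recognisable trail in sshd logs on the targeted host. The following script is an added example (not code from the Cisco Talos report or from this article): it parses standard OpenSSH "Failed password" / "Accepted" syslog lines, applies a sliding window per source address, and flags sources that exceed a failure threshold, noting whether a successful login followed the failures. The log lines, hostnames, addresses, thresholds and the assumed year are all constructed for illustration.

```python
"""Flag SSH brute-force attempts from OpenSSH auth log lines.

Added example, not part of the Cisco Talos research or the article. It assumes
the default OpenSSH syslog format; the sample lines, threshold and window are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as written by OpenSSH.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample lines: 192.0.2.10 hammers several accounts and then
# succeeds; 198.51.100.7 is one legitimate failure followed by a key login.
SAMPLE_LOG = """\
Mar  3 02:14:01 edge-gw sshd[4021]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  3 02:14:03 edge-gw sshd[4022]: Failed password for invalid user admin from 192.0.2.10 port 51024 ssh2
Mar  3 02:14:05 edge-gw sshd[4023]: Failed password for invalid user oracle from 192.0.2.10 port 51026 ssh2
Mar  3 02:14:06 edge-gw sshd[4024]: Failed password for root from 192.0.2.10 port 51028 ssh2
Mar  3 02:14:08 edge-gw sshd[4025]: Failed password for invalid user test from 192.0.2.10 port 51030 ssh2
Mar  3 02:14:09 edge-gw sshd[4026]: Accepted password for root from 192.0.2.10 port 51032 ssh2
Mar  3 02:20:11 edge-gw sshd[4100]: Failed password for ops from 198.51.100.7 port 40012 ssh2
Mar  3 02:20:15 edge-gw sshd[4101]: Accepted publickey for ops from 198.51.100.7 port 40013 ssh2
"""

YEAR = 2025  # syslog timestamps carry no year; assumed value for parsing only


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines that are not auth events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=300):
    """Return {ip: info} for sources with >= threshold failures inside one window.

    info holds the total failure count, the distinct usernames tried, and
    whether an accepted login followed the failures (the case that matters
    most on an edge device, since it means the guessing worked).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            events[parsed[3]].append(parsed)

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        # Sliding window over the failure timestamps for this source.
        start = 0
        for end in range(len(failures)):
            while (failures[end][0] - failures[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = failures[end][0]
                success_after = any(e[1] == "Accepted" and e[0] >= last_fail for e in evs)
                flagged[ip] = {
                    "failures": len(failures),
                    "users": sorted({e[2] for e in failures}),
                    "success_after": success_after,
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh` output) the same function works unchanged; the `success_after` flag is the one worth paging on, since a burst of failures followed by an accepted login from the same address is the signature of a successful guess rather than a noisy scanner.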
Attribution Links
Cisco Talos identified tactical and infrastructure overlaps with established Chinese threat actors Stone Panda and RedFoxtrot (also tracked as Nomad Panda). Palo Alto Networks Unit 42 tracks related activity as CL-STA-0969.
Tags: APT, China, UAT-7290, Espionage, Telecommunications, Linux Malware