A dangerous hacking group known as UAT-7290 has been actively attacking important telecommunications companies and critical infrastructure targets across South Asia since at least 2022.
This advanced threat actor operates with clear signs of Chinese government connections and poses a serious risk to vital communication networks in the region.
The group’s recent expansion into Southeastern Europe shows their growing reach and ambition.
Cisco Talos analysts and researchers identified that UAT-7290 employs a calculated approach to break into targeted systems. The group starts with careful planning and technical reconnaissance to understand their targets before launching attacks.
.webp "UAT-7290 Hackers Attacking Critical Infrastructure Entities in South Asia 2")
They use a mix of different attack methods, including exploiting known security weaknesses and using brute force attacks on systems that face the internet.
The group also functions as an initial access provider, meaning they compromise systems that other hacking groups can later use for their own operations.
UAT-7290’s toolkit includes sophisticated malware designed to work on Linux systems, which powers many edge networking devices.
The malware families tracked by Cisco Talos include RushDrop, a dropper that starts the infection process; DriveSwitch, which helps execute the main malicious software; and SilentRaid, the central program that maintains ongoing access.
These tools show the group’s technical sophistication and their focus on gaining deep control over compromised networks.
Infection process
The infection process reveals the group’s technical expertise. When RushDrop runs on a system, it first checks whether it is operating on a real computer or a test environment to avoid detection.
If the checks pass, RushDrop creates a hidden folder named “.pkgdb” and unpacks three components into this location.
.webp "UAT-7290 Hackers Attacking Critical Infrastructure Entities in South Asia 4")
The process includes extracting “chargen,” which is the SilentRaid implant, along with “busybox,” a legitimate Linux tool that can execute commands on the system.
This step-by-step approach shows how the attackers hide their tools and maintain control without raising immediate suspicion.
SilentRaid operates using a modular plugin system that gives attackers multiple capabilities. The malware can open remote shells, forward internet ports, and manage files on infected systems.
When SilentRaid starts, it communicates with its control server using a domain name and Google’s public DNS service (8.8.8.8) to find the server’s address.
This communication method helps the malware hide its activities within normal-looking internet traffic, making detection harder for network defenders.
The plugin system allows the attackers to mix and match different tools during compilation, giving them flexibility to customize their attacks for each target.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
