China-linked threat actor UAT-7290 has conducted espionage attacks since at least 2022, targeting South Asia and Southeastern Europe. UAT-7290 primarily targets telecom providers; it conducts espionage by embedding itself deeply in victim networks and also operates Operational Relay Box (ORB) infrastructure that is later reused by other China-nexus actors, suggesting a dual role as both an espionage actor and an initial-access provider. The threat actor uses a broad toolset, including open-source tools, custom malware, and one-day exploits against edge networking devices, favoring Linux malware but also deploying Windows implants such as RedLeaves and ShadowPad. Attacks are preceded by extensive reconnaissance and rely on proof-of-concept (PoC) exploits and SSH brute force. Its TTPs, infrastructure, and victimology overlap with known China-aligned groups such as APT10 and Red Foxtrot, which is linked to PLA Unit 69010.
China-linked UAT-7290 spies on telco in South Asia and Europe using modular malware