UAT-7290 long-running telecom espionage campaign
Campaign
Summary
UAT-7290 is conducting a long-running cyber-espionage campaign against telecommunications providers in South Asia, with recent expansion into Southeastern Europe. The operation matters because it seeks deep, persistent access to strategically significant networks. The group targets public-facing edge devices using one-day vulnerabilities and target-specific SSH brute-force. It has also built Operational Relay Box (ORB) infrastructure to turn compromised systems into relay nodes for other China-nexus actors.
Related Happenings
China-nexus agentic tools attack campaign targeting Japanese technology and East Asian cybersecurity organizations
Campaign
First: 11.05.2026 16:00
Last: 11.05.2026 16:00
Sources 1
About this happening:
A **China-nexus actor** used **agentic tools** in a targeted attack against a **Japanese technology firm** and an **East Asian cybersecurity platform**, showing how AI-driven orch...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
Perseus IPTV-lure distribution campaign targeting Europe and the Middle East
Campaign
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** distribution campaign is actively pushing **Android malware** through **phishing sites** and **IPTV-lure apps**, increasing the risk of **device takeover** and **f...
DarkSword iPhone exploit chain exploitation wave
Exploitation Wave
First: 18.03.2026 23:15
Last: 18.03.2026 23:15
Sources 1
About this happening:
**DarkSword** is an **active iPhone exploitation wave** targeting **iOS 18.4 through iOS 18.7**, with **Apple** expanding **iOS 18.7.7** and **iPadOS 18.7.7** to more older device...
Latest development: 02.04.2026 16:30
Apple broadened availability of iOS 18.7.7 and iPadOS 18.7.7 on April 1 to more devices still running iOS 18, including iPhone XR through iPhone 16 models, iPhone SE (2nd and 3rd generation), and multiple iPad models, so they can receive security patches against DarkSword web-based watering hole attacks that can deploy malware after a user visits a compromised website. Apple also began sending lock screen notifications to users running older software, urging installation of the latest security updates.
Timeline
- 08.01.2026 18:00 · 2 articles · 4mo ago
UAT-7290 telecom espionage campaign disclosed
Initial Disclosure
Cisco Talos disclosed a long-running cyber-espionage campaign by UAT-7290 against telecommunications providers in South Asia, with recent expansion into Southeastern Europe. The activity targets high-value telecommunications infrastructure, focuses on gaining deep persistent access, and primarily compromises public-facing edge devices by exploiting one-day vulnerabilities in widely deployed networking products and using target-specific SSH brute-force techniques. The group also established Operational Relay Box (ORB) infrastructure to convert compromised systems into relay nodes for other China-nexus groups, and its tooling includes RushDrop, DriveSwitch, SilentRaid, and Bulbature.
- China-Linked UAT-7290 Targets Telecom Networks in South Asia — www.infosecurity-magazine.com — 08.01.2026 18:00
- New China-linked hackers breach telcos using edge device exploits — www.bleepingcomputer.com — 09.01.2026 01:39