UAT-7290's ORB Relay Role Expands China-Nexus Initial Access Operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
UAT-7290 is being assessed as a dual-role China-nexus actor that combines espionage intrusions with initial access activity, expanding the threat ecosystem beyond a single intrusion set. Its possible use of Operational Relay Box (ORB) nodes matters because that infrastructure can be reused by other actors, increasing downstream access scale and resilience. The actor's operations have targeted telecommunications providers and other organizations across South Asia and Southeastern Europe.
Related Happenings
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor Meta
H score29
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
About this happening:
**UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor MetaAbout this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
UAT-7810 Operational Relay Box network-building campaign
Campaign
H score39
First: 08.07.2026 12:04
Last: 08.07.2026 12:04
Sources 1
About this happening:
An **ongoing UAT-7810 campaign** is expanding **Operational Relay Box (ORB) networks** by breaking into **internet-facing networking devices**, increasing relay capacity for downs...
UAT-7810 Operational Relay Box network-building campaign
CampaignAbout this happening: An **ongoing UAT-7810 campaign** is expanding **Operational Relay Box (ORB) networks** by breaking into **internet-facing networking devices**, increasing relay capacity for downs...
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
Campaign
H score18
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
CampaignAbout this happening: A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
H score28
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
UAT-8302 government-targeting campaign across South America and southeastern Europe
CampaignAbout this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
CL-CRI-1116 / BlackFile overlap with The Com
Threat Actor Meta
H score31
First: 27.04.2026 11:15
Last: 27.04.2026 11:15
Sources 1
About this happening:
Researchers linked **CL-CRI-1116** to overlapping labels including **BlackFile**, **UNC6671**, and **Cordial Spider**, suggesting the extortion cluster sits inside a broader **The...
CL-CRI-1116 / BlackFile overlap with The Com
Threat Actor MetaAbout this happening: Researchers linked **CL-CRI-1116** to overlapping labels including **BlackFile**, **UNC6671**, and **Cordial Spider**, suggesting the extortion cluster sits inside a broader **The...
Timeline
-
08.01.2026 16:54 2 articles · 6mo ago
UAT-7290 espionage and ORB activity disclosed
Initial DisclosureResearchers attribute UAT-7290, a China-nexus threat actor active since at least 2022, to espionage-focused intrusions against telecommunications providers and other organizations in South Asia and Southeastern Europe. The actor is described as using extensive reconnaissance, one-day exploits against public-facing edge networking products, and target-specific SSH brute force to gain initial access, then deploying RushDrop, DriveSwitch, SilentRaid, RedLeaves, ShadowPad, and Bulbature while also establishing Operational Relay Box (ORB) nodes that other China-nexus actors may reuse.
Show sources
- China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes — thehackernews.com — 08.01.2026 16:54
- New China-linked hackers breach telcos using edge device exploits — www.bleepingcomputer.com — 09.01.2026 01:39