Find notable cyber news and cases, enriched with sources, timelines, and signals.

UAT-7290's ORB Relay Role Expands China-Nexus Initial Access Operations

Threat Actor Meta
First reported
Last updated
Happening score
H score 32
2 unique sources, 2 articles

Summary

Hide ▲

UAT-7290 is being assessed as a dual-role China-nexus actor that combines espionage intrusions with initial access activity, expanding the threat ecosystem beyond a single intrusion set. Its possible use of Operational Relay Box (ORB) nodes matters because that infrastructure can be reused by other actors, increasing downstream access scale and resilience. The actor's operations have targeted telecommunications providers and other organizations across South Asia and Southeastern Europe.

Related Happenings

UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure

Threat Actor Meta
H score29 First: 08.07.2026 17:30 Last: 08.07.2026 17:30 Sources 1

About this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...

UAT-7810 Operational Relay Box network-building campaign

Campaign
H score39 First: 08.07.2026 12:04 Last: 08.07.2026 12:04 Sources 1

About this happening: An **ongoing UAT-7810 campaign** is expanding **Operational Relay Box (ORB) networks** by breaking into **internet-facing networking devices**, increasing relay capacity for downs...

CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT

Campaign
H score18 First: 26.06.2026 13:30 Last: 26.06.2026 13:30 Sources 1

About this happening: A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...

UAT-8302 government-targeting campaign across South America and southeastern Europe

Campaign
H score28 First: 05.05.2026 17:19 Last: 05.05.2026 17:19 Sources 1

About this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...

CL-CRI-1116 / BlackFile overlap with The Com

Threat Actor Meta
H score31 First: 27.04.2026 11:15 Last: 27.04.2026 11:15 Sources 1

About this happening: Researchers linked **CL-CRI-1116** to overlapping labels including **BlackFile**, **UNC6671**, and **Cordial Spider**, suggesting the extortion cluster sits inside a broader **The...

Timeline

  1. 08.01.2026 16:54 2 articles · 6mo ago

    UAT-7290 espionage and ORB activity disclosed

    Initial Disclosure

    Researchers attribute UAT-7290, a China-nexus threat actor active since at least 2022, to espionage-focused intrusions against telecommunications providers and other organizations in South Asia and Southeastern Europe. The actor is described as using extensive reconnaissance, one-day exploits against public-facing edge networking products, and target-specific SSH brute force to gain initial access, then deploying RushDrop, DriveSwitch, SilentRaid, RedLeaves, ShadowPad, and Bulbature while also establishing Operational Relay Box (ORB) nodes that other China-nexus actors may reuse.

    Show sources