
UAT-7290's ORB Relay Role Expands China-Nexus Initial Access Operations

Threat Actor Meta
Happening score (H score): 42
2 unique sources, 2 articles

Summary


UAT-7290 is being assessed as a dual-role China-nexus actor that combines espionage intrusions with initial access activity, expanding the threat ecosystem beyond a single intrusion set. Its possible use of Operational Relay Box (ORB) nodes matters because that infrastructure can be reused by other actors, increasing downstream access scale and resilience. The actor's operations have targeted telecommunications providers and other organizations across South Asia and Southeastern Europe.

Related Happenings

UAT-8302 government-targeting campaign across South America and southeastern Europe

Campaign
First: 05.05.2026 17:19 Last: 05.05.2026 17:19 Sources 1

About this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...

CL-CRI-1116 / BlackFile overlap with The Com

Threat Actor Meta
First: 27.04.2026 11:15 Last: 27.04.2026 11:15 Sources 1

About this happening: Researchers linked **CL-CRI-1116** to overlapping labels including **BlackFile**, **UNC6671**, and **Cordial Spider**, suggesting the extortion cluster sits inside a broader **The...

UAT-10608 Next.js credential-theft campaign

Campaign
First: 05.04.2026 17:17 Last: 05.04.2026 17:17 Sources 1

About this happening: The **UAT-10608** campaign is rapidly stealing credentials from vulnerable **Next.js** apps after exploitation of **CVE-2025-55182**, exposing cloud accounts and secrets. The oper...

Red Menshen telecom espionage campaign

Campaign
First: 26.03.2026 19:40 Last: 26.03.2026 19:40 Sources 1

About this happening: A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...

DarkSword iPhone exploit chain exploitation wave

Exploitation Wave
First: 18.03.2026 23:15 Last: 18.03.2026 23:15 Sources 1

About this happening: **DarkSword** is an **active iPhone exploitation wave** targeting **iOS 18.4 through iOS 18.7**, with **Apple** expanding **iOS 18.7.7** and **iPadOS 18.7.7** to more older device...

Latest development: 02.04.2026 16:30

Apple broadened availability of iOS 18.7.7 and iPadOS 18.7.7 on April 1 to more devices still running iOS 18, including iPhone XR through iPhone 16 models, iPhone SE (2nd and 3rd generation), and multiple iPad models, so they can receive security patches against DarkSword web-based watering hole attacks that can deploy malware after a user visits a compromised website. Apple also began sending lock screen notifications to users running older software, urging installation of the latest security updates.

Timeline

  1. 08.01.2026 16:54 · 2 articles

    UAT-7290 espionage and ORB activity disclosed

    Initial Disclosure

    Researchers attribute UAT-7290, a China-nexus threat actor active since at least 2022, to espionage-focused intrusions against telecommunications providers and other organizations in South Asia and Southeastern Europe. The actor is described as using extensive reconnaissance, one-day exploits against public-facing edge networking products, and target-specific SSH brute force to gain initial access, then deploying RushDrop, DriveSwitch, SilentRaid, RedLeaves, ShadowPad, and Bulbature while also establishing Operational Relay Box (ORB) nodes that other China-nexus actors may reuse.
