
UAT-7290 Linux malware suite targets edge devices with ORB tooling

Malware Activity
Happening score: 39
1 unique source, 1 article

Summary


UAT-7290 is actively using a Linux-based malware suite to compromise public-facing edge devices and support telco cyber-espionage. The group relies on one-day exploits and target-specific SSH brute force to gain initial access, then uses ORB infrastructure to extend its operational reach. The activity has broadened into Southeastern Europe while remaining focused on telecommunications targets.

Related Happenings

UAT-8302 government-targeting campaign across South America and southeastern Europe

Campaign
First: 05.05.2026 17:19 Last: 05.05.2026 17:19 Sources 1

About this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...

DarkSword iPhone exploit chain exploitation wave

Exploitation Wave
First: 18.03.2026 23:15 Last: 18.03.2026 23:15 Sources 1

About this happening: **DarkSword** is an **active iPhone exploitation wave** targeting **iOS 18.4 through iOS 18.7**, with **Apple** expanding **iOS 18.7.7** and **iPadOS 18.7.7** to more older device...

Latest development: 02.04.2026 16:30

Apple broadened availability of iOS 18.7.7 and iPadOS 18.7.7 on April 1 to more devices still running iOS 18, including iPhone XR through iPhone 16 models, iPhone SE (2nd and 3rd generation), and multiple iPad models, so they can receive security patches against DarkSword web-based watering hole attacks that can deploy malware after a user visits a compromised website. Apple also began sending lock screen notifications to users running older software, urging installation of the latest security updates.

UAT-9244 South America telecom targeting campaign

Campaign
First: 06.03.2026 01:19 Last: 06.03.2026 01:19 Sources 1

About this happening: UAT-9244 is a China-linked campaign targeting telecommunication providers in South America since 2024. It compromises Windows, Linux, and edge devices to expand access across tele...

Latest development: 06.03.2026 10:22

The first documented phase centers on **TernDoor** targeting **Windows** hosts through **DLL side-loading** with `wsprint.exe` and `BugSplatRc64.dll`. After launch, it loads in memory and establishes persistence through a scheduled task or the Registry Run key.

UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity

Malware Activity
First: 06.03.2026 01:19 Last: 06.03.2026 01:19 Sources 1

About this happening: A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...

CRESCENTHARVEST malicious .LNK espionage campaign targeting Iran protest supporters

Campaign
First: 19.02.2026 10:13 Last: 19.02.2026 10:13 Sources 1

About this happening: The **CRESCENTHARVEST** campaign is using **malicious .LNK files** and social engineering to target **supporters of Iran's ongoing protests** for **information theft** and **long-...

Timeline

  1. 09.01.2026 01:39 · 2 articles

    Cisco Talos discloses UAT-7290 Linux malware activity

    Initial Disclosure

    Cisco Talos publicly details UAT-7290, a China-linked threat actor active since at least 2022 that targets telecommunications providers in South Asia and has broadened operations to organizations in Southeastern Europe. The activity uses one-day exploits and target-specific SSH brute force against public-facing edge devices, then deploys a Linux-based malware suite that includes RushDrop (ChronosRAT), DriveSwitch, SilentRaid (MystRodX), and Bulbature to gain access, maintain persistence, and convert compromised systems into Operational Relay Boxes (ORBs). The disclosure also provides indicators of compromise, including the Bulbature TLS certificate associated with 141 China- and Hong Kong-based hosts.
