blog.talosintelligence.com/uat-7290/
Cisco Talos has disclosed a sophisticated threat actor tracked as UAT-7290, which has been active since at least 2022.
UAT-7290 is assessed to be responsible for gaining initial access and conducting espionage-focused intrusions against critical infrastructure entities in South Asia.
The group’s toolkit includes a malware family comprising implants referred to as RushDrop, DriveSwitch, and SilentRaid.
Cisco Talos’ findings indicate that UAT-7290 conducts extensive technical reconnaissance of target organizations prior to executing intrusions.
Researchers observed technical indicators overlapping with RedLeaves, a malware family attributed to APT10 (also known as MenuPass, POTASSIUM, and Purple Typhoon), as well as infrastructure associated with ShadowPad, a malware family used by multiple China-nexus threat actors. In addition, UAT-7290 shares significant overlap in victimology, infrastructure, and tooling with a group publicly reported by Recorded Future as Red Foxtrot. In a 2021 report, Recorded Future linked Red Foxtrot to Chinese People’s Liberation Army Unit 69010.
