At least one organization in Southeastern Europe
January 8, 2026
• [cyber espionage, vulnerability exploitation, SSH brute force]
BleepingComputer reported on Cisco Talos research describing a sophisticated China-nexus actor tracked as UAT-7290 that targets telecommunications providers, historically in South Asia and recently expanding into Southeastern Europe. The group was described as conducting extensive reconnaissance and using one-day exploits plus target-specific SSH brute force to compromise public-facing edge devices for initial access and privilege escalation. Talos reported that the actor deploys a primarily Linux-based malware suite (with occasional Windows implants) and establishes Operational Relay Box (ORB) infrastructure that can be used by other China-aligned threat actors. The report covers the campaign as a whole and does not give a breach date for any single named victim.