TRENDING TOPICS JAN 09, 2026

UAT-7290 Conducts Espionage and Initial Access Operations Against Telecommunications Infrastructure

Cisco Talos has disclosed a sophisticated China-nexus threat actor tracked as UAT-7290, assessed with high confidence to be conducting long-term espionage operations against high-value telecommunications providers, primarily in South Asia, with recent expansion into Southeastern Europe. Active since at least 2022, UAT-7290 focuses on compromising critical network infrastructure through extensive pre-intrusion reconnaissance, leveraging one-day vulnerabilities in edge networking devices and target-specific SSH brute-force activity to gain initial access. The actor’s operations indicate a dual mandate: maintaining persistent access for intelligence collection while also establishing Operational Relay Box (ORB) infrastructure that can be repurposed by other China-aligned threat groups. This behavior positions UAT-7290 not only as an espionage actor but also as an initial access facilitator within the broader Chinese APT ecosystem. UAT-7290’s tooling consists of a modular Linux-based malware suite, including the RushDrop dropper, the DriveSwitch execution helper, and the SilentRaid backdoor, along with Bulbature implants that convert compromised devices into ORBs. SilentRaid functions as a multifunctional implant with plugin-based capabilities for remote shell access, file manipulation, port forwarding, credential and certificate harvesting, and C2 communications over resolved domains. Technical overlaps with known China-nexus malware families such as RedLeaves, as well as infrastructure links to Bulbature variants previously disclosed by Sekoia, further reinforce attribution. Talos also identified significant overlap in victimology and tooling with Red Foxtrot, a group previously linked to PLA Unit 69010. Organizations should urgently patch and harden public-facing edge devices, disable password-based SSH in favor of key-based authentication, and monitor for anomalous port forwarding or UDP listener activity indicative of ORB infrastructure.

AuthCodeFix (ConsentFix) Abuses OAuth Authorization Code Flow to Bypass Entra Protections

Researchers have disclosed a novel OAuth-based attack technique, AuthCodeFix (also known as ConsentFix), that abuses legitimate Microsoft Entra authentication flows to steal authorization codes and obtain persistent access tokens. First observed in late December 2025, the attack represents an evolution of earlier ClickFix techniques and relies on user interaction rather than exploitation of a software flaw. Threat actors craft Entra login URIs targeting highly trusted first-party applications, such as Microsoft Azure CLI or Azure PowerShell, which already possess broad pre-consented permissions. When a victim authenticates, Entra redirects the browser to a localhost reply URI containing a valid authorization code. Because no local application is listening, the browser errors, but still exposes the full redirect URI, which attackers socially engineer victims into copying, dragging, or otherwise providing. Once obtained, the authorization code can be redeemed within its short validity window to mint access and refresh tokens, effectively granting attackers control over Azure Resource Manager or Microsoft Graph without triggering traditional Conditional Access enforcement. From a defensive perspective, ConsentFix is particularly dangerous because it exploits expected OAuth behavior rather than anomalous sign-in patterns. Detection hinges on correlating interactive and non-interactive sign-in events that share the same SessionId, ApplicationId, and UserId but originate from different IP addresses within a short time window. While Unique Token Identifiers cannot reliably link events, temporal correlation and application targeting provide strong signals, especially when the second token redemption occurs minutes after the initial user sign-in rather than seconds, as seen in legitimate automation. The technique impacts numerous high-privilege Microsoft first-party applications that allow localhost redirect URIs by design, significantly broadening the attack surface. Effective mitigation requires reducing exposure to these apps through user assignment or Conditional Access scoping, enforcing token protection with broker-based proof-of-possession where supported, and monitoring for browser-initiated authorization code redemptions that deviate from expected CLI or WAM-based authentication flows.
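The correlation logic described above, as an added example that is not part of the original report: it pairs an interactive sign-in with a later non-interactive redemption that shares SessionId, ApplicationId and UserId but comes from a different IP, and rates a gap of minutes higher than a gap of seconds. The column names and every log line are constructed samples, not real Entra exports.

```python
"""Flag AuthCodeFix-style authorization code redemption in Entra-style sign-in logs.
Added illustration, not from the original report; the log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, columns: time,user,app,session,ip,interactive
SAMPLE_LOG = """\
2026-01-05T10:00:00,u-alice,azure-cli,sess-1,203.0.113.10,true
2026-01-05T10:04:30,u-alice,azure-cli,sess-1,198.51.100.7,false
2026-01-05T11:00:00,u-bob,azure-cli,sess-2,203.0.113.20,true
2026-01-05T11:00:03,u-bob,azure-cli,sess-2,203.0.113.20,false
2026-01-05T12:00:00,u-carol,azure-ps,sess-3,203.0.113.30,true
2026-01-05T12:00:02,u-carol,azure-ps,sess-3,198.51.100.9,false
"""

@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    app: str
    session: str
    ip: str
    interactive: bool

def parse_log(text):
    """Parse the constructed CSV-style lines into SignIn records."""
    events = []
    for line in text.splitlines():
        t, user, app, session, ip, inter = line.split(",")
        events.append(SignIn(datetime.fromisoformat(t), user, app, session, ip, inter == "true"))
    return events

def correlate(events, window=timedelta(minutes=15), slow_gap=timedelta(seconds=30)):
    """Return (user, app, first_ip, second_ip, gap_seconds, rating) tuples.
    A non-interactive redemption from a different IP within `window` of an interactive
    sign-in on the same user/app/session is suspicious; gaps of minutes (>= slow_gap)
    are rated 'high', a few seconds looks like normal CLI/WAM redemption ('low')."""
    by_key = {}
    for e in events:
        by_key.setdefault((e.user, e.app, e.session), []).append(e)
    findings = []
    for (user, app, _), group in by_key.items():
        group.sort(key=lambda e: e.time)
        for i, first in enumerate(group):
            if not first.interactive:
                continue
            for later in group[i + 1:]:
                gap = later.time - first.time
                if later.interactive or later.ip == first.ip or gap > window:
                    continue
                rating = "high" if gap >= slow_gap else "low"
                findings.append((user, app, first.ip, later.ip, int(gap.total_seconds()), rating))
    return findings
```

Same-IP redemptions (u-bob) are dropped entirely; in a real deployment the window and slow_gap thresholds should be tuned against the tenant's own CLI and automation baseline.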

Update: Kimsuky Adopts QR Code–Based Spearphishing to Bypass Enterprise Email and MFA Controls

The FBI has warned of an evolving spearphishing tactic used by North Korean state-sponsored actors tracked as Kimsuky, who are increasingly leveraging malicious QR codes in targeted campaigns against U.S. and foreign policy-focused organizations. Since at least May 2025, Kimsuky has targeted think tanks, academic institutions, NGOs, and government-affiliated entities with emails impersonating trusted advisors, embassy staff, and internal colleagues. Rather than embedding clickable URLs, these messages contain QR codes that prompt victims to pivot from managed corporate endpoints to personal or unmanaged mobile devices. This technique, known as quishing, evades traditional email security controls such as URL inspection, sandboxing, and link rewriting, while exploiting user trust in mobile workflows. Campaign themes have included questionnaires, secure document access, conference invitations, and policy consultations related to the Korean Peninsula, closely aligning with Kimsuky’s long-standing intelligence-collection priorities. Once scanned, the QR codes redirect victims through attacker-controlled infrastructure that performs device and identity fingerprinting before selectively serving mobile-optimized credential harvesting pages impersonating Microsoft 365, Okta, Google, or VPN portals. Successful credential capture often culminates in session token theft and replay, enabling adversaries to bypass multi-factor authentication and hijack cloud identities without triggering conventional MFA failure alerts. Kimsuky actors have then been observed establishing persistence within compromised environments and conducting follow-on spearphishing from trusted internal mailboxes, expanding access laterally. The FBI emphasizes the need for layered defenses, including user education on QR-based social engineering, mobile device management and URL inspection, phishing-resistant MFA, and enhanced monitoring for anomalous post-authentication behavior linked to mobile-originated access.

Top CVEs of the Week

Top CVEs of the Week – As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.

CVE Security Vulnerability Dashboard

CVE-2026-0625 | Critical | D-Link DSL/DIR/DNS Devices
Tags: AUTHENTICATION BYPASS, UNAUTHENTICATED, END-OF-LIFE
Affects multiple end-of-life D-Link DSL, DIR, and DNS devices and allows an unauthenticated attacker to bypass authentication and modify DNS settings via the exposed dnscfg.cgi endpoint, enabling DNS hijacking and traffic redirection attacks.
Critical Action: Immediately decommission and replace affected D-Link devices, as no security patches are available. Block external access to management interfaces where replacement is not yet possible.

CVE-2026-21858 | Critical | n8n Workflow Automation 1.65.0-1.120.0
Tags: UNAUTHORIZED FILE ACCESS, UNAUTHENTICATED
Impacts the n8n workflow automation platform, where versions 1.65.0 through 1.120.0 allow unauthenticated attackers to access files on the underlying server through vulnerable form-based workflows, enabling sensitive data exposure and potential system reconnaissance.
Mitigation: Upgrade n8n to version 1.121.0 or later immediately and audit publicly accessible workflows to ensure they do not permit unintended file access or data exposure.

CVE-2026-21877 | Critical | n8n Workflow Automation ≤0.121.2
Tags: ARBITRARY CODE EXECUTION, AUTH REQUIRED
Affects n8n versions 0.121.2 and below and allows authenticated attackers to execute arbitrary code through the n8n service, potentially resulting in full compromise of both self-hosted and n8n Cloud environments through malicious workflow configurations.
Mitigation: Upgrade to n8n version 1.121.3 or later, disable the Git node if not required, and restrict platform access to trusted, least-privileged users only.

Dashboard summary: 3 total CVEs, 3 critical severity, 2 unauthenticated, 1 affecting end-of-life products.
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.