RushDrop
RushDrop, also known as ChronosRAT, is a Linux malware component used by the China-nexus threat actor UAT-7290 in espionage-focused intrusions. Cisco Talos describes it as the initial dropper that starts a staged infection chain targeting primarily telecommunications providers and other critical infrastructure entities in South Asia, with more recent activity extending into Southeastern Europe. UAT-7290 is reported to gain access through exploitation of public-facing edge networking devices using one-day vulnerabilities and target-specific SSH brute-force attacks.
RushDrop performs anti-analysis or anti-VM checks and may delete itself if those checks fail. When execution proceeds, it creates or verifies a hidden .pkgdb directory on the compromised Linux system and decodes or drops embedded binaries into that directory, including daytime, chargen, and busybox. The daytime component is associated with DriveSwitch, which helps execute the next-stage payload, while chargen corresponds to the SilentRaid implant, the primary persistence backdoor in the intrusion chain. BusyBox, a legitimate Linux utility, is abused for command execution.
The content consistently places RushDrop within a broader Linux malware suite used by UAT-7290 alongside DriveSwitch and SilentRaid. In this role, RushDrop functions as the infection initiator rather than the main persistence implant. Some cited reporting also refers to ChronosRAT as a modular Linux RAT with AES-encrypted TCP command-and-control, dynamic RSA key updates, and capabilities including remote shell, keylogging, screenshots, port forwarding, file management, SOCKS proxying, and watchdog-based persistence; however, the most consistently supported characterization in the provided content is that RushDrop/ChronosRAT serves as the initial dropper in the UAT-7290 infection chain.
High-confidence indicators and artifacts directly associated in the content include the hidden .pkgdb directory; dropped filenames daytime, chargen, and busybox; and published SHA-256 indicators 723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200, 59568d0e2da98bad46f0e3165bcf8adadbf724d617ccebcfdaeafbb097b81596, and 961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d. Cisco Talos states that ClamAV signatures Unix.Dropper.Agent, Unix.Malware.Agent, and Unix.Packed.Agent, as well as Snort SID 65124, detect this threat.
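The artifacts listed above (a hidden .pkgdb directory, the dropped names daytime, chargen and busybox, and three SHA-256 values) are enough to build a simple host-side hunt. The following Python is an added example, not code from Cisco Talos or Mallory: it walks a set of directory roots chosen by the caller, reports every file found inside any directory named .pkgdb, flags whether the file name is one of the reported dropped names, and checks its SHA-256 against the published indicators. The constructed directory tree built by build_constructed_tree() is filler for demonstration only and does not contain real samples, so its digests will not match the published hashes.

```python
"""Host-side hunt for the RushDrop drop artifacts described in the write-up.

Added example, not code from Cisco Talos or Mallory. It relies only on what
the write-up states: a hidden ".pkgdb" directory, dropped files named
"daytime", "chargen" and "busybox", and three published SHA-256 values.
The directory roots to scan are the caller's choice.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# SHA-256 indicators as published in the write-up.
IOC_SHA256: Set[str] = {
    "723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200",
    "59568d0e2da98bad46f0e3165bcf8adadbf724d617ccebcfdaeafbb097b81596",
    "961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d",
}

# File names RushDrop is reported to drop into the hidden directory.
DROPPED_NAMES = {"daytime", "chargen", "busybox"}
HIDDEN_DIR = ".pkgdb"


@dataclass
class Finding:
    path: str          # absolute path of a file inside a .pkgdb directory
    name: str          # bare file name
    name_match: bool   # name is one of the reported dropped names
    sha256: str        # hex digest of the file contents
    hash_match: bool   # digest is in the IOC set used for the hunt


def sha256_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_pkgdb(roots: Iterable[str], ioc_hashes: Set[str] = IOC_SHA256) -> List[Finding]:
    """Walk each root (without following symlinks) and inspect every .pkgdb directory.

    Every regular file inside such a directory is reported, because a hidden
    .pkgdb directory is itself an indicator; name_match and hash_match let the
    caller rank findings by how closely they fit the published description.
    """
    findings: List[Finding] = []
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            if HIDDEN_DIR not in dirnames:
                continue
            pkgdb = os.path.join(dirpath, HIDDEN_DIR)
            for entry in sorted(os.listdir(pkgdb)):
                full = os.path.join(pkgdb, entry)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                try:
                    digest = sha256_of_file(full)
                except OSError:
                    continue  # unreadable file; skip rather than abort the hunt
                findings.append(Finding(
                    path=os.path.abspath(full),
                    name=entry,
                    name_match=entry in DROPPED_NAMES,
                    sha256=digest,
                    hash_match=digest in ioc_hashes,
                ))
    return findings


def build_constructed_tree() -> Tuple[str, str]:
    """Create a throwaway tree imitating the reported layout (constructed, not real samples).

    Returns the root and the digest of the filler payload so a caller can
    exercise the hash-match path against its own IOC set.
    """
    root = tempfile.mkdtemp(prefix="rushdrop-hunt-")
    pkgdb = os.path.join(root, "tmp", HIDDEN_DIR)
    os.makedirs(pkgdb)
    payload = b"constructed filler, not malware\n"
    for name in sorted(DROPPED_NAMES):
        with open(os.path.join(pkgdb, name), "wb") as f:
            f.write(payload)
    with open(os.path.join(pkgdb, "notes.txt"), "wb") as f:
        f.write(b"unrelated file\n")
    return root, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    demo_root, _ = build_constructed_tree()
    for finding in hunt_pkgdb([demo_root]):
        tag = "IOC-HASH" if finding.hash_match else ("NAME" if finding.name_match else "other")
        print(f"[{tag}] {finding.path} {finding.sha256}")
```

On a real host you would pass roots such as / or the mount points where the affected devices keep writable storage; the hash check confirms only the three published samples, so a name match inside a .pkgdb directory with a non-matching hash should still be triaged as a likely variant rather than dismissed.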
Groups observed using it
2 distinct threat actors attributed by public researchers.
The telecommunications infection chain starts with RushDrop, a dropper performing anti-analysis checks before deploying the DriveSwitch loader and SilentRaid backdoor components.
ChronosRAT: A modular Linux RAT that ensures persistence via a watchdog process. It includes AES-encrypted TCP C2, dynamic RSA key updates, and modules for remote shell, keylogging, screenshots, port forwarding, file management, and SOCKS proxy.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (2 techniques)
T1587: Develop Capabilities – UAT-7290 custom telecommunications malware development
Once inside, they deploy a diverse arsenal of tools, including custom Linux malware variants such as RushDrop, DriveSwitch, and SilentRaid (the primary implant for persistence).
Initial Access (3 techniques)
UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...
UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.
It prioritizes initial access to edge networking devices... Mitigation Harden edge networking devices by eliminating default credentials, restricting management exposure, and rapidly patching known one-day vulnerabilities.
Execution (1 technique)
SilentRaid (aka MystRodX), a C++-based implant that establishes persistent access to compromised endpoints and employs a plugin-like approach to communicate with an external server, open a remote shell
Persistence (4 techniques)
UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...
UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.
T1543: Create or Modify System Process – Telecommunications system persistence establishment
Privilege Escalation (4 techniques)
ChronosRAT, a modular ELF binary that's capable of shellcode execution
UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...
T1543: Create or Modify System Process – Telecommunications system persistence establishment
Stealth (9 techniques)
T1027: Obfuscated Files or Information – UAT-7290 malware obfuscation
T1027.002: Software Packing – Packed telecommunications malware
ChronosRAT, a modular ELF binary that's capable of shellcode execution
UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...
T1140: Deobfuscate/Decode Files or Information – Runtime malware unpacking
The telecommunications infection chain starts with RushDrop, a dropper performing anti-analysis checks before deploying the DriveSwitch loader and SilentRaid backdoor components.
T1497.001: System Checks – Environment detection in telecommunications systems
T1564: Hide Artifacts – Concealment of telecommunications compromise
T1564.001: Hidden Files and Directories – Hidden malware on telecommunications devices
Credential Access (2 techniques)
ChronosRAT, a modular ELF binary that's capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy.
UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.
Discovery (3 techniques)
ChronosRAT, a modular ELF binary that's capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy.
Lateral Movement (1 technique)
UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.
Collection (2 techniques)
ChronosRAT, a modular ELF binary that's capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy.
Command and Control (3 techniques)
ChronosRAT, a modular ELF binary that's capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy.
SilentRaid (aka MystRodX) ... open a remote shell, set up port forwarding, and perform file operations
RushDrop then decodes and drops three binaries to the “.pkgdb” folder: “daytime” ... tracked as DriveSwitch. “chargen” ... tracked as SilentRaid. “busybox” - Busybox is a legitimate Linux utility that can be used to execute arbitrary commands on the system.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
19 sources tracked across advisories, community write-ups, and news.
Malware family deployed in espionage-focused intrusions attributed to UAT-7290; details not provided in excerpt.
A malware family referenced as being used in espionage-focused intrusions by UAT-7290.
A specialized Linux-based dropper used by UAT-7290 on telecommunications edge devices. It performs anti-analysis checks and deploys additional malware components including DriveSwitch and SilentRaid.
A Linux dropper used at the start of a staged infection chain; it creates a hidden .pkgdb directory and deploys subsequent payload stages.