SilentRaid
SilentRaid, also known as MystRodX, is a C++-based Linux backdoor and the primary persistent implant used in UAT-7290 intrusions. It is deployed in a staged infection chain alongside RushDrop and DriveSwitch, with reporting indicating RushDrop creates a hidden .pkgdb directory and drops components including daytime, chargen, and busybox; SilentRaid is described as the main implant used to maintain long-term access on compromised systems. The malware communicates with command-and-control infrastructure, including by resolving C2 domains through public DNS resolvers such as Google Public DNS (8.8.8.8), and executes attacker-defined tasks through a modular or plugin-based architecture.
Documented capabilities include remote shell or reverse shell access, command execution, port forwarding, file and socket management, and file operations. Reporting also states it can archive directories with tar, access /etc/passwd, parse or collect X.509 certificate attributes, and collect credential-related data or steal credentials from telecommunications systems. MystRodX-specific reporting further describes configurable TCP or HTTP C2 communications, optional AES-encrypted traffic, layered encryption for configuration and payload elements, and a passive wake-up mode using raw sockets that can be triggered by specially crafted DNS or ICMP packets for stealthy activation.
SilentRaid is associated with the China-linked threat actor UAT-7290, which Cisco Talos assessed as active since at least 2022 and focused on espionage-oriented compromises of public-facing edge devices. The actor primarily targets telecommunications providers and other critical infrastructure in South Asia, with more recent activity extending into Southeastern Europe. SilentRaid is repeatedly described as central to persistence on compromised telecommunications and edge-networking infrastructure. High-confidence indicators and related details mentioned in the source reporting include use of the hidden .pkgdb directory, the dropped component names daytime, chargen, and busybox, DNS-based C2 resolution via 8.8.8.8, and published SHA-256 indicators associated with the broader malware set: 723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200, 59568d0e2da98bad46f0e3165bcf8adadbf724d617ccebcfdaeafbb097b81596, and 961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d.
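As an added defender-side example (not code from the original reporting or from Mallory), the Python helpers below turn two of the documented artefacts into checks: a filesystem walk that finds hidden `.pkgdb` directories holding the component names daytime, chargen and busybox, and a DNS-log filter that flags hosts querying a resolver outside an internal allowlist, which is how the direct use of 8.8.8.8 described above would surface. The log format, hostnames and resolver addresses are constructed assumptions, and the filter generalises from 8.8.8.8 to any non-allowlisted resolver.

```python
"""Added triage helpers for the SilentRaid/RushDrop artefacts described above."""
import os
import re
import tempfile
# Component names that reporting attributes to the RushDrop drop stage.
DROPPED_COMPONENTS = {"daytime", "chargen", "busybox"}
HIDDEN_DIR = ".pkgdb"

def find_pkgdb_dirs(root):
    """Return (path, sorted matching component names) for every .pkgdb directory under root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == HIDDEN_DIR:
            hits.append((dirpath, sorted(DROPPED_COMPONENTS.intersection(filenames))))
    return hits

# Constructed DNS-query log lines in a hypothetical "ts host -> resolver query name" format.
SAMPLE_DNS_LOG = [
    "2024-01-01T10:00:01 edge-rtr-01 -> 10.0.0.53 query time.example.org",
    "2024-01-01T10:00:02 edge-rtr-01 -> 8.8.8.8 query update-check.example.net",
    "2024-01-01T10:00:03 core-sw-02 -> 10.0.0.53 query ntp.example.org",
    "2024-01-01T10:00:04 edge-rtr-03 -> 8.8.8.8 query cdn.example.com",
]
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) query (\S+)$")

def flag_external_resolvers(lines, internal_resolvers):
    """Return (host, resolver, name) for queries sent to a resolver outside the allowlist."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        _ts, host, resolver, qname = m.groups()
        if resolver not in internal_resolvers:
            flagged.append((host, resolver, qname))
    return flagged

def demo_pkgdb_scan():
    """Build a constructed tree mimicking the drop layout, scan it, return root-relative hits."""
    with tempfile.TemporaryDirectory() as root:
        drop = os.path.join(root, "var", "tmp", HIDDEN_DIR)
        os.makedirs(drop)
        for name in ("daytime", "chargen", "busybox", "README"):
            open(os.path.join(drop, name), "w").close()
        os.makedirs(os.path.join(root, "home", "user", ".cache"))  # benign hidden dir, not flagged
        return [(os.path.relpath(p, root), found) for p, found in find_pkgdb_dirs(root)]
```

Run `find_pkgdb_dirs("/")` on a live host to look for the real artefact; the demo function only scans a throwaway tree it builds itself.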
Groups observed using it
2 distinct threat actors attributed by public researchers.
SilentRaid establishes persistent command-and-control access to telecommunications infrastructure, enabling remote shell execution, port forwarding, file manipulation, and credential theft from telecommunications systems.
SilentRaid (aka MystRodX), a C++-based implant that establishes persistent access ... plugin-like approach to communicate with an external server, open a remote shell, set up port forwarding, and perform file operations
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
T1587: Develop Capabilities – UAT-7290 custom telecommunications malware development
Once inside, they deploy a diverse arsenal of tools, including custom Linux malware variants such as RushDrop, DriveSwitch, and SilentRaid (the primary implant for persistence).
Initial Access
2 techniques
UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.
It prioritizes initial access to edge networking devices...
Mitigation: Harden edge networking devices by eliminating default credentials, restricting management exposure, and rapidly patching known one-day vulnerabilities.
Execution
2 techniques
...support capabilities such as command execution, file management, and reverse shell establishment... any evidence of spawned reverse shells.
...support capabilities such as command execution... Monitor for anomalous DNS behavior... along with unusual BusyBox command usage...
Plugin: my_rsh. This plugin opens a remote shell by executing “sh” via either “busybox” or “/bin/sh”. This remote shell is then used to run arbitrary commands on the infected system.
Persistence
2 techniques
UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.
Privilege Escalation
1 technique
Stealth
6 techniques
T1027: Obfuscated Files or Information – UAT-7290 malware obfuscation
T1027.002: Software Packing – Packed telecommunications malware
Remove a file or directory using the “rm” command, via busybox.
T1140: Deobfuscate/Decode Files or Information – Runtime malware unpacking
T1564: Hide Artifacts – Concealment of telecommunications compromise
T1564.001: Hidden Files and Directories – Hidden malware on telecommunications devices
Credential Access
3 techniques
UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.
SilentRaid establishes persistent command-and-control access to telecommunications infrastructure, enabling remote shell execution, port forwarding, file manipulation, and credential theft from telecommunications systems.
T1552.001: Credentials In Files – Harvesting telecommunications configuration credentials
Discovery
3 techniques
T1016: System Network Configuration Discovery – Telecommunications network mapping
T1082: System Information Discovery – Telecommunications system enumeration
Plugin: my_file_mgr. This is the file manager of the backdoor. It allows SilentRaid to: read contents of “/etc/passwd” ... check if a file is accessible ... read/write a specified file.
Lateral Movement
1 technique
UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.
Collection
1 technique
T1005: Data from Local System – Intelligence collection from telecommunications infrastructure
Command and Control
12 techniques
SilentRaid communicates with its C2 server, usually in the form of a domain, and can carry out actions as instructed by the C2.
T1071.001: Web Protocols – HTTP/HTTPS C2 channels
Plugin: my_socks_mgr. This plugin handles communication to the C2 server. It obtains the C2 IP by resolving a domain using “8[.]8[.]8[.]8” and passes commands received from the C2 to the appropriate plugin.
SilentRaid operates using a modular plugin system that gives attackers multiple capabilities. The malware can open remote shells, forward internet ports, and manage files on infected systems.
These plugins enable remote shells, file access, port forwarding, command execution, and data collection
RushDrop then decodes and drops three binaries to the “.pkgdb” folder: “daytime” ... tracked as DriveSwitch; “chargen” ... tracked as SilentRaid; “busybox”: Busybox is a legitimate Linux utility that can be used to execute arbitrary commands on the system.
T1132: Data Encoding – Encoded telecommunications C2 traffic
SilentRaid is the main implant in the intrusion meant to establish persistent access to compromised endpoints. It communicates with its command-and-control server (C2) and carries out tasks defined in the malware.
When SilentRaid starts, it communicates with its control server using a domain name and Google’s public DNS service (8.8.8.8) to find the server’s address.
T1572: Protocol Tunneling – Traffic tunneling through telecommunications infrastructure
T1573: Encrypted Channel – Encrypted telecommunications C2 communications
T1573.002: Asymmetric Cryptography – Public key cryptography for telecommunications C2
Exfiltration
1 technique
T1041: Exfiltration Over C2 Channel – Data exfiltration from telecommunications networks
IOCs tracked for this family
17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, in three groups:
- IPs, domains, and DNS infrastructure linked to this family.
- File hashes (MD5, SHA-1, SHA-256) from samples and reports.
- Other indicator types observed in public reporting.
Recent activity
22 sources tracked across advisories, community write-ups, and news.
C++ backdoor supporting file management, port forwarding, reverse shell, and socket management; uses DNS/ICMP triggers for stealthy control (per excerpt).
A malware family referenced as being used in espionage-focused intrusions by UAT-7290.
A specialized Linux backdoor that provides persistent C2 access to compromised telecommunications infrastructure, supporting remote shell execution, port forwarding, file manipulation, and credential theft.
The primary Linux implant in the infection chain, providing command execution, file management, and reverse shell capabilities while communicating with C2 via DNS resolution through public resolvers.