
DriveSwitch

DriveSwitch is a Linux malware component used in the UAT-7290 intrusion set. Cisco Talos describes it as a peripheral malware/loader whose primary role is to execute the main implant, SilentRaid, on infected systems. It appears in a staged infection chain in which RushDrop, the initial dropper, performs anti-analysis checks, creates a hidden .pkgdb directory, and deploys additional components including DriveSwitch and SilentRaid. Reporting consistently places DriveSwitch in espionage-focused intrusions attributed to the China-linked threat actor UAT-7290, active since at least 2022 and targeting telecommunications providers and other critical infrastructure entities primarily in South Asia, with more recent activity in Southeastern Europe. The broader malware suite is Linux-focused and is used after initial access obtained via exploitation of public-facing edge devices and SSH brute-force activity. High-confidence malware family associations are RushDrop and SilentRaid; SilentRaid is the primary persistence implant/backdoor. No DriveSwitch-specific indicators of compromise are directly provided in the content.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

UAT-7290

The telecommunications infection chain starts with RushDrop, a dropper performing anti-analysis checks before deploying the DriveSwitch loader and SilentRaid backdoor components.

Source: hivepro.com

Liminal Panda

DriveSwitch, a peripheral malware that's used to execute SilentRaid on the infected system.

Source: The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

20 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques

T1587 Develop Capabilities (evidence: 1)

T1587: Develop Capabilities – UAT-7290 custom telecommunications malware development

T1587.001 Malware (evidence: 2)

Once inside, they deploy a diverse arsenal of tools, including custom Linux malware variants such as RushDrop, DriveSwitch, and SilentRaid (the primary implant for persistence).

Initial Access

3 techniques

T1078 Valid Accounts (evidence: 1)

UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...

T1133 External Remote Services (evidence: 1)

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

T1190 Exploit Public-Facing Application (evidence: 7)

It prioritizes initial access to edge networking devices... Mitigation: Harden edge networking devices by eliminating default credentials, restricting management exposure, and rapidly patching known one-day vulnerabilities.

Execution

1 technique

T1059 Command and Scripting Interpreter (evidence: 1)

...support capabilities such as command execution... Monitor for anomalous DNS behavior... along with unusual BusyBox command usage...

These components use DNS resolution through public resolvers to reach command-and-control and support capabilities such as command execution, file management, and reverse shell establishment... any evidence of spawned reverse shells.

Persistence

4 techniques

T1078 Valid Accounts (evidence: 1)

UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...

T1133 External Remote Services (evidence: 1)

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

T1543 Create or Modify System Process (evidence: 1)

T1543: Create or Modify System Process – Telecommunications system persistence establishment

T1547 Boot or Logon Autostart Execution (evidence: 1)

SilentRaid serves as the primary implant, designed to establish persistent access to compromised endpoints, communicate with command-and-control infrastructure, and execute tasks defined by the attacker.

Stealth

7 techniques

T1027 Obfuscated Files or Information (evidence: 1)

T1027: Obfuscated Files or Information – UAT-7290 malware obfuscation

T1027.002 Software Packing (evidence: 1)

T1027.002: Software Packing – Packed telecommunications malware

T1036 Masquerading (evidence: 1)

“…deploy three components… and a legitimate BusyBox utility.”

T1078 Valid Accounts (evidence: 1)

UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

T1140: Deobfuscate/Decode Files or Information – Runtime malware unpacking

T1564 Hide Artifacts (evidence: 1)

T1564: Hide Artifacts – Concealment of telecommunications compromise

T1564.001 Hidden Files and Directories (evidence: 2)

T1564.001: Hidden Files and Directories – Hidden malware on telecommunications devices

Credential Access

2 techniques

T1110 Brute Force (evidence: 4)

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

T1110.001 Password Guessing (evidence: 1)

“...and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...”

Discovery

1 technique

T1083 File and Directory Discovery (evidence: 1)

These components use DNS resolution through public resolvers to reach command-and-control and support capabilities such as command execution, file management...

Lateral Movement

1 technique

T1021.004 SSH (evidence: 2)

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

Command and Control

2 techniques

T1071.004 DNS (evidence: 1)

These components use DNS resolution through public resolvers to reach command-and-control...

T1105 Ingress Tool Transfer (evidence: 6)

RushDrop then decodes and drops three binaries to the “.pkgdb” folder: “daytime” ... tracked as DriveSwitch. “chargen” ... tracked as SilentRaid. “busybox” - Busybox is a legitimate Linux utility that can be used to execute arbitrary commands on the system.
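A defender-side hunt for the on-disk footprint named in the summary and in the T1105 excerpt above: a hidden `.pkgdb` directory holding files named `daytime`, `chargen` and `busybox`. This is an added example, not code from Mallory or from the cited reporting; the directory tree it scans is constructed inside the script so it runs offline, and the file contents are placeholders, not real samples.

```python
import os
import tempfile
from pathlib import Path

# Names taken from the report excerpt: daytime (DriveSwitch), chargen
# (SilentRaid) and busybox (bundled legitimate utility).
PKGDB_DIR = ".pkgdb"
DROPPED_NAMES = {"daytime", "chargen", "busybox"}


def find_pkgdb_drops(root):
    """Walk `root` and return (pkgdb_path, matched_names) for every hidden
    .pkgdb directory found. matched_names lists which of the dropped file
    names are present (sorted, so output is stable); an empty list still
    means a .pkgdb directory exists and is worth a look."""
    findings = []
    for dirpath, dirnames, _filenames in os.walk(root):
        if PKGDB_DIR not in dirnames:
            continue
        pkgdb = os.path.join(dirpath, PKGDB_DIR)
        try:
            present = set(os.listdir(pkgdb))
        except OSError:
            continue  # unreadable or removed mid-walk: skip, keep walking
        findings.append((pkgdb, sorted(DROPPED_NAMES & present)))
    return findings


def build_sample_tree():
    """Constructed layout for demonstration only: one benign hidden
    directory and one .pkgdb containing the three dropped names."""
    root = tempfile.mkdtemp(prefix="pkgdb-hunt-")
    Path(root, "home", "user", ".cache").mkdir(parents=True)
    drop = Path(root, "tmp", PKGDB_DIR)
    drop.mkdir(parents=True)
    for name in DROPPED_NAMES:
        # Placeholder bytes, not malware; only the file name matters here.
        (drop / name).write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, names in find_pkgdb_drops(sample_root):
        severity = "HIGH" if names else "REVIEW"
        print(f"[{severity}] hidden {PKGDB_DIR} at {path}; "
              f"dropped names present: {names or 'none'}")
```

Point `find_pkgdb_drops` at `/` (or at the writable paths an edge device exposes) to run it against a live host; a hit with all three names is the staged drop the report describes.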

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes

3 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports. The three tracked indicators are SHA-256 hashes, each last sighted 5 months ago; their values are not shown on this page.