Bulbature
Bulbature is a Linux-based, usually UPX-packed implant/backdoor used to convert compromised devices, particularly edge networking devices and telecommunications systems, into Operational Relay Boxes (ORBs) or other relay infrastructure. It has been associated with the China-linked threat actor UAT-7290 and was first publicly documented by Sekoia in October 2024. Reported deployment centers on compromised public-facing edge networking devices and telecommunications infrastructure, especially in South Asia, with more recent activity extending into Southeastern Europe.
High-confidence capabilities described in the source material include listening on a configurable or random port, opening a reverse shell to execute arbitrary commands, storing command-and-control (C2) configuration in /tmp/*.cfg, rotating between multiple C2 addresses, carrying hardcoded or encoded C2 data, gathering system information, and communicating with the C2 over TLS using a recurring self-signed certificate. Cisco Talos reported that a recent Bulbature variant embedded a self-signed certificate with serial number 81bab2934ee32534 and SHA-256 hash (fingerprint) 918fb8af4998393f5195bafaead7c9ba28d8f9fb0853d5c2d75f10e35be8015a, and that the same certificate recurs across numerous Chinese-hosted systems; Censys data cited in the content showed it on at least 141 hosts in China or Hong Kong.
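The recurring certificate is the most portable network indicator on this page, so a practitioner will want to check it against what their own edge devices actually present. The Python below is an added example, not code from Talos, Sekoia or Mallory: it extracts the serial number and SHA-256 from a DER certificate with a minimal ASN.1 walk and compares both to the values reported above, with an optional live fetch that deliberately skips validation because the target is self-signed. Only the serial and hash come from the page; the parser, the fetch helper and the sample certificate skeleton are constructed for the example, and it assumes the published hash is the usual fingerprint over the certificate's DER encoding.

```python
"""Check TLS certificates against the recurring Bulbature certificate.

Added example; not Talos, Sekoia or Mallory code. Only the serial number and
SHA-256 below come from the page. The DER walk, the fetch helper and the
constructed sample are this example's own, and the hash is assumed to be the
standard fingerprint over the certificate's DER encoding.
"""
import hashlib
import ssl
import sys

BULBATURE_CERT_SHA256 = "918fb8af4998393f5195bafaead7c9ba28d8f9fb0853d5c2d75f10e35be8015a"
BULBATURE_CERT_SERIAL = "81bab2934ee32534"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def cert_serial_hex(der):
    """Return the serialNumber as lowercase hex, the way openssl and Talos print it.

    Walks Certificate -> tbsCertificate -> [0] version (optional) -> INTEGER.
    Converting through int drops the 0x00 pad DER adds when the top bit is set,
    which is the case for 0x81... here."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                          # EXPLICIT [0] version is present
        tag, value, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("missing serialNumber")
    return format(int.from_bytes(value, "big"), "x")


def cert_sha256(der):
    """SHA-256 over the whole DER certificate (openssl x509 -fingerprint -sha256)."""
    return hashlib.sha256(der).hexdigest()


def check_cert(der):
    """Compare one certificate with the published indicators.

    A SHA-256 match pins the exact certificate. A serial-only match means a
    different certificate reusing the serial: triage it, do not alert on it alone."""
    sha, serial = cert_sha256(der), cert_serial_hex(der)
    return {
        "sha256": sha,
        "serial": serial,
        "sha256_match": sha == BULBATURE_CERT_SHA256,
        "serial_match": serial == BULBATURE_CERT_SERIAL,
    }


def fetch_leaf_cert_der(host, port):
    """Fetch the leaf certificate a server presents, without validation
    (ca_certs=None gives CERT_NONE, which a self-signed target requires)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def _der(tag, value):
    """Short-form DER TLV encoder (value under 128 bytes), used for the sample only."""
    return bytes([tag, len(value)]) + value


# Constructed sample: a bare tbsCertificate skeleton carrying the reported serial.
# It is NOT the real certificate, so its SHA-256 must not match the indicator.
_TBS = (
    _der(0xA0, _der(0x02, b"\x02"))                                # version v3
    + _der(0x02, b"\x00" + bytes.fromhex(BULBATURE_CERT_SERIAL))   # serialNumber
)
SAMPLE_DER = _der(0x30, _der(0x30, _TBS))


if __name__ == "__main__":
    if len(sys.argv) == 3:                   # usage: python3 hunt_cert.py <host> <port>
        der = fetch_leaf_cert_der(sys.argv[1], int(sys.argv[2]))
    else:
        der = SAMPLE_DER
    for k, v in check_cert(der).items():
        print(f"{k}: {v}")
```

Run without arguments it exercises the constructed sample, which matches on serial but not on hash; run with a host and port it pulls the live leaf certificate. Keep the hash as the alerting condition and treat a serial-only match as a lead to follow up.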
Sekoia reporting in the provided content further describes Bulbature as a highly obfuscated C-based implant focused on relaying attacks, compiled for multiple architectures including x86-64, ARM, and MIPS, and used on Linux routers and NAS devices, including Asus and Qnap devices. In that reporting, Bulbature is part of a broader ORB infrastructure attributed with high confidence to Chinese operators and is used alongside GobRAT. The content states that compromised devices are repurposed as relay nodes or exit nodes to route attacks against downstream victims and potentially support other China-nexus actors.
Notable indicators and artifacts directly mentioned in the content include /tmp/*.cfg C2 configuration files, the recurring self-signed TLS certificate noted above, and published malware-related hashes associated with the broader UAT-7290 activity: 723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200, 59568d0e2da98bad46f0e3165bcf8adadbf724d617ccebcfdaeafbb097b81596, and 961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d.
Groups observed using it
4 distinct threat actors attributed by public researchers.
After telecommunications infrastructure stabilization, UAT-7290 repurposes compromised telecommunications systems as Operational Relay Boxes through deployment of the Bulbature implant.
Bulbature, an implant that was not yet documented in open source, seems to be only used to transform the compromised edge device into an ORB to relay attacks against final victims' networks.
Also deployed by UAT-7290 is a backdoor called Bulbature that's engineered to transform a compromised edge device into an ORB. It was first documented ... by Sekoia in October 2024.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
4 techniques
their tactics, techniques and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORBs) nodes... The ORB infrastructure may then be used by other China-nexus actors in their malicious operations
T1587: Develop Capabilities – UAT-7290 custom telecommunications malware development
T1587.001: Malware – RushDrop, DriveSwitch, SilentRaid, Bulbature creation
Bulbature functions as an ORB node, listening on configurable ports and using a recurring self-signed certificate that Talos noted across numerous Chinese-hosted systems.
Initial Access
2 techniques
UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...
It prioritizes initial access to edge networking devices...
Mitigation: Harden edge networking devices by eliminating default credentials, restricting management exposure, and rapidly patching known one-day vulnerabilities.
Execution
2 techniques
The malware can open up a reverse shell with its C2 to execute arbitrary commands on the infected system.
Plugin: my_rsh. This plugin opens a remote shell by executing “sh” either via “busybox” or “/bin/sh”. This remote shell is then used to run arbitrary commands on the infected system.
Persistence
1 technique
Privilege Escalation
1 technique
Defense Evasion
6 techniques
T1027: Obfuscated Files or Information – UAT-7290 malware obfuscation
T1027.002: Software Packing – Packed telecommunications malware
T1140: Deobfuscate/Decode Files or Information – Runtime malware unpacking
T1564: Hide Artifacts – Concealment of telecommunications compromise
T1564.001: Hidden Files and Directories – Hidden malware on telecommunications devices
Credential Access
1 technique
Attacks are preceded by extensive reconnaissance and rely on PoC exploits and SSH brute force.
Discovery
6 techniques
Bulbature obtains the local network interface’s name by executing the command: cat /proc/net/route | awk '{print $1,$2}' | awk '/00000000/ {print $1}'
It also obtains basic system information and the current user using the command: echo $(whoami) $(uname -nrm)
Bulbature functions as an ORB node, listening on configurable ports...
Another tool, Bulbature, provides additional backdoor capabilities, gathers system info, manages multiple C2 addresses, and opens reverse shells.
These plugins enable remote shells, file access, port forwarding, command execution, and data collection, including system files and certificate details.
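The two discovery commands quoted above (the default-route interface lookup via /proc/net/route and the echo of whoami and uname -nrm) are distinctive enough to hunt for in process-execution telemetry. The Python below is an added example, not code from Sekoia, Talos or Mallory: it runs per-command-line rules over a few constructed process-start events and then correlates hits per host, since the implant runs both commands together. Only the two command patterns come from the page; the tab-separated event format, the host names, uids and timestamps are invented for the example.

```python
"""Hunt for Bulbature's discovery commands in process-execution telemetry.

Added example, not code from Sekoia, Talos or Mallory. The two command
patterns come from the page; the event format, the hosts, uids and timestamps
are constructed for this example.
"""
import re
from datetime import datetime

# A rule fires only when every one of its patterns matches the same command line.
RULES = {
    # cat /proc/net/route | awk '{print $1,$2}' | awk '/00000000/ {print $1}'
    "bulbature_default_iface_discovery": (
        re.compile(r"/proc/net/route"),
        re.compile(r"\bawk\b"),
        re.compile(r"00000000"),          # destination field of the default route
    ),
    # echo $(whoami) $(uname -nrm)
    "bulbature_sysinfo_echo": (
        re.compile(r"\bwhoami\b"),
        re.compile(r"\buname\s+-nrm\b"),
    ),
}

# Constructed sample events: ISO timestamp, host, uid, command line (tab-separated).
# rtr-01 shows the implant's pair; nas-02 shows admin activity that must not fire.
SAMPLE_EVENTS = (
    "2025-01-10T03:12:44Z\trtr-01\t0\tsh -c cat /proc/net/route | awk '{print $1,$2}' | awk '/00000000/ {print $1}'",
    "2025-01-10T03:12:45Z\trtr-01\t0\tsh -c echo   $(whoami)  $(uname   -nrm)",
    "2025-01-10T03:20:01Z\trtr-01\t0\t/usr/sbin/cron -f",
    "2025-01-10T08:41:09Z\tnas-02\t1000\tuname -a",
    "2025-01-10T08:41:20Z\tnas-02\t1000\tawk '{print $1}' /proc/net/route",
)


def normalize(cmdline):
    """Collapse runs of whitespace so spacing variations do not dodge the patterns."""
    return " ".join(cmdline.split())


def match_rules(cmdline):
    """Return the names of all rules whose every pattern matches cmdline."""
    cmd = normalize(cmdline)
    return [name for name, pats in RULES.items() if all(p.search(cmd) for p in pats)]


def scan_events(events):
    """Parse tab-separated events and return one hit dict per matching rule."""
    hits = []
    for line in events:
        ts, host, uid, cmdline = line.split("\t", 3)
        for rule in match_rules(cmdline):
            hits.append({
                "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                "host": host,
                "uid": int(uid),
                "rule": rule,
                "cmd": normalize(cmdline),
            })
    return hits


def correlate_by_host(hits, window_seconds=60):
    """Hosts on which every rule fired within window_seconds of each other.

    Bulbature issues both commands together, so the pair on one host inside a
    short window is a far stronger signal than either command on its own."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    flagged = []
    for host, host_hits in by_host.items():
        if {h["rule"] for h in host_hits} != set(RULES):
            continue
        times = sorted(h["ts"] for h in host_hits)
        if (times[-1] - times[0]).total_seconds() <= window_seconds:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(h["ts"].isoformat(), h["host"], h["rule"], h["cmd"])
    print("hosts with the full discovery pair:", correlate_by_host(found))
```

Requiring all three patterns for the route lookup is what keeps an administrator's `awk '{print $1}' /proc/net/route` from firing; the 00000000 default-route filter is the part that is specific to the quoted command. Tune the correlation window to how quickly your telemetry pipeline delivers events.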
Lateral Movement
2 techniques
“This remote shell is then used to run arbitrary commands on the infected system.”; “Bulbature can open up a reverse shell with its C2...”
...leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices...
Command and Control
9 techniques
SilentRaid communicates with its C2 server, usually in the form of a domain and can carry out action as instructed by the C2.
Bulbature, first disclosed by Sekoia in late 2024, is an implant that is used to convert compromised devices into ORBs.
T1090.002: External Proxy – Operational Relay Box functionality
their tactics, techniques and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORBs) nodes. The ORB infrastructure may then be used by other China-nexus actors in their malicious operations
SilentRaid – The main implant in the intrusion meant to establish persistent access to compromised endpoints.
Usually UPX compressed, Bulbature can bind to and listen on either a random port of its choosing or one specified on the command line via the “-d <port_number>” switch.
T1572: Protocol Tunneling – Traffic tunneling through telecommunications infrastructure
A recent variant of Bulbature contained an embedded self-signed certificate that it used for communicating with the C2.
T1573.002: Asymmetric Cryptography – Public key cryptography for telecommunications C2
IOCs tracked for this family
17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
An implant used to convert compromised telecommunications systems into Operational Relay Boxes that anonymize and route traffic for subsequent cyber operations.
A Linux tool that functions as an Operational Relay Box node, listening on configurable ports and relaying traffic as part of ORB infrastructure.
Backdoor used to convert compromised devices into Operational Relay Boxes (ORBs) for reuse as relay infrastructure by other espionage groups.
Implant used to convert infected systems into operational relay boxes (ORBs).