MalwareUsed by 2 actors

RushDrop

Also known asChronosRAT

RushDrop, also known as ChronosRAT, is a Linux malware component used by the China-nexus threat actor UAT-7290 in espionage-focused intrusions. Cisco Talos describes it as the initial dropper that starts a staged infection chain targeting primarily telecommunications providers and other critical infrastructure entities in South Asia, with more recent activity extending into Southeastern Europe. UAT-7290 is reported to gain access through exploitation of public-facing edge networking devices using one-day vulnerabilities and target-specific SSH brute-force attacks.

RushDrop performs anti-analysis or anti-VM checks and may delete itself if those checks fail. When execution proceeds, it creates or verifies a hidden .pkgdb directory on the compromised Linux system and decodes or drops embedded binaries into that directory, including daytime, chargen, and busybox. The daytime component is associated with DriveSwitch, which helps execute the next-stage payload, while chargen corresponds to the SilentRaid implant, the primary persistence backdoor in the intrusion chain. BusyBox, a legitimate Linux utility, is abused for command execution.

The content consistently places RushDrop within a broader Linux malware suite used by UAT-7290 alongside DriveSwitch and SilentRaid. In this role, RushDrop functions as the infection initiator rather than the main persistence implant. Some cited reporting also refers to ChronosRAT as a modular Linux RAT with AES-encrypted TCP command-and-control, dynamic RSA key updates, and capabilities including remote shell, keylogging, screenshots, port forwarding, file management, SOCKS proxying, and watchdog-based persistence; however, the most consistently supported characterization in the provided content is that RushDrop/ChronosRAT serves as the initial dropper in the UAT-7290 infection chain.

High-confidence indicators and artifacts directly associated in the content include the hidden .pkgdb directory; dropped filenames daytime, chargen, and busybox; and published SHA-256 indicators 723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200, 59568d0e2da98bad46f0e3165bcf8adadbf724d617ccebcfdaeafbb097b81596, and 961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d. Cisco Talos states that ClamAV signatures Unix.Dropper.Agent, Unix.Malware.Agent, and Unix.Packed.Agent, as well as Snort SID 65124, detect this threat.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

UAT-7290

The telecommunications infection chain starts with RushDrop, a dropper performing anti-analysis checks before deploying the DriveSwitch loader and SilentRaid backdoor components.

via hiveprohivepro.com

Liminal Panda

ChronosRAT: A modular Linux RAT that ensures persistence via a watchdog process. It includes AES-encrypted TCP C2, dynamic RSA key updates, and modules for remote shell, keylogging, screenshots, port forwarding, file management, and SOCKS proxy.

via securityaffairssecurityaffairs.com

MITRE ATT&CK

Techniques & procedures

24 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques

T1587Develop CapabilitiesEvidence1

T1587: Develop Capabilities – UAT-7290 custom telecommunications malware development

T1587.001MalwareEvidence2

Once inside, they deploy a diverse arsenal of tools, including custom Linux malware variants such as RushDrop, DriveSwitch, and SilentRaid (the primary implant for persistence).

Initial Access

3 techniques

T1078Valid AccountsEvidence1

UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...

T1133External Remote ServicesEvidence1

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

T1190Exploit Public-Facing ApplicationEvidence7

It prioritizes initial access to edge networking devices... Mitigation Harden edge networking devices by eliminating default credentials, restricting management exposure, and rapidly patching known one-day vulnerabilities.

Execution

1 technique

T1059Command and Scripting InterpreterEvidence1

SilentRaid (aka MystRodX), a C++-based implant that establishes persistent access to compromised endpoints and employs a plugin-like approach to communicate with an external server, open a remote shell

Persistence

4 techniques

T1078Valid AccountsEvidence1

UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...

T1133External Remote ServicesEvidence1

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

T1543Create or Modify System ProcessEvidence1

T1543: Create or Modify System Process – Telecommunications system persistence establishment

T1547Boot or Logon Autostart ExecutionEvidence1

SilentRaid serves as the primary implant, designed to establish persistent access to compromised endpoints, communicate with command-and-control infrastructure, and execute tasks defined by the attacker.

Privilege Escalation

4 techniques

T1055Process InjectionEvidence1

ChronosRAT, a modular ELF binary that's capable of shellcode execution

T1078Valid AccountsEvidence1

UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...

T1543Create or Modify System ProcessEvidence1

T1543: Create or Modify System Process – Telecommunications system persistence establishment

T1547Boot or Logon Autostart ExecutionEvidence1

Stealth

9 techniques

T1027Obfuscated Files or InformationEvidence1

T1027: Obfuscated Files or Information – UAT-7290 malware obfuscation

T1027.002Software PackingEvidence1

T1027.002: Software Packing – Packed telecommunications malware

T1055Process InjectionEvidence1

ChronosRAT, a modular ELF binary that's capable of shellcode execution

T1078Valid AccountsEvidence1

UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access...

T1140Deobfuscate/Decode Files or InformationEvidence1

T1140: Deobfuscate/Decode Files or Information – Runtime malware unpacking

T1497Virtualization/Sandbox EvasionEvidence4

The telecommunications infection chain starts with RushDrop, a dropper performing anti-analysis checks before deploying the DriveSwitch loader and SilentRaid backdoor components.

T1497.001System ChecksEvidence2

T1497.001: System Checks – Environment detection in telecommunications systems

T1564Hide ArtifactsEvidence2

T1564: Hide Artifacts – Concealment of telecommunications compromise

T1564.001Hidden Files and DirectoriesEvidence4

T1564.001: Hidden Files and Directories – Hidden malware on telecommunications devices

Credential Access

2 techniques

T1056.001KeyloggingEvidence1

ChronosRAT, a modular ELF binary that's capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy.

T1110Brute ForceEvidence3

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

Discovery

3 techniques

T1083File and Directory DiscoveryEvidence1

ChronosRAT, a modular ELF binary that's capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy.

T1497Virtualization/Sandbox EvasionEvidence4

The telecommunications infection chain starts with RushDrop, a dropper performing anti-analysis checks before deploying the DriveSwitch loader and SilentRaid backdoor components.

T1497.001System ChecksEvidence2

T1497.001: System Checks – Environment detection in telecommunications systems

Lateral Movement

1 technique

T1021.004SSHEvidence2

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

Collection

2 techniques

T1056.001KeyloggingEvidence1

ChronosRAT, a modular ELF binary that's capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy.

T1113Screen CaptureEvidence1

ChronosRAT, a modular ELF binary that's capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy.

Command and Control

3 techniques

T1090ProxyEvidence1

ChronosRAT, a modular ELF binary that's capable of shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy.

T1090.001Internal ProxyEvidence1

SilentRaid (aka MystRodX) ... open a remote shell, set up port forwarding, and perform file operations

T1105Ingress Tool TransferEvidence7

RushDrop then decodes and drops three binaries to the “.pkgdb” folder: “daytime” ... tracked as DriveSwitch. “chargen” ... tracked as SilentRaid. “busybox” - Busybox is a legitimate Linux utility that can be used to execute arbitrary commands on the system.

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Hashes

4 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

hash.sha256●●●●●●●●●●●●View more in app5 months ago

hash.sha256●●●●●●●●●●●●View more in app11 months ago

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

Malware family deployed in espionage-focused intrusions attributed to UAT-7290; details not provided in excerpt.

the hacker newsNews

Jan 16, 2026

China-Linked APT Exploited Sitecore Zero-Day in Critical Infrastructure Intrusion

A malware family referenced as being used in espionage-focused intrusions by UAT-7290.

hiveproNews

Jan 16, 2026

UAT-7290: Chinese APT Telecom Espionage, IOCs & Defenses | Hive Pro

A specialized Linux-based dropper used by UAT-7290 on telecommunications edge devices. It performs anti-analysis checks and deploys additional malware components including DriveSwitch and SilentRaid.

socprime blogNews

Jan 14, 2026

UAT-7290 Targets South Asian Telecoms with Linux Implants

A Linux dropper used at the start of a staged infection chain; it creates a hidden .pkgdb directory and deploys subsequent payload stages.

+15 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching4

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping24

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.