MalwareUsed by 2 actors

SilentRaid

Also known asMystRodX

SilentRaid, also known as MystRodX, is a C++-based Linux backdoor and the primary persistent implant used in UAT-7290 intrusions. It is deployed in a staged infection chain alongside RushDrop and DriveSwitch, with reporting indicating RushDrop creates a hidden .pkgdb directory and drops components including daytime, chargen, and busybox; SilentRaid is described as the main implant used to maintain long-term access on compromised systems. The malware communicates with command-and-control infrastructure, including by resolving C2 domains through public DNS resolvers such as Google Public DNS (8.8.8.8), and executes attacker-defined tasks through a modular or plugin-based architecture.

Documented capabilities include remote shell or reverse shell access, command execution, port forwarding, file and socket management, and file operations. Reporting also states it can archive directories with tar, access /etc/passwd, parse or collect X.509 certificate attributes, and collect credential-related data or steal credentials from telecommunications systems. MystRodX-specific reporting further describes configurable TCP or HTTP C2 communications, optional AES-encrypted traffic, layered encryption for configuration and payload elements, and a passive wake-up mode using raw sockets that can be triggered by specially crafted DNS or ICMP packets for stealthy activation.

SilentRaid is associated with the China-linked threat actor UAT-7290, which Cisco Talos assessed as active since at least 2022 and focused on espionage-oriented compromises of public-facing edge devices. The actor primarily targets telecommunications providers and other critical infrastructure in South Asia, with more recent activity extending into Southeastern Europe. SilentRaid is repeatedly described as central to persistence on compromised telecommunications and edge-networking infrastructure. High-confidence indicators and related details mentioned in the content include use of the hidden .pkgdb directory, dropped component names daytime, chargen, and busybox, DNS-based C2 resolution via 8.8.8.8, and published SHA-256 indicators associated with the broader malware set: 723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200, 59568d0e2da98bad46f0e3165bcf8adadbf724d617ccebcfdaeafbb097b81596, and 961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

UAT-7290

SilentRaid establishes persistent command-and-control access to telecommunications infrastructure, enabling remote shell execution, port forwarding, file manipulation, and credential theft from telecommunications systems.

via hiveprohivepro.com

Liminal Panda

SilentRaid (aka MystRodX), a C++-based implant that establishes persistent access ... plugin-like approach to communicate with an external server, open a remote shell, set up port forwarding, and perform file operations

via the hacker newsthehackernews.com

MITRE ATT&CK

Techniques & procedures

34 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques

T1587Develop CapabilitiesEvidence1

T1587: Develop Capabilities – UAT-7290 custom telecommunications malware development

T1587.001MalwareEvidence2

Once inside, they deploy a diverse arsenal of tools, including custom Linux malware variants such as RushDrop, DriveSwitch, and SilentRaid (the primary implant for persistence).

Initial Access

2 techniques

T1133External Remote ServicesEvidence1

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

T1190Exploit Public-Facing ApplicationEvidence2

It prioritizes initial access to edge networking devices... Mitigation Harden edge networking devices by eliminating default credentials, restricting management exposure, and rapidly patching known one-day vulnerabilities.

Execution

2 techniques

T1059Command and Scripting InterpreterEvidence3

...support capabilities such as command execution, file management, and reverse shell establishment... any evidence of spawned reverse shells. | ...support capabilities such as command execution... Monitor for anomalous DNS behavior... along with unusual BusyBox command usage...

T1059.004Unix ShellEvidence2

Plugin:my_rsh This plugin opens a remote shell by executing “sh” either via either “busybox” or “/bin/sh”. This remote shell is then used to run arbitrary commands on the infected system.

Persistence

2 techniques

T1133External Remote ServicesEvidence1

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

T1543Create or Modify System ProcessEvidence1

T1543: Create or Modify System Process – Telecommunications system persistence establishment

Privilege Escalation

1 technique

T1543Create or Modify System ProcessEvidence1

T1543: Create or Modify System Process – Telecommunications system persistence establishment

Stealth

6 techniques

T1027Obfuscated Files or InformationEvidence1

T1027: Obfuscated Files or Information – UAT-7290 malware obfuscation

T1027.002Software PackingEvidence1

T1027.002: Software Packing – Packed telecommunications malware

T1070.004File DeletionEvidence1

Remove a file or directory using the “rm” command - via busybox

T1140Deobfuscate/Decode Files or InformationEvidence1

T1140: Deobfuscate/Decode Files or Information – Runtime malware unpacking

T1564Hide ArtifactsEvidence1

T1564: Hide Artifacts – Concealment of telecommunications compromise

T1564.001Hidden Files and DirectoriesEvidence1

T1564.001: Hidden Files and Directories – Hidden malware on telecommunications devices

Credential Access

3 techniques

T1110Brute ForceEvidence1

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

T1552Unsecured CredentialsEvidence1

T1552.001Credentials In FilesEvidence1

T1552.001: Credentials In Files – Harvesting telecommunications configuration credentials

Discovery

3 techniques

T1016System Network Configuration DiscoveryEvidence1

T1016: System Network Configuration Discovery – Telecommunications network mapping

T1082System Information DiscoveryEvidence1

T1082: System Information Discovery – Telecommunications system enumeration

T1083File and Directory DiscoveryEvidence4

Plugin:my_file_mgr This is the file manager of the backdoor. It allows the SilentRaid to: Read contents of “/etc/passwd” ... Check if a file is accessible ... Read/write a specified file

Lateral Movement

1 technique

T1021.004SSHEvidence1

UAT-7290 typically leverages public proof-of-concepts (PoCs) for various vulnerabilities and SSH brute force attacks to compromise public-facing devices.

Collection

1 technique

T1005Data from Local SystemEvidence2

T1005: Data from Local System – Intelligence collection from telecommunications infrastructure

Command and Control

12 techniques

T1071Application Layer ProtocolEvidence3

SilentRaid communicates with its C2 server, usually in the form of a domain and can carry out action as instructed by the C2.

T1071.001Web ProtocolsEvidence1

T1071.001: Web Protocols – HTTP/HTTPS C2 channels

T1071.004DNSEvidence2

Plugin: my_socks_mgr This plugin handles communication to C2 server. It obtains the C2 IP by resolving a domain using “8[.]8[.]8[.]8” and passes commands received from the C2 to the appropriate plugin.

T1090ProxyEvidence1

SilentRaid operates using a modular plugin system that gives attackers multiple capabilities. The malware can open remote shells, forward internet ports, and manage files on infected systems.

T1090.001Internal ProxyEvidence1

These plugins enable remote shells, file access, port forwarding, command execution, and data collection

T1105Ingress Tool TransferEvidence3

RushDrop then decodes and drops three binaries to the “.pkgdb” folder: “daytime” ... tracked as DriveSwitch. “chargen” ... tracked as SilentRaid. “busybox” - Busybox is a legitimate Linux utility that can be used to execute arbitrary commands on the system.

T1132Data EncodingEvidence1

T1132: Data Encoding – Encoded telecommunications C2 traffic

T1219Remote Access ToolsEvidence3

SilentRaid is the main implant in the intrusion meant to establish persistent access to compromised endpoints. It communicates with its command-and-control server (C2) and carries out tasks defined in the malware.

T1568Dynamic ResolutionEvidence1

When SilentRaid starts, it communicates with its control server using a domain name and Google’s public DNS service (8.8.8.8) to find the server’s address.

T1572Protocol TunnelingEvidence1

T1572: Protocol Tunneling – Traffic tunneling through telecommunications infrastructure

T1573Encrypted ChannelEvidence1

T1573: Encrypted Channel – Encrypted telecommunications C2 communications

T1573.002Asymmetric CryptographyEvidence1

T1573.002: Asymmetric Cryptography – Public key cryptography for telecommunications C2

Exfiltration

1 technique

T1041Exfiltration Over C2 ChannelEvidence1

T1041: Exfiltration Over C2 Channel – Data exfiltration from telecommunications networks

INDICATORS OF COMPROMISE

IOCs tracked for this family

17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

6 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

10 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other

1 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

hash.sha256●●●●●●●●●●●●View more in app5 months ago

domain●●●●●●●●●●●●View more in app10 months ago

hash.md5●●●●●●●●●●●●View more in app10 months ago

ACTIVITY FEED

Recent activity

22 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

22 SOURCESView more in app

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

C++ backdoor supporting file management, port forwarding, reverse shell, and socket management; uses DNS/ICMP triggers for stealthy control (per excerpt).

the hacker newsNews

Jan 16, 2026

China-Linked APT Exploited Sitecore Zero-Day in Critical Infrastructure Intrusion

A malware family referenced as being used in espionage-focused intrusions by UAT-7290.

hiveproNews

Jan 16, 2026

UAT-7290: Chinese APT Telecom Espionage, IOCs & Defenses | Hive Pro

A specialized Linux backdoor that provides persistent C2 access to compromised telecommunications infrastructure, supporting remote shell execution, port forwarding, file manipulation, and credential theft.

socprime blogNews

Jan 14, 2026

UAT-7290 Targets South Asian Telecoms with Linux Implants

The primary Linux implant in the infection chain, providing command execution, file management, and reverse shell capabilities while communicating with C2 via DNS resolution through public resolvers.

+18 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching17

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping34

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.