A China-linked advanced persistent threat actor tracked as UAT-9244 has been targeting telecommunication service providers in South America since 2024, compromising Windows, Linux, and network-edge devices.

According to Cisco Talos researchers, the adversary is closely associated with the FamousSparrow and Tropic Trooper hacker groups, but is tracked as a separate activity cluster.

This assessment has high confidence and is based on similar tooling, tactics, techniques, and procedures (TTPs), and victimology observed in attacks attributed to the threat actors.

The researchers note that while UAT-9244 shares the same target profile as Salt Typhoon, they could not establish a solid connection between the two activity clusters.

New malware targeting telco networks

The researchers found that the campaign used three previously undocumented malware families: TernDoor, a Windows backdoor; PeerTime, a Linux backdoor that uses BitTorrent; and BruteEntry, a brute-force scanner that builds proxy infrastructure (ORBs).

TernDoor is deployed through DLL side-loading, using the legitimate executable wsprint.exe to load malicious code from BugSplatRc64.dll, which decrypts and executes the final payload in memory (injected into msiexec.exe).

The malware contains an embedded Windows driver, WSPrint.sys, which is used to terminate, suspend, and resume processes.

Persistence is achieved via scheduled tasks and Windows Registry modifications, which are also used to hide the scheduled task.

Additionally, TernDoor can execute commands via remote shell, run arbitrary processes, read/write files, collect system information, and self-uninstall.

PeerTime is an ELF Linux backdoor that targets multiple architectures (ARM, AARCH, PPC, MIPS), suggesting it was designed to compromise a broad range of embedded systems and network devices used in telecom environments.

Cisco Talos documented two versions for PeerTime. One variant is written in C/C++ and the other is based on Rust. The researchers also noticed Simplified Chinese debug strings in the instrumentor binary, an indicator of its origin.

Its payload is decrypted and loaded in memory, and its process is renamed to appear legitimate.

PeerTime, an ELF-based peer-to-peer (P2P) backdoor, uses the BitTorrent protocol for command-and-control (C2) communications, downloads and executes payloads from peers, and uses BusyBox to write the files on the host.

Finally, there’s BruteEntry, which consists of a Go-based instrumentor binary and a brute-forcing component. Its role is to turn compromised devices into scanning nodes, known as Operational Relay Boxes (ORBs).

The attacker uses the machines running BruteEntry to scan for new targets and brute-force access to SSH, Postgres, and Tomcat. Login attempt results are sent back to the C2 with task status and notes.

In a technical report today, Cisco Talos researchers provide details on the capabilities of the three pieces of malware, how they are deployed, and achieve persistence.

Cisco Talos researchers have listed indicators of compromise (IoCs) associated with the observed UAT-9244 activity, which defenders can use to detect and block these attacks early.