Chinese Hackers Hit South American Telcos With New Malware

By alex2404

A China-linked threat actor has been systematically breaching South American telecommunications providers since 2024, deploying three previously undocumented malware families across Windows, Linux, and network-edge devices, according to Cisco Talos researchers.

The group, tracked as UAT-9244, is associated with the FamousSparrow and Tropic Trooper hacking clusters on the basis of overlapping tools, tactics, and target profiles, but is maintained as a separate activity cluster. Researchers note the group shares a similar victim profile with Salt Typhoon but say they could not establish a solid link between the two.

Three New Malware Families

The campaign introduced TernDoor, PeerTime, and BruteEntry — none previously documented. Each serves a distinct operational role within the intrusion chain.

TernDoor is a Windows backdoor delivered through DLL side-loading, using the legitimate executable wsprint.exe to load malicious code from BugSplatRc64.dll, which then decrypts and injects the final payload into msiexec.exe. An embedded Windows driver, WSPrint.sys, allows the malware to terminate, suspend, and resume processes. The announcement says persistence is maintained through scheduled tasks and registry modifications, with the scheduled task itself concealed through the same mechanisms. The backdoor can execute remote shell commands, read and write files, collect system information, and self-uninstall.
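A defender-side correlation check for the side-loading chain just described, written as an added example and not taken from the Talos report: it walks constructed Sysmon-like events and flags hosts where the named files show up together. The event field names, the sample paths and the trusted-directory heuristic are my assumptions, not details from the report.

```python
from collections import defaultdict

# File names the article attributes to the TernDoor chain (lower-cased for matching).
HOST_EXE = "wsprint.exe"             # legitimate executable abused as the side-loading host
SIDELOADED_DLL = "bugsplatrc64.dll"  # malicious DLL it loads
DRIVER = "wsprint.sys"               # embedded driver used to terminate/suspend processes
INJECT_TARGET = "msiexec.exe"        # process the decrypted payload is injected into
# Assumption for this example: loads from these roots are treated as benign co-located files.
TRUSTED_DIRS = ("c:/windows/", "c:/program files")


def _norm(path):
    return path.replace("\\", "/").lower()


def _base(path):
    return _norm(path).rsplit("/", 1)[-1]


def detect_terndoor_chain(events):
    """Map each host to the chain stages observed and a verdict.

    Events are constructed Sysmon-like dicts with keys host, type
    ('image_load', 'driver_load', 'process_access'), image, loaded, target.
    The field names are an assumption for this example, not Sysmon's schema."""
    stages = defaultdict(set)
    for e in events:
        kind, host = e["type"], e["host"]
        if (kind == "image_load" and _base(e["image"]) == HOST_EXE
                and _base(e["loaded"]) == SIDELOADED_DLL
                and not _norm(e["loaded"]).startswith(TRUSTED_DIRS)):
            stages[host].add("sideload")
        elif (kind == "driver_load" and _base(e["loaded"]) == DRIVER
                and not _norm(e["loaded"]).startswith(TRUSTED_DIRS)):
            stages[host].add("driver")
        elif (kind == "process_access" and _base(e["image"]) == HOST_EXE
                and _base(e["target"]) == INJECT_TARGET):
            stages[host].add("inject")
    # Two or more stages on one host is the full chain; a single stage is a lead to triage.
    return {h: {"stages": sorted(s), "verdict": "terndoor_chain" if len(s) >= 2 else "review"}
            for h, s in stages.items()}


# Constructed sample telemetry: ws01 shows the full chain, ws02 a lone driver load,
# ws03 a vendor-installed copy loading its DLL from Program Files (not flagged).
SAMPLE_EVENTS = [
    {"host": "tel-ws01", "type": "image_load", "image": r"C:\Users\Public\wsprint.exe",
     "loaded": r"C:\Users\Public\BugSplatRc64.dll", "target": ""},
    {"host": "tel-ws01", "type": "driver_load", "image": "", "loaded": r"C:\Users\Public\WSPrint.sys", "target": ""},
    {"host": "tel-ws01", "type": "process_access", "image": r"C:\Users\Public\wsprint.exe",
     "loaded": "", "target": r"C:\Windows\System32\msiexec.exe"},
    {"host": "tel-ws02", "type": "driver_load", "image": "", "loaded": r"C:\Temp\WSPrint.sys", "target": ""},
    {"host": "tel-ws03", "type": "image_load", "image": r"C:\Program Files\Vendor\wsprint.exe",
     "loaded": r"C:\Program Files\Vendor\BugSplatRc64.dll", "target": ""},
]

if __name__ == "__main__":
    for host, result in detect_terndoor_chain(SAMPLE_EVENTS).items():
        print(host, result)
```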

PeerTime is an ELF Linux backdoor built for multiple processor architectures — ARM, AARCH, PPC, and MIPS — a scope that suggests deliberate targeting of the embedded systems and network appliances common in telecom infrastructure. It exists in two variants: one written in C/C++, the other in Rust. Simplified Chinese debug strings were found in the instrumentor binary. Rather than conventional command-and-control channels, PeerTime routes communications through the BitTorrent protocol, downloads and executes payloads from peers, and uses BusyBox to write files to the host. Its process is renamed to appear legitimate.

BruteEntry, built in Go, converts compromised machines into scanning nodes the report calls Operational Relay Boxes, or ORBs. It brute-forces access to SSH, Postgres, and Tomcat services on newly identified targets, then relays login attempt results — including task status and notes — back to the attacker’s infrastructure.

Attribution and Confidence

The high-confidence association between UAT-9244 and the two established Chinese state-linked groups rests on shared tooling, techniques, and the consistent focus on telecommunications targets. Researchers stopped short of folding the cluster into either parent group, maintaining it as a distinct tracked entity.

Cisco Talos has published a full technical breakdown of the three malware families alongside indicators of compromise that network defenders can use to detect and block activity associated with the campaign.


This article is a curated summary based on third-party sources.