South American telecommunication providers are facing a sustained cyberattack campaign from a China-linked advanced persistent threat (APT) actor known as UAT-9244, researchers at Cisco Talos have revealed. Active since 2024, the group is compromising Windows, Linux, and network-edge devices with a new toolkit of malware designed for long-term access and reconnaissance.
UAT-9244 is assessed with high confidence to be closely associated with the notorious hacking groups Famous Sparrow and Tropic Trooper, sharing similar tactics, techniques, and procedures (TTPs), and targeting comparable victimology. While the group shares a target profile with another Chinese threat actor, Salt Typhoon, researchers have not yet established a definitive connection between the two, according to the Cisco Talos report published March 5, 2026.
The campaign leverages three previously undocumented malware families: TernDoor, a Windows backdoor; PeerTime, a Linux backdoor utilizing the BitTorrent protocol; and BruteEntry, a brute-force scanner used to establish proxy infrastructure. These tools allow UAT-9244 to gain initial access, move laterally within networks, and maintain persistent control over compromised systems.
TernDoor: A New Windows Backdoor
TernDoor operates through a technique called DLL side-loading, exploiting the legitimate Windows executable, wsprint.exe, to load a malicious DLL, BugSplatRc64.dll. This DLL decrypts and executes the final payload in memory, injecting it into the msiexec.exe process. The malware also incorporates an embedded Windows driver, WSPrint.sys, enabling it to terminate, suspend, and resume processes, enhancing its stealth and control.
Persistence is achieved through scheduled tasks and modifications to the Windows Registry, further obscuring its presence on infected systems. Once established, TernDoor can execute commands remotely, run arbitrary processes, read and write files, collect system information, and even self-uninstall, providing a comprehensive suite of post-exploitation capabilities.
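The TernDoor chain described above (wsprint.exe side-loading BugSplatRc64.dll, the payload landing in msiexec.exe, the WSPrint.sys driver, and scheduled-task persistence) maps naturally onto endpoint telemetry. The following script is an added illustration, not code from Cisco Talos or from the report: it runs simple correlation rules over a handful of constructed Sysmon-style process, image-load and driver-load records and reports hosts where more than one stage of the chain is visible. The event shape, the field names and the file paths in the sample records are assumptions made for the example.

```python
"""Host triage for the TernDoor side-loading chain over constructed Sysmon-style events.

Indicators (as summarised on this page):
  - wsprint.exe loading BugSplatRc64.dll                      (DLL side-loading)
  - msiexec.exe spawned by wsprint.exe                         (injection target)
  - a driver named WSPrint.sys loaded outside the drivers dir  (embedded driver)
  - schtasks.exe /create launched by wsprint.exe               (persistence)
The records below are constructed for this example; they are not Talos telemetry.
"""
from collections import defaultdict

DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed sample events: EventId 1 = process create, 6 = driver load, 7 = image load.
SAMPLE_EVENTS = [
    {"EventId": 1, "Host": "srv01", "Image": r"C:\Users\Public\wsprint.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "wsprint.exe"},
    {"EventId": 7, "Host": "srv01", "Image": r"C:\Users\Public\wsprint.exe",
     "ImageLoaded": r"C:\Users\Public\BugSplatRc64.dll"},
    {"EventId": 1, "Host": "srv01", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Users\Public\wsprint.exe", "CommandLine": "msiexec.exe"},
    {"EventId": 6, "Host": "srv01", "ImageLoaded": r"C:\Users\Public\WSPrint.sys"},
    {"EventId": 1, "Host": "srv01", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\Public\wsprint.exe",
     "CommandLine": "schtasks /create /tn Updater /tr C:\\Users\\Public\\wsprint.exe"},
    # Benign noise on another host: msiexec started by the installer service.
    {"EventId": 1, "Host": "srv02", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "msiexec.exe /V"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return {host: [finding, ...]} for every host that shows at least one indicator."""
    findings = defaultdict(list)
    for ev in events:
        host, eid = ev["Host"], ev["EventId"]
        if eid == 7 and basename(ev["Image"]) == "wsprint.exe" \
                and basename(ev["ImageLoaded"]) == "bugsplatrc64.dll":
            findings[host].append("side-load: wsprint.exe loaded " + ev["ImageLoaded"])
        elif eid == 1 and basename(ev["Image"]) == "msiexec.exe" \
                and basename(ev["ParentImage"]) == "wsprint.exe":
            findings[host].append("injection-target: msiexec.exe spawned by wsprint.exe")
        elif eid == 6 and basename(ev["ImageLoaded"]) == "wsprint.sys" \
                and not ev["ImageLoaded"].lower().startswith(DRIVER_DIR):
            findings[host].append("driver: WSPrint.sys loaded from " + ev["ImageLoaded"])
        elif eid == 1 and basename(ev["Image"]) == "schtasks.exe" \
                and basename(ev["ParentImage"]) == "wsprint.exe" \
                and "/create" in ev["CommandLine"].lower():
            findings[host].append("persistence: scheduled task created by wsprint.exe")
    return dict(findings)


def hosts_with_chain(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages fired; one stage alone may be noise."""
    return sorted(host for host, items in triage(events).items()
                  if len({item.split(":", 1)[0] for item in items}) >= min_stages)


if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        print(host)
        for item in items:
            print("  -", item)
    print("hosts with chain:", hosts_with_chain(SAMPLE_EVENTS))
```

Requiring two or more distinct stages before escalating keeps a lone msiexec.exe launch from paging anyone; the side-load rule alone is the strongest single signal, because a legitimate wsprint.exe has no reason to load that DLL from a user-writable directory.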
PeerTime: A Linux Backdoor Leveraging BitTorrent
PeerTime is an ELF-based Linux backdoor designed to target a wide range of architectures – ARM, AARCH, PPC, and MIPS – suggesting a deliberate effort to compromise diverse embedded systems and network devices common in telecommunications infrastructure. Cisco Talos documented two versions of PeerTime, one written in C/C++ and another based on the Rust programming language. The researchers also noted the presence of Simplified Chinese debug strings within the instrumentor binary, a strong indicator of the actor’s origin.
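Because PeerTime ships as ELF binaries for several embedded architectures, a first triage step on a pile of recovered files is to read the ELF identification bytes and e_machine field and sort samples by target CPU. The parser below is an added example, not Cisco Talos tooling: it reads only the first 20 bytes of each file, handles both byte orders, and flags the architectures this page names as PeerTime targets. The sample headers are constructed minimal ELF headers, not real PeerTime samples.

```python
"""Sort ELF samples by target architecture using only the first 20 header bytes.

Layout (System V ABI): bytes 0-3 magic, byte 4 EI_CLASS (1=32-bit, 2=64-bit),
byte 5 EI_DATA (1=little-endian, 2=big-endian), bytes 16-17 e_type,
bytes 18-19 e_machine (in the file's own byte order).
The sample headers are constructed for this example, not recovered malware.
"""
import struct

# e_machine values from the ELF specification for the architectures of interest.
EM_NAMES = {3: "x86", 8: "MIPS", 20: "PPC", 21: "PPC64", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# Architectures this page names as PeerTime targets (ARM, AArch64, PPC, MIPS).
EMBEDDED_TARGETS = {"ARM", "AArch64", "PPC", "PPC64", "MIPS"}


def elf_info(blob):
    """Return {'bits', 'endian', 'machine'} for an ELF header, or None if not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack(endian + "H", blob[18:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": EM_NAMES.get(e_machine, "unknown(%d)" % e_machine),
    }


def make_header(ei_class, ei_data, e_machine):
    """Build a constructed, minimal ELF header (e_type=2, EXEC) for the sample set."""
    endian = "<" if ei_data == 1 else ">"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9  # 16 bytes
    return e_ident + struct.pack(endian + "HH", 2, e_machine) + b"\x00" * 32


# Constructed sample files keyed by name.
SAMPLES = {
    "sample_mips_be": make_header(1, 2, 8),
    "sample_arm_le": make_header(1, 1, 40),
    "sample_aarch64": make_header(2, 1, 183),
    "sample_ppc": make_header(1, 2, 20),
    "sample_x64": make_header(2, 1, 62),
    "not_elf": b"MZ" + b"\x00" * 60,
}


def flag_embedded_targets(samples):
    """Names of samples built for the embedded architectures listed on this page."""
    return sorted(name for name, blob in samples.items()
                  if (info := elf_info(blob)) and info["machine"] in EMBEDDED_TARGETS)


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, elf_info(blob))
    print("embedded targets:", flag_embedded_targets(SAMPLES))
```

Reading e_machine in the file's own byte order matters here: MIPS and PowerPC network gear is commonly big-endian, and a parser that assumes little-endian would report nonsense machine values for exactly the samples of interest.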
What sets PeerTime apart is its use of the BitTorrent protocol for command-and-control (C2) communications. The malware downloads and executes payloads from peers within the BitTorrent network, and utilizes BusyBox to write files on the compromised host. This approach allows for resilient and obfuscated communication, making detection more challenging.
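Using BitTorrent for C2 blends in on a residential network, but on a telecom server or management segment any peer-wire or DHT traffic is itself the anomaly. The detector below is an added example, not code from Cisco Talos: it looks for the two protocol fingerprints that do not depend on port numbers, the peer-wire handshake (a length byte of 19 followed by "BitTorrent protocol") and bencoded KRPC/DHT messages (a dictionary carrying a "y" key of q, r or e), and reports source hosts inside an assumed server range. The flow records and the 10.20.0.0/16 segment are constructed for the example.

```python
"""Flag hosts on a server segment that speak BitTorrent (peer-wire or DHT/KRPC).

Fingerprints used:
  - peer-wire handshake: pstrlen byte 0x13 followed by b"BitTorrent protocol"
  - KRPC (DHT over UDP): a bencoded dict containing "1:y1:q", "1:y1:r" or "1:y1:e"
Ports are deliberately ignored: a backdoor can use any port, but the wire format
is fixed. The flow records and address ranges below are constructed for this example.
"""
import ipaddress
import re

HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
KRPC_TYPE = re.compile(rb"1:y1:[qre]")

# Assumed server/management segment where BitTorrent has no legitimate use.
SERVER_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Constructed flows: (source, destination, protocol, destination port, first payload bytes).
SAMPLE_FLOWS = [
    {"src": "10.20.5.14", "dst": "203.0.113.7", "proto": "tcp", "dport": 51413,
     "payload": HANDSHAKE_PREFIX + bytes(8) + b"A" * 20 + b"B" * 20},
    {"src": "10.20.5.14", "dst": "198.51.100.3", "proto": "udp", "dport": 6881,
     "payload": b"d1:ad2:id20:" + b"C" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"},
    {"src": "10.20.5.14", "dst": "192.0.2.10", "proto": "tcp", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03"},      # TLS ClientHello
    {"src": "10.20.7.2", "dst": "192.0.2.44", "proto": "tcp", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    # Workstation outside the server segment: reported only if the segment is widened.
    {"src": "192.168.1.77", "dst": "203.0.113.7", "proto": "tcp", "dport": 6881,
     "payload": HANDSHAKE_PREFIX + bytes(8) + b"D" * 20 + b"E" * 20},
]


def classify_payload(payload):
    """Return 'peer-wire-handshake', 'dht-krpc', or None for the first bytes of a flow."""
    if payload.startswith(HANDSHAKE_PREFIX):
        return "peer-wire-handshake"
    if payload.startswith(b"d") and payload.endswith(b"e") and KRPC_TYPE.search(payload):
        return "dht-krpc"
    return None


def find_suspect_hosts(flows, segment=SERVER_SEGMENT):
    """Map each in-segment source host to the sorted BitTorrent behaviours seen from it."""
    seen = {}
    for flow in flows:
        src = ipaddress.ip_address(flow["src"])
        if src not in segment:
            continue
        kind = classify_payload(flow["payload"])
        if kind:
            seen.setdefault(str(src), set()).add(kind)
    return {host: sorted(kinds) for host, kinds in seen.items()}


if __name__ == "__main__":
    for host, kinds in find_suspect_hosts(SAMPLE_FLOWS).items():
        print(host, "->", ", ".join(kinds))
```

A host that both completes peer-wire handshakes and issues DHT queries is behaving like a full BitTorrent client; on infrastructure that should never run one, that combination is worth an immediate look regardless of which process or port is involved.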
[Figure omitted. Source: Cisco Talos]
BruteEntry: Building Proxy Infrastructure
The third component of UAT-9244’s toolkit, BruteEntry, consists of a Go-based instrumentor binary and a brute-forcing component. Its primary function is to transform compromised devices into scanning nodes, known as Operational Relay Boxes (ORBs). These ORBs are then used to scan for new targets and attempt to brute-force access to services like SSH, Postgres, and Tomcat. Login attempt results, along with task status notes, are sent back to the attacker’s C2 server.
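The ORB behaviour described above leaves a distinctive trace on the victim side: one external source address failing logins against several unrelated services (SSH, Postgres, Tomcat) in a short window. The script below is an added example, not Cisco Talos tooling: it counts authentication failures per source across constructed log lines in the three formats and flags sources that exceed a threshold or touch more than one service. The log lines are constructed; the Postgres line assumes a log_line_prefix that includes the client address (%h), which is not PostgreSQL's default.

```python
"""Per-source failed-login counting across sshd, PostgreSQL and Tomcat logs.

A scanner node trying several services from one address looks different from a
user mistyping one password: it fails often and it fails against unrelated services.
All log lines below are constructed for this example. The Postgres pattern assumes a
log_line_prefix that includes %h (client host) before the severity.
"""
import re
from collections import defaultdict

PATTERNS = {
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    "postgres": re.compile(r"(?P<ip>\d+\.\d+\.\d+\.\d+) FATAL:\s+password authentication failed"),
    "tomcat": re.compile(r'^(?P<ip>\d+\.\d+\.\d+\.\d+) .*"(?:GET|POST) /manager/\S* HTTP/\d\.\d" 401 '),
}

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Mar  5 10:01:%02d db01 sshd[4121]: Failed password for invalid user admin from 203.0.113.50 port 5%04d ssh2" % (s, s)
    for s in range(6)
] + [
    '2026-03-05 10:01:07 UTC [5210] 203.0.113.50 FATAL:  password authentication failed for user "postgres"',
    '2026-03-05 10:01:08 UTC [5211] 203.0.113.50 FATAL:  password authentication failed for user "admin"',
    '203.0.113.50 - - [05/Mar/2026:10:01:09 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.50 - - [05/Mar/2026:10:01:10 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    # A single typo from an operator: one failure, one service, below any threshold.
    "Mar  5 10:02:30 db01 sshd[4180]: Failed password for ops from 198.51.100.9 port 52044 ssh2",
    "Mar  5 10:02:33 db01 sshd[4180]: Accepted password for ops from 198.51.100.9 port 52044 ssh2",
    '2026-03-05 10:02:40 UTC [5230] 198.51.100.9 LOG:  connection authorized: user=app database=app',
]


def count_failures(lines):
    """Return {source_ip: {service: failure_count}} over the supplied log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for service, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                counts[match.group("ip")][service] += 1
                break
    return {ip: dict(per_service) for ip, per_service in counts.items()}


def brute_force_sources(lines, threshold=5):
    """Sources with at least `threshold` failures in total, as (ip, total) sorted by total desc."""
    totals = [(ip, sum(svc.values())) for ip, svc in count_failures(lines).items()]
    return sorted((ip, n) for ip, n in totals if n >= threshold)


def multi_service_sources(lines):
    """Sources that failed against two or more distinct services (scanner-like behaviour)."""
    return sorted(ip for ip, svc in count_failures(lines).items() if len(svc) >= 2)


if __name__ == "__main__":
    print("failures:", count_failures(SAMPLE_LOG))
    print("over threshold:", brute_force_sources(SAMPLE_LOG))
    print("multi-service:", multi_service_sources(SAMPLE_LOG))
```

The multi-service view is the more useful of the two for this campaign: a volume threshold is easy to stay under by spreading attempts across many ORBs, whereas an address that probes SSH, Postgres and the Tomcat manager in the same minute has little legitimate explanation.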
[Figure omitted. Source: Cisco Talos]
Cisco Talos has published a detailed technical report outlining the capabilities of these three malware families, their deployment methods, and persistence mechanisms. The researchers have also released indicators of compromise (IoCs) to aid defenders in detecting and blocking this activity. The full report provides a comprehensive analysis of UAT-9244’s operations.
The targeting of critical telecommunications infrastructure highlights the growing sophistication and strategic focus of China-linked threat actors. As UAT-9244 continues to refine its techniques and expand its reach, organizations in South America and beyond must prioritize robust cybersecurity measures and proactive threat intelligence to mitigate the risk of compromise. The evolving threat landscape demands continuous vigilance and adaptation to effectively defend against these advanced attacks.
What remains to be seen is whether UAT-9244 will expand its targeting beyond South America, and how quickly security vendors can develop effective defenses against these newly identified malware families.