Cisco Talos has uncovered a sustained espionage campaign attributed with high confidence to a China-nexus APT designated UAT-9244 that has targeted telecommunications infrastructure across South America since at least 2024. The group uses a trio of implants—TernDoor, PeerTime, and BruteEntry—employing DLL side-loading, BitTorrent-based C2, and edge-device brute-forcing to maintain persistent access and move laterally. #UAT9244 #FamousSparrow #TernDoor #PeerTime #BruteEntry #CiscoTalos #SouthAmerica
Key points
- Cisco Talos attributes the campaign to a China-linked APT known as UAT-9244 with ties to Famous Sparrow.
- The operation has targeted telecommunications providers across South America since at least 2024.
- TernDoor is a Windows backdoor deployed via DLL side-loading and in-memory payload decryption.
- PeerTime is an ELF backdoor that uses the BitTorrent protocol to hide command-and-control traffic.
- BruteEntry turns compromised edge devices into proxy nodes that brute-force SSH, Postgres, and Tomcat logins; the credentials it harvests are reused for lateral movement.
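The BruteEntry behaviour described above (one source spraying several services from a proxy node) is easiest to spot by correlating failed logins across the affected services rather than per service. The following is an added example of that correlation, written for this summary; it is not Talos code and contains no indicators from the report. It assumes default OpenSSH auth.log lines, PostgreSQL logging with a `log_line_prefix` of `'%m [%p] %r %u@%d '`, and a Tomcat access log in the common format, all in UTC; every log line in `SAMPLE_LOGS` is constructed sample input.

```python
"""Flag sources that fail authentication against two or more services
(SSH, Postgres, Tomcat manager) inside a short window.

Added example, not part of the Talos report. Assumed log formats:
OpenSSH auth.log, PostgreSQL with log_line_prefix '%m [%p] %r %u@%d ',
Tomcat common access-log format. All timestamps are assumed to be UTC.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+)")
PG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\S* \S+ \[\d+\] (?P<ip>[\d.]+)\(\d+\) "
    r"\S+ FATAL:\s+password authentication failed")
# Only 401s against the Tomcat manager app count as a login failure here (assumption).
TOMCAT_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ /manager/\S* HTTP/[\d.]+" 401 ')


def parse_failed_auth(line, year=2024):
    """Return (service, source_ip, timestamp) for a failed-login line, else None.
    Syslog lines carry no year, so one is supplied by the caller."""
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return "ssh", m["ip"], ts
    m = PG_RE.match(line)
    if m:
        return "postgres", m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    m = TOMCAT_RE.match(line)
    if m:
        # Drop the "+0000" offset so every timestamp is a naive UTC datetime.
        ts = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        return "tomcat", m["ip"], ts
    return None


def find_multi_service_bruteforce(lines, window=timedelta(minutes=10),
                                  min_failures=5, min_services=2, year=2024):
    """Sliding-window correlation per source IP. A source is reported when any
    window holds >= min_failures failures spanning >= min_services services."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_failed_auth(line, year)
        if parsed:
            service, ip, ts = parsed
            events[ip].append((ts, service))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            services = {s for _, s in in_window}
            if len(in_window) >= min_failures and len(services) >= min_services:
                best = hits.get(ip)
                if best is None or len(in_window) > best["failures"]:
                    hits[ip] = {"failures": len(in_window),
                                "services": sorted(services),
                                "first_seen": start}
    return hits


# Constructed sample input (not captured traffic). 203.0.113.7 sprays three
# services in four minutes; 198.51.100.4 is an admin typo; 192.0.2.9 is a
# single-service SSH brute force that this rule deliberately does not flag.
SAMPLE_LOGS = [
    "May 12 10:00:01 edge01 sshd[2211]: Failed password for root from 203.0.113.7 port 40110 ssh2",
    "May 12 10:00:03 edge01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2",
    "May 12 10:00:06 edge01 sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 40114 ssh2",
    '2024-05-12 10:01:05.123 UTC [4321] 203.0.113.7(51022) postgres@postgres FATAL:  password authentication failed for user "postgres"',
    '2024-05-12 10:01:09.448 UTC [4322] 203.0.113.7(51024) admin@postgres FATAL:  password authentication failed for user "admin"',
    '203.0.113.7 - - [12/May/2024:10:03:10 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - - [12/May/2024:10:03:12 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    "May 12 10:05:40 edge01 sshd[2301]: Failed password for ops from 198.51.100.4 port 50022 ssh2",
    "May 12 10:05:47 edge01 sshd[2301]: Accepted password for ops from 198.51.100.4 port 50022 ssh2",
    *[f"May 12 10:10:{10 + i:02d} edge01 sshd[24{i}0]: Failed password for root "
      f"from 192.0.2.9 port 4{i}000 ssh2" for i in range(6)],
]

if __name__ == "__main__":
    for ip, info in find_multi_service_bruteforce(SAMPLE_LOGS).items():
        print(ip, info["failures"], "failures across", ",".join(info["services"]),
              "from", info["first_seen"])
```

The rule keys on service diversity rather than raw failure count, so ordinary single-service brute forcing (already covered by fail2ban-style tooling) is left alone while a proxy node walking SSH, Postgres and Tomcat on the same host stands out even at low per-service rates. In production the three parsers would be replaced by your SIEM's normalised auth-failure events; the window logic is unchanged.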