UAT-9244, a China-linked APT, has been targeting telecommunication service providers in South America since 2024, compromising Windows, Linux, and network-edge devices. Cisco Talos links the campaign to three new malware families (TernDoor, PeerTime, and BruteEntry) and has published technical details and IoCs to help defenders. #UAT-9244 #TernDoor #PeerTime #BruteEntry
Key points
- UAT-9244 has targeted South American telecom providers since 2024, compromising diverse platforms and network devices.
- Cisco Talos associates the activity with FamousSparrow and Tropic Trooper tooling and TTPs but tracks it as a distinct cluster.
- TernDoor is a Windows backdoor deployed via DLL side-loading (wsprint.exe/BugSplatRc64.dll) with a signed driver (WSPrint.sys) and persistence through scheduled tasks and registry edits.
- PeerTime is a multi-architecture ELF peer-to-peer backdoor that uses the BitTorrent protocol for C2; it exists in C/C++ and Rust variants and contains debug strings in Simplified Chinese.
- BruteEntry turns compromised hosts into scanning operational relay boxes (ORBs) that brute-force SSH, Postgres, and Tomcat and report results back to C2; Cisco Talos published IoCs for detection.
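One way a defender could hunt for the TernDoor side-loading pattern described above, as an added example that is not Cisco Talos's code: it checks image-load telemetry for the wsprint.exe / BugSplatRc64.dll pair and the WSPrint.sys driver named in the report. The Sysmon-style event shape, the list of user-writable directories, and the sample records are assumptions constructed for this example.

```python
"""Added example (not Cisco Talos code): hunt image-load telemetry for the
TernDoor pair wsprint.exe / BugSplatRc64.dll and the WSPrint.sys driver. Event
shape mirrors Sysmon IDs 7 (image loaded) and 6 (driver loaded); constructed."""
from dataclasses import dataclass
import ntpath

SIDELOAD_HOST = "wsprint.exe"        # legitimate signed host binary (from report)
SIDELOAD_DLL = "bugsplatrc64.dll"    # DLL it side-loads (from report)
SUSPECT_DRIVER = "wsprint.sys"       # signed driver dropped alongside (from report)
# Assumption: locations where a legitimate print utility should never live.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

@dataclass
class ImageLoad:
    event_id: int   # 7 = image loaded into a process, 6 = driver loaded
    image: str      # loading process path (event 7); empty for event 6
    loaded: str     # full path of the DLL or driver that was loaded
    signed: bool    # signature status as reported by the sensor

def assess(ev: ImageLoad):
    """Return (severity, message) for a suspicious load, or None."""
    proc = ntpath.basename(ev.image).lower()
    mod = ntpath.basename(ev.loaded).lower()
    in_writable = ntpath.dirname(ev.loaded).lower().startswith(USER_WRITABLE)
    if ev.event_id == 7 and proc == SIDELOAD_HOST and mod == SIDELOAD_DLL:
        # The pair itself is the report's indicator; a copy running out of a
        # user-writable directory is the strongest form of it.
        sev = "high" if in_writable else "review"
        return sev, f"{ev.image} loaded {ev.loaded} (signed={ev.signed})"
    if ev.event_id == 6 and mod == SUSPECT_DRIVER:
        # A valid signature does not clear it: the report says the driver is signed.
        return "high", f"driver {ev.loaded} loaded (signed={ev.signed})"
    return None

def hunt(events):
    """Run assess() over a batch and keep only the findings."""
    return [f for f in map(assess, events) if f is not None]

# Constructed sample telemetry: one planted pair, one benign load, one driver
# load, one copy of the pair in a vendor directory that still merits review.
SAMPLE_EVENTS = [
    ImageLoad(7, r"C:\Users\Public\wsprint.exe", r"C:\Users\Public\BugSplatRc64.dll", False),
    ImageLoad(7, r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(6, "", r"C:\Users\Public\WSPrint.sys", True),
    ImageLoad(7, r"C:\Program Files\Vendor\wsprint.exe", r"C:\Program Files\Vendor\BugSplatRc64.dll", True),
]
if __name__ == "__main__":
    for sev, msg in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

Feed real Sysmon 6/7 events through the same `ImageLoad` shape; the "review" tier is meant for triage, not automatic blocking.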