China-Nexus UAT-9244 Targets South American Telecoms with TernDoor, PeerTime, and BruteEntry
Cisco Talos reported that UAT-9244, assessed with high confidence as a China-nexus APT closely associated with FamousSparrow, has targeted critical telecommunications providers in South America since 2024. The activity spans Windows and Linux endpoints as well as network edge devices, and introduces three previously undocumented implants: TernDoor (Windows), PeerTime (Linux/ELF), and BruteEntry (edge-device brute-force/scanning tooling). Public reporting noted tactical overlap between FamousSparrow and Salt Typhoon-linked telecom targeting, but stated there is no conclusive evidence directly tying UAT-9244 to Salt Typhoon.
Talos detailed that TernDoor is a variant of CrowDoor (itself related to SparrowDoor) and is deployed via DLL side-loading using the legitimate wsprint.exe to load a malicious loader DLL BugSplatRc64.dll, which reads WSPrint.dll, decrypts it, and executes the final payload in memory. PeerTime is an ELF backdoor that leverages the BitTorrent protocol for malicious operations on infected Linux systems. BruteEntry is typically installed on edge devices to convert them into Operational Relay Boxes (ORBs) used for mass scanning and brute forcing services including SSH, Postgres, and Tomcat; additional reporting also noted prior UAT-9244 targeting of outdated Windows Server and Microsoft Exchange to deploy web shells as a foothold for follow-on activity.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Cisco Talos publicly discloses UAT-9244 campaign and malware details
Cisco Talos published research detailing UAT-9244's activity, assessing with high confidence that the cluster is closely associated with FamousSparrow and overlaps with Tropic Trooper, while not confirming a direct link to Salt Typhoon. The report also shared infrastructure findings, including shared SSL certificate-linked C2s, along with indicators of compromise and ClamAV and Snort detections.
UAT-9244 deploys TernDoor, PeerTime, and BruteEntry in telecom intrusions
During the campaign, UAT-9244 used three previously undocumented implants: TernDoor on Windows, PeerTime on Linux and embedded systems, and BruteEntry on edge devices. The tooling enabled in-memory backdoor access, BitTorrent-based peer-to-peer command delivery, and brute-force scanning to expand access via operational relay boxes.
UAT-9244 begins targeting South American telecom providers
A China-linked espionage cluster tracked as UAT-9244 began targeting critical telecommunications providers in South America in 2024. The campaign sought persistent access across telecom infrastructure spanning Windows, Linux, and network edge devices.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Chinese APT taps novel malware in telco attacks | brief | SC Media
scworld.com
Open sourceChina-Nexus Hackers Attacking Telecommunication Providers With New Malware
cybersecuritynews.com
Open sourceChina-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks
thehackernews.com
Open sourceChina-Linked Hackers Use Malware Trio for Telecom Espionage
govinfosecurity.com
Open sourceChina-Linked Hackers Use Malware Trio for Telecom Espionage
bankinfosecurity.com
Open sourceUAT-9244 targets South American telecommunication providers with three new malware implants
blog.talosintelligence.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
China-Linked UAT-7290 Breaches Telecom Networks Using Linux Malware and ORB Nodes
Cisco Talos disclosed that **UAT-7290**, a threat actor active since at least 2022 and assessed with high confidence as part of the **China-nexus APT ecosystem**, has conducted sustained intrusions against high-value **telecommunications and critical infrastructure** organizations in **South Asia**, with more recent activity extending into **Southeastern Europe**. The group reportedly performs extensive pre-attack reconnaissance, then compromises public-facing edge devices through **one-day exploits**, proof-of-concept exploit adaptation, and **target-specific SSH brute force**, seeking deep and persistent access inside strategically important telecom environments. Researchers said the actor relies heavily on a **Linux-focused malware** toolkit that includes **RushDrop**, **DriveSwitch**, **SilentRaid**, and **Bulbature**, alongside overlaps with **RedLeaves** and **ShadowPad** and activity previously associated with **Red Foxtrot/APT10**. Talos assessed that UAT-7290 appears to serve a dual role: carrying out espionage while also acting as an **initial access provider** that converts compromised devices into **Operational Relay Box (ORB)** nodes for possible use by other China-linked operators. SilentRaid supports modular capabilities such as remote shell access, file management, and port forwarding, while Bulbature was tied to ORB infrastructure through a self-signed certificate observed on at least **141 hosts** in **China or Hong Kong**, reinforcing the attribution assessment.
Mar 26, 2026
Cisco Talos Reports China-Nexus UAT-8837 Breaching North American Critical Infrastructure
Cisco Talos reported multiple intrusions against **high-value North American critical infrastructure** organizations attributed to **UAT-8837**, assessed with *medium confidence* as a **China-nexus APT** focused on obtaining initial access. Talos said the actor gained entry via **compromised credentials** and **exploitation of vulnerable servers**, then conducted hands-on-keyboard activity to harvest credentials and environment data (including **security configurations** and **Active Directory** information) to establish redundant access paths. Observed post-compromise tooling included **Earthworm** (used to create reverse tunnels and expose internal endpoints), **SharpHound**, **DWAgent**, and **Certipy**, alongside common discovery commands (e.g., `tasklist /svc`, `netstat -aon -p TCP`, `whoami`). Talos linked UAT-8837 activity to exploitation of **CVE-2025-53690**, described as a **ViewState deserialization zero-day** affecting **Sitecore** products, noting that the overlap in tooling/infrastructure with other observed exploitation suggests the actor **may have access to zero-day exploits**. Reporting also highlighted that the vulnerability had previously been emphasized by U.S. federal cybersecurity authorities with a mandated patch timeline for federal civilian agencies, and that prior third-party analysis of incidents involving the same bug described similar post-exploitation tooling—reinforcing the assessment that this vulnerability has been operationalized in real intrusions against critical infrastructure targets.
Mar 21, 2026
Chinese-Speaking CL-STA-1062 Used TinyRCT to Breach Southeast Asian Governments
Palo Alto Networks Unit 42 reported that the Chinese-speaking intrusion cluster **CL-STA-1062**, assessed with high confidence to overlap with Cisco Talos' **UAT-7237**, conducted sustained operations across East and Southeast Asia from at least 2022 through 2025. In 2025, the group targeted Southeast Asian government entities and state-owned critical energy infrastructure, using web application exploitation, **ASPX web shells**, reconnaissance, lateral movement, and data exfiltration to maintain access and steal information. Investigators said the actors combined open-source tooling including **SoftEther VPN**, **VNT**, **yuze**, **Mimikatz**, and **JuicyPotato** with a newly documented custom .NET backdoor, **TinyRCT**. The malware supports command execution, file listing and exfiltration, screenshot capture, encrypted HTTP-based command-and-control, and a self-destruct feature intended to erase forensic evidence. Unit 42 also reconstructed an infection chain in which a malicious `chrome_setup.zip` archive used **AppDomainManager Injection** to load a malicious DLL, download `PerfWatson2.exe` from attacker infrastructure, and establish persistence through a scheduled task.
Jun 27, 2026