Mallory

China-Nexus UAT-9244 Targets South American Telecoms with TernDoor, PeerTime, and BruteEntry

Tags: cisco talos, backdoor, edge devices, web shells, telecommunications, apt, operational relay boxes, brute force, windows server, ssh, dll sideloading, tomcat, windows, mass scanning, linux
Updated March 7, 2026 at 01:00 AM (6 sources)


Cisco Talos reported that UAT-9244, assessed with high confidence as a China-nexus APT closely associated with FamousSparrow, has targeted critical telecommunications providers in South America since 2024. The activity spans Windows and Linux endpoints as well as network edge devices, and introduces three previously undocumented implants: TernDoor (Windows), PeerTime (Linux/ELF), and BruteEntry (edge-device brute-force/scanning tooling). Public reporting noted tactical overlap between FamousSparrow and Salt Typhoon-linked telecom targeting, but stated there is no conclusive evidence directly tying UAT-9244 to Salt Typhoon.

Talos detailed that TernDoor is a variant of CrowDoor (itself related to SparrowDoor) and is deployed via DLL side-loading using the legitimate wsprint.exe to load a malicious loader DLL BugSplatRc64.dll, which reads WSPrint.dll, decrypts it, and executes the final payload in memory. PeerTime is an ELF backdoor that leverages the BitTorrent protocol for malicious operations on infected Linux systems. BruteEntry is typically installed on edge devices to convert them into Operational Relay Boxes (ORBs) used for mass scanning and brute forcing services including SSH, Postgres, and Tomcat; additional reporting also noted prior UAT-9244 targeting of outdated Windows Server and Microsoft Exchange to deploy web shells as a foothold for follow-on activity.
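The side-loading chain above (legitimate wsprint.exe loading a malicious BugSplatRc64.dll that in turn reads and decrypts WSPrint.dll) is the kind of thing image-load telemetry catches cleanly. The following is an added detection example, not code from Talos or from the Mallory page: it takes Sysmon-style image-load records (the `Image` / `ImageLoaded` field names are Sysmon Event ID 7 conventions; the events themselves are constructed) and flags both the exact pairing named in the report and the generic layout behind it, a watched Windows binary running from a non-system directory and loading a DLL from that same directory. The `SYSTEM_DIRS` list and the idea that the legitimate host normally lives under the Windows directory are assumptions to tune per environment.

```python
"""Flag DLL side-loading from image-load telemetry (added example, constructed data)."""
from __future__ import annotations
from pathlib import PureWindowsPath

# Host executable -> DLL names tied to it in the reporting above.
KNOWN_SIDELOAD_PAIRS: dict[str, set[str]] = {
    "wsprint.exe": {"bugsplatrc64.dll", "wsprint.dll"},
}
# Hosts worth a generic "loads from its own non-system directory" check.
# Seeded from the pairs above; extend with other abused Windows binaries as needed.
WATCHED_HOSTS = set(KNOWN_SIDELOAD_PAIRS)
# Where Windows-shipped binaries are expected to run from (assumption, tune per estate).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dirname(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def classify_image_load(event: dict) -> list[str]:
    """Return the reasons an image-load event looks like side-loading; empty means benign."""
    host, dll = event["Image"], event["ImageLoaded"]
    host_name, dll_name = _basename(host), _basename(dll)
    reasons: list[str] = []

    # Rule 1: the exact host/DLL pairing described in the reporting.
    if dll_name in KNOWN_SIDELOAD_PAIRS.get(host_name, set()):
        reasons.append(f"known side-load pair {host_name} -> {dll_name}")

    # Rule 2: generic layout. A watched Windows binary copied out of the system
    # directories and loading a DLL from its own folder is the classic staging shape.
    host_dir = _dirname(host)
    if (host_name in WATCHED_HOSTS
            and not host_dir.startswith(SYSTEM_DIRS)
            and _dirname(dll) == host_dir):
        reasons.append(f"{host_name} loading {dll_name} from its own non-system directory {host_dir}")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run the classifier over a batch; return (index, reasons) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify_image_load(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (Sysmon Event ID 7 field names; paths are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wsprint.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},            # benign
    {"Image": r"C:\ProgramData\Update\wsprint.exe",
     "ImageLoaded": r"C:\ProgramData\Update\BugSplatRc64.dll"},      # named pair + layout
    {"Image": r"C:\ProgramData\Update\wsprint.exe",
     "ImageLoaded": r"C:\ProgramData\Update\version.dll"},           # layout only
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},               # benign
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], "->", "; ".join(why))
```

Rule 1 is brittle on purpose: it fires on the names the report gives and nothing else. Rule 2 is what survives a rename, at the cost of needing a maintained host list and a correct notion of where those hosts legitimately run from.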

Sources

March 6, 2026 at 12:00 AM

1 more from sources like talos intelligence blog

Related Stories

UAT-7290 Espionage Campaigns Targeting Telecommunications and Critical Infrastructure

A sophisticated China-linked threat actor, UAT-7290, has been conducting targeted cyber-espionage campaigns against telecommunications companies and critical infrastructure entities in South Asia since at least 2022. The group employs a calculated approach, beginning with extensive technical reconnaissance of their targets, and leverages a diverse toolkit that includes custom Linux malware such as RushDrop, DriveSwitch, and SilentRaid. UAT-7290 exploits known vulnerabilities and uses brute force attacks to compromise edge networking devices, establishing deep and persistent access within victim networks. Their operations have recently expanded into Southeastern Europe, indicating a growing geographic reach and ambition. UAT-7290 is notable for its dual role as both an espionage-focused actor and an initial access provider, setting up Operational Relay Box (ORB) nodes that can be leveraged by other China-nexus threat groups. The group’s malware arsenal also includes Windows-based implants like RedLeaves and ShadowPad, further demonstrating technical sophistication. Cisco Talos researchers have highlighted the group’s ability to evade detection, such as RushDrop’s anti-VM checks, and their use of both open-source and custom-developed tools to maintain operational flexibility. The ongoing campaigns pose a significant threat to vital communication networks and critical infrastructure across multiple regions.
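Both UAT-7290 here and UAT-9244 in the main story lean on brute forcing exposed services (SSH, Postgres, Tomcat) from relay boxes. The following is an added example, not code from Talos or Mallory: it parses constructed sshd and PostgreSQL authentication-failure lines, aggregates failures per source address, and flags sources that either rack up too many failures or probe more than one service, which is the fingerprint of a scanning node rather than a user mistyping a password. It assumes the standard OpenSSH "Failed password" wording and a PostgreSQL `log_line_prefix` that includes the client host (`%h`); the thresholds and the TEST-NET source addresses are made up.

```python
"""Flag brute-force and multi-service probing from auth logs (added example, constructed data)."""
from __future__ import annotations
import re
from collections import defaultdict

# OpenSSH failure line; user may be prefixed with "invalid user".
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
# PostgreSQL failure line; assumes log_line_prefix carries the client host before the PID.
PG_FAIL = re.compile(
    r'(\d+\.\d+\.\d+\.\d+) \[\d+\] FATAL:\s+password authentication failed for user "([^"]+)"')


def parse_failure(line: str):
    """Return (service, source_ip, username) for an auth-failure line, else None."""
    m = SSH_FAIL.search(line)
    if m:
        return ("ssh", m.group(2), m.group(1))
    m = PG_FAIL.search(line)
    if m:
        return ("postgres", m.group(1), m.group(2))
    return None


def summarize(lines):
    """Aggregate failures per source: attempt count, services touched, usernames tried."""
    per_src = defaultdict(lambda: {"attempts": 0, "services": set(), "users": set()})
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successes and unrelated lines are ignored
        service, src, user = parsed
        stats = per_src[src]
        stats["attempts"] += 1
        stats["services"].add(service)
        stats["users"].add(user)
    return dict(per_src)


def flag_sources(lines, min_attempts: int = 5, min_services: int = 2) -> list[dict]:
    """Return sources exceeding the failure threshold or probing several services."""
    flagged = []
    for src, stats in sorted(summarize(lines).items()):
        reasons = []
        if stats["attempts"] >= min_attempts:
            reasons.append(f"{stats['attempts']} auth failures across {len(stats['users'])} usernames")
        if len(stats["services"]) >= min_services:
            reasons.append("probing multiple services: " + ", ".join(sorted(stats["services"])))
        if reasons:
            flagged.append({"src": src, **stats, "reasons": reasons})
    return flagged


# Constructed log lines: one scanning source, one ordinary user who fumbled a password once.
SAMPLE_LOG = [
    "Jan 10 12:00:01 gw1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51222 ssh2",
    "Jan 10 12:00:03 gw1 sshd[2203]: Failed password for root from 203.0.113.7 port 51230 ssh2",
    "Jan 10 12:00:04 gw1 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51241 ssh2",
    "Jan 10 12:00:06 gw1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2",
    "Jan 10 12:00:07 gw1 sshd[2209]: Failed password for invalid user ubuntu from 203.0.113.7 port 51262 ssh2",
    "Jan 10 12:00:09 gw1 sshd[2211]: Failed password for invalid user pi from 203.0.113.7 port 51270 ssh2",
    '2026-01-10 12:00:11 UTC 203.0.113.7 [3344] FATAL:  password authentication failed for user "postgres"',
    '2026-01-10 12:00:12 UTC 203.0.113.7 [3345] FATAL:  password authentication failed for user "admin"',
    "Jan 10 12:01:00 gw1 sshd[2220]: Failed password for alice from 198.51.100.4 port 40022 ssh2",
    "Jan 10 12:01:05 gw1 sshd[2222]: Accepted publickey for alice from 198.51.100.4 port 40023 ssh2",
]

if __name__ == "__main__":
    for hit in flag_sources(SAMPLE_LOG):
        print(hit["src"], "|", "; ".join(hit["reasons"]))
```

In production the count would be bounded by a time window and the same aggregation would be keyed on the relay's address rather than per host, since an ORB spreads a low rate of attempts across many targets; Tomcat manager failures can be folded in with an extra parser once the access-log format is known.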

2 months ago
Cisco Talos Reports China-Nexus UAT-8837 Breaching North American Critical Infrastructure

Cisco Talos reported multiple intrusions against **high-value North American critical infrastructure** organizations attributed to **UAT-8837**, assessed with *medium confidence* as a **China-nexus APT** focused on obtaining initial access. Talos said the actor gained entry via **compromised credentials** and **exploitation of vulnerable servers**, then conducted hands-on-keyboard activity to harvest credentials and environment data (including **security configurations** and **Active Directory** information) to establish redundant access paths. Observed post-compromise tooling included **Earthworm** (used to create reverse tunnels and expose internal endpoints), **SharpHound**, **DWAgent**, and **Certipy**, alongside common discovery commands (e.g., `tasklist /svc`, `netstat -aon -p TCP`, `whoami`). Talos linked UAT-8837 activity to exploitation of **CVE-2025-53690**, described as a **ViewState deserialization zero-day** affecting **Sitecore** products, noting that the overlap in tooling/infrastructure with other observed exploitation suggests the actor **may have access to zero-day exploits**. Reporting also highlighted that the vulnerability had previously been emphasized by U.S. federal cybersecurity authorities with a mandated patch timeline for federal civilian agencies, and that prior third-party analysis of incidents involving the same bug described similar post-exploitation tooling—reinforcing the assessment that this vulnerability has been operationalized in real intrusions against critical infrastructure targets.

2 months ago
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries

Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. 
**Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)

1 week ago