China-linked hackers are actively targeting telecommunication providers across South America with sophisticated new malware, according to a recent report. The advanced persistent threat actor, identified as UAT-9244, has been deploying a custom toolkit since early 2024 to establish deep access into critical network infrastructure, impacting both Windows and Linux systems, as well as essential network edge devices that manage communication flow.
This persistent campaign is notable for its methodical approach to compromising, maintaining presence, and expanding its reach within targeted telecommunication networks. The group’s arsenal includes three distinct malware implants, each designed for specific functions within the attack chain. The discovery highlights the growing threat posed by nation-state actors to vital communication infrastructure in the region.
China Nexus Hackers Target Telecom Providers with New Malware
The UAT-9244 group’s toolkit consists of three purpose-built malware tools. TernDoor functions as a Windows backdoor, representing a new iteration of previously documented CrowDoor malware. PeerTime is a Linux-based backdoor that utilizes the BitTorrent protocol for communication and task execution, allowing malicious traffic to blend seamlessly with legitimate peer-to-peer activity. The third tool, BruteEntry, transforms compromised network edge devices into Operational Relay Boxes (ORBs), which are then used to brute-force vulnerable SSH, PostgreSQL, and Apache Tomcat servers, thereby expanding the attackers’ foothold.
Security researchers at Cisco Talos have identified UAT-9244 and assess with high confidence that this group exhibits significant overlap with FamousSparrow and Tropic Trooper, two other known China-nexus APT actors. This assessment is based on the sharing of specific tooling, similar tactics, techniques, and procedures (TTPs), and a consistent pattern of targeting that aligns across all three entities. For instance, TernDoor’s lineage can be traced through CrowDoor back to SparrowDoor, a backdoor long attributed to FamousSparrow. Furthermore, debug strings within the PeerTime instrumentor binary are written in Simplified Chinese, a strong linguistic indicator directly linking the campaign to Chinese-speaking threat operators.
The scale of this operation is significant for the telecommunications sector. Talos researchers uncovered a shared SSL certificate linked to 18 IP addresses that are believed to be part of UAT-9244’s command-and-control (C2) infrastructure, suggesting a broad and well-resourced operation. While both UAT-9244 and a separately tracked group, Salt Typhoon, are observed targeting telecom providers, Talos has not yet confirmed a direct connection between these two specific groups. Nevertheless, the pattern of multiple China-aligned actors showing a focused interest in telecommunication infrastructure underscores the perceived value of these networks for state-sponsored intelligence gathering.
TernDoor’s Infection Chain and Persistence Tactics
The deployment of TernDoor commences with a DLL side-loading technique. A legitimate Windows executable, named wsprint.exe, is leveraged to load a malicious file identified as BugSplatRc64.dll. This loader then reads an encoded file from the disk, decrypts it using the hardcoded key qwiozpVngruhg123, and subsequently executes the resulting shellcode entirely within memory. This in-memory execution bypasses file-based detection methods that security tools commonly rely upon.
Once activated, the shellcode decompresses and launches TernDoor, which is injected into the legitimate Windows process msiexec.exe. This deliberate choice aims to conceal the malware’s presence by mimicking routine system behavior. The implant then decodes its internal configuration, which contains essential details such as the C2 IP address, retry count, port number, and a custom User-Agent string for outbound communications. From this point, TernDoor is capable of executing remote commands, performing file read and write operations, gathering system details, and communicating back to its operator.
To ensure persistence across system reboots, TernDoor establishes a scheduled task named “WSPrint.” It then modifies registry keys associated with this task to obscure it from standard system views. Additionally, it places a Registry Run key that ensures the malware restarts with every user login, creating two parallel persistence mechanisms. TernDoor also drops a Windows driver named WSPrint.sys and activates it as a system service. This driver establishes a virtual device that TernDoor utilizes to suspend, resume, or terminate processes, providing a direct method for disabling any active security tools present on the compromised machine.
Security teams are advised to audit scheduled tasks and Registry Run keys for any unauthorized entries. Monitoring for DLL side-loading events in application directories and restricting the execution of unsigned kernel drivers are also crucial steps. Implementing measures to block known UAT-9244 C2 IP ranges and deploying ClamAV signatures, including Win.Malware.TernDoor, Unix.Malware.BruteEntry, and Unix.Malware.PeerTime, alongside SNORT rule SID 65551, is strongly recommended to fortify telecommunications infrastructure against this evolving threat.
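The audit steps above, as an added PowerShell hunt script that is not part of the Talos report or the original article; the indicator names it checks (the WSPrint scheduled task, the WSPrint.sys driver, the wsprint.exe / BugSplatRc64.dll side-loading pair) are taken from the text, and because the report says the task's registry entries are modified to hide it, the script checks the TaskCache tree and the on-disk task XML as well as the scheduler API.

```powershell
# Added hunt script (not from the Talos report). Indicator names come from the article.
# Run elevated. Any hit is a triage lead, not proof of compromise.
$findings = @()

# 1. Scheduled task "WSPrint": the task's registry keys are reportedly altered to hide it,
#    so compare the scheduler API against the TaskCache tree and the task XML on disk.
$apiTask = Get-ScheduledTask -TaskName 'WSPrint' -ErrorAction SilentlyContinue
$treeKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$treeHit = Get-ChildItem $treeKey -Recurse -ErrorAction SilentlyContinue |
           Where-Object { $_.PSChildName -ieq 'WSPrint' }
$xmlHit  = Get-ChildItem "$env:SystemRoot\System32\Tasks" -Recurse -File -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -ieq 'WSPrint' }
if ($apiTask -or $treeHit -or $xmlHit) {
    $findings += "Scheduled task 'WSPrint' present (API: $([bool]$apiTask), TaskCache: $([bool]$treeHit), XML: $([bool]$xmlHit))"
}

# 2. Registry Run keys (machine hives plus every loaded user hive): flag values that
#    reference the side-loaded binaries named in the report.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') +
           (Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" })
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ($p.Value -match '(?i)wsprint\.exe|BugSplatRc64\.dll') {
            $findings += "Run key $k\$($p.Name) -> $($p.Value)"
        }
    }
}

# 3. Kernel driver service: any loaded/registered driver whose image is WSPrint.sys,
#    reported together with its Authenticode signature state.
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match '(?i)WSPrint\.sys' } | ForEach-Object {
    $path = $_.PathName -replace '^\\\?\?\\', ''          # strip the \??\ NT path prefix if present
    $sig  = (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
    $findings += "Driver service $($_.Name) -> $path (state: $($_.State), signature: $sig)"
}

# 4. Side-loading pair: wsprint.exe sitting next to BugSplatRc64.dll outside the Windows directory.
Get-ChildItem -Path 'C:\' -Recurse -Filter 'wsprint.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -notlike "$env:SystemRoot*" -and (Test-Path (Join-Path $_.DirectoryName 'BugSplatRc64.dll')) } |
    ForEach-Object { $findings += "Side-load pair in $($_.DirectoryName)" }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No TernDoor persistence indicators found.' }
```

A task that shows up in the TaskCache tree or the Tasks folder but not in the scheduler API output is the hiding behaviour the report describes and deserves immediate attention.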