Critical telecommunications infrastructure in multiple South American countries has been under sustained attack since 2024 by an advanced threat group tracked as UAT-9244, according to new research from Cisco Talos. The China-linked APT is deploying three previously undocumented implants to compromise Windows, Linux and edge networking devices used by telecom operators.
UAT-9244: Chinese-linked cyber espionage cluster focused on telecom operators
Cisco Talos characterizes UAT-9244 as an activity cluster closely related to the group known as FamousSparrow, which itself overlaps in tools and tradecraft with Salt Typhoon, a China-nexus actor previously observed targeting telecoms. Researchers stress that, while there are strong methodological similarities and infrastructure overlaps, there are no definitive technical indicators yet proving these clusters are the same group.
The telecommunications sector remains a strategic target for state-aligned espionage campaigns. Operators hold large volumes of call and signalling metadata and subscriber location information, and a foothold in their networks can enable traffic interception. Prior industry reporting on groups such as LightBasin and APT10 has shown that compromising a single carrier often opens paths into roaming partners, enterprise customers and government networks, significantly amplifying the impact of a breach.
Initial access likely via unpatched Windows and Exchange infrastructure
The exact initial access vector used by UAT-9244 in the current campaign has not been conclusively identified. However, earlier activity attributed to the same actor involved exploitation of vulnerable Windows Server and Microsoft Exchange systems, followed by deployment of web shells to maintain remote access. This mirrors a broader trend where APT groups systematically target legacy or forgotten services that fall outside normal patch management and asset inventories.
TernDoor: advanced Windows backdoor leveraging DLL side-loading and a kernel driver
Stealthy loading, persistence and control over security processes
On Windows platforms, UAT-9244 deploys a backdoor dubbed TernDoor, a variant of the previously documented CrowDoor and ultimately derived from SparrowDoor. Active since at least November 2024, TernDoor is delivered through DLL side-loading, a technique where attackers replace or plant a malicious library that a legitimate application unwittingly loads.
In this campaign, a legitimate binary wsprint.exe is abused to load a trojanized BugSplatRc64.dll. This DLL decrypts and executes the core payload entirely in memory, significantly reducing forensic artifacts and complicating detection by traditional antivirus tools. Persistence is achieved via scheduled tasks or Registry Run keys, ensuring the backdoor starts automatically with Windows.
A notable feature of TernDoor is an embedded Windows driver that can pause, resume and terminate processes. This gives operators fine-grained control over system and security tools, enabling them to evade endpoint protection and hide malicious components. A single command-line parameter, -u, triggers full uninstallation and artifact cleanup, supporting operational security when the campaign is burned or an asset is no longer needed.
After launch, TernDoor checks that it is injected into msiexec.exe, decodes its configuration to obtain command-and-control (C2) details and establishes an encrypted channel. Over this channel, operators can spawn processes, execute arbitrary commands, read and write files, collect system information and deploy the driver to deepen stealth and persistence.
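The two host-level artifacts the article describes, wsprint.exe loading BugSplatRc64.dll and the payload running inside msiexec.exe, translate directly into endpoint detection logic. The script below is an added example, not Cisco Talos code, that scans constructed Sysmon-style records (Event ID 7 image loads and Event ID 1 process creations) for that chain. The trusted directory prefixes, the list of parents from which msiexec.exe is normally launched and the command-line pattern for a real installer run are assumptions for the example and should be tuned to the environment.

```python
"""Heuristic detection of the TernDoor side-loading chain (added example, not Talos code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Host binary -> DLL names it is abused to side-load in this campaign (from the article).
SIDELOAD_PAIRS = {"wsprint.exe": {"bugsplatrc64.dll"}}
# Assumption: the legitimate wsprint.exe/BugSplat pair lives under a protected directory;
# a load from anywhere else (user profile, ProgramData, temp) is treated as suspicious.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Assumption: msiexec.exe is normally started by the Windows Installer service (/V) or by
# an interactive shell with a package to install; anything else without a package is odd.
EXPECTED_MSIEXEC_PARENTS = {"services.exe", "explorer.exe", "cmd.exe", "powershell.exe"}
PACKAGE_RE = re.compile(r"\.ms[ip]\b|(^|\s)/v(\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_image_load(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 7: flag a known side-load pair loaded from an untrusted path or unsigned."""
    host, dll = _base(ev["Image"]), _base(ev["ImageLoaded"])
    if dll not in SIDELOAD_PAIRS.get(host, set()):
        return None
    if not ev["ImageLoaded"].lower().startswith(TRUSTED_PREFIXES):
        return Finding("dll-sideload-path", f"{host} loaded {dll} from {ev['ImageLoaded']}")
    if ev.get("Signed", "false").lower() != "true":
        return Finding("dll-sideload-unsigned", f"{host} loaded unsigned {dll}")
    return None


def check_process_create(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 1: flag msiexec.exe with no package argument and an unexpected parent."""
    if _base(ev["Image"]) != "msiexec.exe":
        return None
    parent = _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if PACKAGE_RE.search(cmd) or parent in EXPECTED_MSIEXEC_PARENTS:
        return None
    return Finding("msiexec-no-package", f"msiexec.exe started by {parent or '?'} with '{cmd}'")


def scan(events) -> list:
    """Run the right check for each event and collect findings in input order."""
    findings = []
    for ev in events:
        f = None
        if ev["EventID"] == 7:
            f = check_image_load(ev)
        elif ev["EventID"] == 1:
            f = check_process_create(ev)
        if f:
            findings.append(f)
    return findings


# Constructed telemetry for the example; not real events from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\wsprint.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\BugSplatRc64.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\ProgramData\upd\wsprint.exe",
     "ImageLoaded": r"C:\ProgramData\upd\BugSplatRc64.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "msiexec.exe /V"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\ProgramData\upd\wsprint.exe", "CommandLine": "msiexec.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.detail}")
```

The first and third sample events are the benign baseline (signed DLL under Program Files; msiexec.exe started as a service) and produce nothing; the second and fourth reproduce the pattern the article describes and each raise one finding. In production the same two checks map onto a SIEM query over Sysmon or EDR image-load and process-creation telemetry.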
PeerTime: cross-platform Linux and embedded P2P backdoor using BitTorrent
Container-aware loader and Chinese-language development traces
Analysis of UAT-9244 infrastructure also uncovered a Linux backdoor called PeerTime. It is implemented as a peer-to-peer (P2P) implant and compiled for a wide range of architectures, including ARM, AArch64, PPC and MIPS. This design allows the group to compromise not only traditional Linux servers, but also embedded systems and telecom network equipment deployed at scale.
PeerTime is delivered via a shell script that downloads both an ELF-based instrumentation binary and the implant itself. According to Cisco Talos researchers Asheer Malhotra and Brandon White, the instrumentation component checks for Docker using commands such as docker and docker -q. When containers are present, it launches the PeerTime loader. The ELF file contains debug strings in Simplified Chinese, indicating development by Chinese-speaking operators or contractors.
The loader’s primary role is to decrypt and decompress the final PeerTime payload in memory, minimizing disk traces. Two major code branches exist: an earlier C/C++ implementation and a newer variant rewritten in Rust, reflecting ongoing investment in code quality and maintainability. Once running, PeerTime can masquerade as benign processes and uses the BitTorrent protocol to obtain C2 configuration, pull files from peers and execute new modules. This P2P architecture makes the infrastructure far more resilient to domain seizures and IP blocking compared to traditional single-server C2 models.
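Because PeerTime rides on the standard BitTorrent protocol, the traffic a defender can look for is the protocol's own framing rather than anything implant-specific: the peer-wire handshake on TCP (BEP 3) and bencoded DHT queries on UDP (BEP 5). The classifier below is an added example, not Cisco Talos code and not a PeerTime signature; it identifies those two message shapes in raw payloads so that a server or network appliance that should never speak BitTorrent can be flagged. The payloads it is run against are constructed for the example.

```python
"""Classify raw payloads as BitTorrent handshakes or DHT queries (added example, not Talos code)."""
from typing import Optional, Tuple

HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"      # 1-byte length + 19-byte protocol string (BEP 3)
DHT_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}  # KRPC query names (BEP 5)


def bdecode(data: bytes, pos: int = 0) -> Tuple[object, int]:
    """Minimal bencode decoder: returns (value, next_position); raises ValueError on bad input."""
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                   # dict: d<key><value>...e
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            val, pos = bdecode(data, pos)
            out[key] = val
        return out, pos + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated string")
        return data[start:start + length], start + length
    raise ValueError("not bencoded")


def classify(payload: bytes) -> Optional[dict]:
    """Return a description of the BitTorrent message in payload, or None if it is not one."""
    if payload.startswith(HANDSHAKE_PREFIX) and len(payload) >= 68:
        # prefix(20) + reserved(8) + info_hash(20) + peer_id(20) = 68 bytes
        return {"kind": "peer-wire-handshake",
                "info_hash": payload[28:48].hex(), "peer_id": payload[48:68]}
    try:
        msg, _ = bdecode(payload)
    except (ValueError, IndexError, RecursionError):
        return None
    if not isinstance(msg, dict):
        return None
    if msg.get(b"y") == b"q" and msg.get(b"q") in DHT_QUERIES:
        args = msg.get(b"a", {}) if isinstance(msg.get(b"a"), dict) else {}
        return {"kind": "dht-query", "query": msg[b"q"].decode(),
                "node_id": args.get(b"id", b"").hex()}
    if msg.get(b"y") == b"r":
        return {"kind": "dht-response"}
    return None


def summarize(payloads) -> dict:
    """Count message kinds seen in a batch of payloads (e.g. one host's flows in a window)."""
    counts = {}
    for p in payloads:
        hit = classify(p)
        if hit:
            counts[hit["kind"]] = counts.get(hit["kind"], 0) + 1
    return counts


# Constructed payloads for the example; not captures from the campaign.
_NODE = b"a" * 20
SAMPLE_PAYLOADS = {
    "handshake": HANDSHAKE_PREFIX + b"\x00" * 8 + bytes(range(20)) + b"-XX0001-" + b"x" * 12,
    "dht_ping": b"d1:ad2:id20:" + _NODE + b"e1:q4:ping1:t2:aa1:y1:qe",
    "dht_get_peers": b"d1:ad2:id20:" + _NODE + b"9:info_hash20:" + bytes(range(20))
                     + b"e1:q9:get_peers1:t2:ab1:y1:qe",
    "http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(name, "->", classify(payload))
    print(summarize(SAMPLE_PAYLOADS.values()))
```

The useful alert is not "BitTorrent seen" in isolation but BitTorrent framing from a host role that has no business using it: a telecom management server or edge device emitting DHT get_peers queries is exactly the anomalous P2P traffic the article recommends monitoring for. The decoder deliberately rejects anything that is not well-formed bencode, so ordinary HTTP or TLS payloads fall through to None.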
BruteEntry: turning edge devices into ORB nodes for credential attacks
Golang orchestration and structured reporting of brute-force results
On attacker-controlled servers, researchers also identified scripts and payloads related to a brute-force module dubbed BruteEntry, aimed specifically at edge devices. Once compromised, these devices are converted into scalable proxy nodes within an Operational Relay Box (ORB) architecture. From these relays, UAT-9244 launches credential-stuffing and password-guessing attacks against Postgres, SSH and Apache Tomcat services.
Deployment is handled by a shell script that installs two Golang components: an orchestrator and the BruteEntry scanner. The orchestrator retrieves the BruteEntry binary, which then connects back to C2, downloads a list of target IP addresses and begins systematic brute-force attempts. Each login attempt is logged and sent upstream.
Talos notes that results are returned using structured fields such as "success" and "notes". The "success" flag indicates whether valid credentials were found, while "notes" provides human-readable context. When all combinations are exhausted without a hit, the tool records the string “All credentials tried”. This enables operators to automatically filter out exhausted targets and focus operational resources on freshly compromised systems.
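Because BruteEntry runs from a pool of relay devices, each ORB node can stay well under a naive per-IP lockout threshold while the pool as a whole exhausts a wordlist against one account. The script below is an added example, not Cisco Talos code, showing how a defender would catch both shapes in OpenSSH authentication logs: a burst of failures from a single source, and a spray in which one username is tried from several distinct sources inside the same window, followed by a success from a source that was failing moments earlier. The window size, thresholds and log lines are assumptions constructed for the example; the regular expression only covers password authentication events in rsyslog's ISO timestamp format.

```python
"""Detect single-source bursts and distributed sprays in sshd logs (added example, not Talos code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW = 300          # seconds of history considered (assumption)
FAIL_THRESHOLD = 5    # failures from one IP within WINDOW (assumption)
SPRAY_SOURCES = 3     # distinct IPs failing against one user within WINDOW (assumption)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line: str):
    """Return (epoch_seconds, accepted, user, ip) for a password auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).timestamp()
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect(lines) -> list:
    """Return alerts in the order they fire, each a tuple starting with the alert type."""
    alerts = []
    per_ip = defaultdict(deque)     # ip -> recent failure timestamps
    per_user = defaultdict(dict)    # user -> {ip: last failure timestamp}
    flagged_ips, flagged_users = set(), set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, accepted, user, ip = rec
        if accepted:
            # a login that succeeds right after a run of failures is the likely compromise
            if per_ip[ip] and ts - per_ip[ip][-1] <= WINDOW:
                alerts.append(("success-after-failures", ip, user))
            continue
        q = per_ip[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= FAIL_THRESHOLD and ip not in flagged_ips:
            flagged_ips.add(ip)
            alerts.append(("burst", ip, user))
        per_user[user][ip] = ts
        active = sorted(src for src, t in per_user[user].items() if ts - t <= WINDOW)
        if len(active) >= SPRAY_SOURCES and user not in flagged_users:
            flagged_users.add(user)
            alerts.append(("spray", user, active))
    return alerts


# Constructed log lines for the example; the addresses are documentation ranges, not real relays.
SAMPLE_LOG = [
    "2025-03-04T10:00:00+00:00 gw1 sshd[4101]: Failed password for postgres from 198.51.100.5 port 40001 ssh2",
    "2025-03-04T10:01:10+00:00 gw1 sshd[4102]: Failed password for invalid user admin from 198.51.100.6 port 40002 ssh2",
    "2025-03-04T10:01:30+00:00 gw1 sshd[4103]: Failed password for postgres from 198.51.100.6 port 40003 ssh2",
    "2025-03-04T10:02:45+00:00 gw1 sshd[4104]: Failed password for postgres from 198.51.100.7 port 40004 ssh2",
    "2025-03-04T10:10:00+00:00 gw1 sshd[4110]: Failed password for root from 203.0.113.10 port 50001 ssh2",
    "2025-03-04T10:10:05+00:00 gw1 sshd[4111]: Failed password for root from 203.0.113.10 port 50002 ssh2",
    "2025-03-04T10:10:11+00:00 gw1 sshd[4112]: Failed password for root from 203.0.113.10 port 50003 ssh2",
    "2025-03-04T10:10:16+00:00 gw1 sshd[4113]: Failed password for root from 203.0.113.10 port 50004 ssh2",
    "2025-03-04T10:10:22+00:00 gw1 sshd[4114]: Failed password for root from 203.0.113.10 port 50005 ssh2",
    "2025-03-04T10:10:40+00:00 gw1 sshd[4115]: Accepted password for root from 203.0.113.10 port 50006 ssh2",
    "2025-03-04T11:30:00+00:00 gw1 sshd[4200]: Accepted publickey for ops from 10.0.0.8 port 52000 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample input the three relay addresses each fail only once against postgres, so no per-source rule fires, but the spray rule does as soon as the third distinct source appears; the single host hammering root trips the burst rule and then the success-after-failures rule. The same grouping applies to Postgres and Tomcat authentication logs once their failure lines are parsed into the same (timestamp, user, source) shape.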
The breadth of UAT-9244’s toolkit—from a driver-enabled Windows backdoor to a P2P Linux implant and edge-based brute-force infrastructure—highlights a mature, well-resourced operation tailored to large, distributed environments such as telecom networks. To reduce exposure, telecom operators and other critical infrastructure providers should prioritize rigorous patching of Windows Server and Exchange, harden and monitor Docker and container platforms, enforce strict network segmentation, and deploy monitoring for anomalous P2P and BitTorrent traffic. Continuous auditing of edge devices, disabling unused services, enforcing multi-factor authentication for SSH and administrative access, and detecting DLL side-loading patterns (for example, suspicious wsprint.exe executions or unusual msiexec.exe activity) can significantly reduce the likelihood and impact of intrusions by UAT-9244 and similar APT actors.