China-Linked Hackers Target South American Telecom Infrastructure Using TernDoor, PeerTime and BruteEntry


A China-linked advanced persistent threat actor has been conducting targeted cyber operations against critical telecommunications infrastructure in South America since 2024, researchers have revealed. Cisco Talos, which tracks the actor under the moniker UAT-9244, said the campaign involves attacks on Windows and Linux systems as well as network edge devices using three previously undocumented implants. The activity shows tactical similarities with another China-linked espionage cluster known as FamousSparrow, which in turn shares operational patterns with Salt Typhoon, a threat actor group historically associated with targeting telecom service providers. While there are overlaps in techniques and targeting, researchers caution that no definitive link between UAT-9244 and Salt Typhoon has been established.

Analysis by Talos indicates that the attacks employ the TernDoor, PeerTime and BruteEntry malware to compromise and maintain access across a variety of hosts. TernDoor, a Windows backdoor, is deployed through DLL side-loading, abusing the legitimate executable wsprint.exe to load a rogue DLL named BugSplatRc64.dll. Once executed in memory, the DLL decrypts the final payload and establishes persistence using either scheduled tasks or the Registry Run key. The malware then verifies that it has been injected into msiexec.exe before decoding its configuration to retrieve command-and-control (C2) server parameters. After connecting to the C2 server, TernDoor enables the attackers to create processes, run commands, read and write files, collect system data, and deploy a Windows driver to hide malicious components and manage processes. The backdoor also supports an uninstall function that removes all traces from the host using a single command-line switch.
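The delivery chain above gives defenders concrete host-telemetry hooks: a process named wsprint.exe loading a module named BugSplatRc64.dll, a Run-key value or scheduled task that points back at wsprint.exe, and msiexec.exe running under an unexpected parent. The following Python is an added example written for this article, not code from Talos or from the malware analysis; the Sysmon-style event records are constructed, and the allow-list of expected msiexec.exe parents is an assumption rather than something the article states.

```python
"""Host-telemetry checks for the TernDoor delivery chain described above.

Events are constructed Sysmon-style dicts (EventID 7 = image load,
13 = registry value set, 1 = process create), not real telemetry.
"""
import ntpath

SIDELOAD_HOST = "wsprint.exe"       # legitimate binary named in the article
SIDELOAD_DLL = "bugsplatrc64.dll"   # rogue DLL named in the article

# Assumption (not from the article): parents under which msiexec.exe is normally
# seen. TernDoor checks that it runs inside msiexec.exe, so an odd parent is a lead.
MSIEXEC_EXPECTED_PARENTS = {"services.exe", "explorer.exe", "msiexec.exe", "svchost.exe"}

# Constructed sample events; the SID and paths are invented for illustration.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\wsprint.exe",
     "ImageLoaded": r"C:\Users\Public\BugSplatRc64.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 13, "Image": r"C:\Users\Public\wsprint.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\wsprint.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\Public\wsprint.exe",
     "CommandLine": r'schtasks.exe /create /tn Updater /tr "C:\Users\Public\wsprint.exe" /sc onlogon'},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Users\Public\wsprint.exe", "CommandLine": "msiexec.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "msiexec.exe /V"},
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS via ntpath)."""
    return ntpath.basename(path or "").lower()


def check_event(ev):
    """Return (rule_name, detail) if the event matches a TernDoor-related rule, else None."""
    eid = ev.get("EventID")
    image = _base(ev.get("Image"))
    cmdline = (ev.get("CommandLine") or "").lower()

    # Rule 1: the side-loading pair named in the article.
    if eid == 7 and image == SIDELOAD_HOST and _base(ev.get("ImageLoaded")) == SIDELOAD_DLL:
        return ("dll_sideload", f"{ev['Image']} loaded {ev['ImageLoaded']}")

    # Rule 2: Run-key persistence pointing at the side-loading host.
    if eid == 13 and "\\currentversion\\run\\" in (ev.get("TargetObject") or "").lower() \
            and SIDELOAD_HOST in (ev.get("Details") or "").lower():
        return ("run_key_persistence", f"{ev['TargetObject']} -> {ev['Details']}")

    # Rule 3: scheduled-task persistence created for the side-loading host.
    if eid == 1 and image == "schtasks.exe" and "/create" in cmdline and SIDELOAD_HOST in cmdline:
        return ("scheduled_task_persistence", ev["CommandLine"])

    # Rule 4 (assumption): msiexec.exe started by a parent outside the expected set.
    if eid == 1 and image == "msiexec.exe" and _base(ev.get("ParentImage")) not in MSIEXEC_EXPECTED_PARENTS:
        return ("msiexec_unusual_parent", f"parent={ev.get('ParentImage')}")

    return None


def scan(events):
    """Apply check_event to every record and return the list of findings."""
    return [hit for hit in map(check_event, events) if hit]


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Rules 1 to 3 are taken directly from the behaviour the article describes; rule 4 is a generic heuristic that will need tuning per environment, since installers and management agents legitimately spawn msiexec.exe from other parents.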

The UAT-9244 actor has also deployed PeerTime, a Linux backdoor compiled for multiple architectures, including ARM, AARCH, PPC and MIPS, to target embedded systems. The ELF payload is delivered alongside an instrumentor binary via a shell script, which checks for Docker installations before executing PeerTime. Talos researchers noted that debug strings in Simplified Chinese in the instrumentor suggest it was developed by Chinese-speaking operators. PeerTime decrypts and decompresses its payload in memory and can rename itself to avoid detection. The malware leverages the BitTorrent protocol to fetch command-and-control data, download files from peers, and execute them across compromised systems. It exists in both C/C++ and Rust variants, allowing flexible deployment across diverse Linux environments.

In addition, the actor has been observed deploying BruteEntry on network edge devices to create an Operational Relay Box capable of brute-forcing Postgres, SSH and Tomcat servers. A shell script drops two Golang components: an orchestrator and the BruteEntry scanner, which receives target IP addresses from the C2 server and attempts credential attacks. Results, including successful logins and failures, are reported back to the command server. Talos researchers emphasized that this approach allows the threat actor to convert compromised edge devices into active scanning and brute-force nodes, amplifying the scope of network compromise while maintaining stealth.
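From the target's side, a BruteEntry node shows up as a burst of failed logins from one source, sometimes followed by a success against the same service. The Python below is an added example for this article (not Talos or project code) that runs a sliding-window brute-force detector over constructed sshd authentication lines, flagging any source that exceeds a failure threshold and recording the account if a later login from that source succeeds. The log lines, host name, threshold and window are all constructed or assumed.

```python
"""Sliding-window brute-force detection over sshd authentication lines.

The sample log is constructed for this example; 192.0.2.0/24 and
198.51.100.0/24 are documentation address ranges, not real sources.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:00:01 gw sshd[4011]: Failed password for invalid user test from 192.0.2.10 port 50211 ssh2
Mar  3 10:00:04 gw sshd[4012]: Failed password for root from 192.0.2.10 port 50212 ssh2
Mar  3 10:00:07 gw sshd[4013]: Failed password for invalid user oracle from 192.0.2.10 port 50213 ssh2
Mar  3 10:00:09 gw sshd[4014]: Failed password for admin from 192.0.2.10 port 50214 ssh2
Mar  3 10:00:12 gw sshd[4015]: Failed password for admin from 192.0.2.10 port 50215 ssh2
Mar  3 10:00:15 gw sshd[4016]: Failed password for admin from 192.0.2.10 port 50216 ssh2
Mar  3 10:00:40 gw sshd[4017]: Accepted password for admin from 192.0.2.10 port 50217 ssh2
Mar  3 10:05:00 gw sshd[4020]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Mar  3 10:05:30 gw sshd[4021]: Accepted password for alice from 198.51.100.7 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2025):
    """Parse one sshd auth line into a dict, or return None for anything else.

    Syslog timestamps carry no year, so one is assumed for the parse.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space before single-digit days
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return one finding per source that produced >= threshold failures within window_s seconds.

    A later successful login from a flagged source is recorded as a likely
    credential compromise under 'compromised_user'.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    total_fail = Counter()        # src -> all failures seen
    findings = {}                 # src -> finding dict

    for e in events:
        src, ts = e["src"], e["ts"]
        if e["result"] == "Failed":
            total_fail[src] += 1
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold or src in findings:
                f = findings.setdefault(src, {"src": src, "failures": 0,
                                              "first_seen": q[0], "compromised_user": None})
                f["failures"] = total_fail[src]
        elif e["result"] == "Accepted" and src in findings:
            findings[src]["compromised_user"] = e["user"]
            findings[src]["success_at"] = ts

    return list(findings.values())


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG):
        print(f)
```

The same window logic applies to Postgres and Tomcat authentication logs once the parser is swapped; the article's point that the scanner reports both failures and successes back to its C2 is why a success following a burst of failures deserves a higher severity than the burst alone.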

Collectively, these operations demonstrate the strategic targeting of telecom infrastructure across South America using multi-platform implants and sophisticated delivery techniques. The campaign highlights the ongoing use of previously undocumented malware by state-aligned actors to maintain persistent access, exfiltrate sensitive data, and manipulate networked systems in critical communication sectors. Cisco Talos continues to monitor activity linked to UAT-9244, noting the importance of timely patching, intrusion detection, and comprehensive endpoint monitoring to defend against similar espionage campaigns.
