The Silent Signal: How China’s “UAT-9244” is Dismantling South American Telecom with a New Malware Triad
A Chinese hacking group has launched a new wave of cyberattacks against telecommunications companies across South America. Researchers at Cisco Talos have identified three previously unknown malicious tools the attackers use to breach telecom operators' networks, take control of their hardware, and turn those devices into launch points for further intrusions.
Cisco Talos tracks the group as UAT-9244. In the researchers' assessment it is closely tied to Chinese cyberespionage operations and shares significant methods and tooling with the Famous Sparrow threat actor. Since 2024, UAT-9244 has targeted critical communications infrastructure in South American countries, focusing on Windows workstations, Linux servers, and network appliances at the edge of those networks.
Across the campaign the attackers deploy three distinct malware families: TernDoor, PeerTime, and BruteEntry. Each serves a specific purpose: maintaining persistent access to compromised systems, remotely controlling infected devices, and running large-scale brute-force credential attacks against external services.
The centerpiece of the attacks is the TernDoor backdoor. It is a new evolution of the CrowDoor malware previously used by the Chinese groups Famous Sparrow and Earth Estries; CrowDoor in turn descends from an earlier malware family known as SparrowDoor. Analysts have also observed related tooling in Tropic Trooper campaigns, which strongly suggests shared resources among these groups.
To execute their code, the attackers rely on DLL sideloading. The legitimate executable wsprint.exe is launched and loads the malicious library BugSplatRc64.dll placed alongside it. That library then reads the file WSPrint.dll, decrypts the payload it contains, and runs TernDoor directly in memory on the host.
TernDoor gives the operators full remote control of the infected machine. It collects information about the host, user accounts, and network configuration, and can execute arbitrary commands, launch processes, and steal files. The backdoor also carries an encrypted Windows driver that can suspend, resume, and kill processes, a capability that helps conceal the malware's activity.
For persistence, the attackers create a Windows Scheduled Task named WSPrint so the malware restarts automatically at boot. The malware also modifies specific Registry keys to hide that scheduled task from view. In some cases it instead writes its own autostart entry to the Registry so that it runs as soon as a user logs on.
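The sideloading chain and the persistence mechanisms above leave recognisable traces in host telemetry. The following Python is an added illustration of how a defender might triage such events; it is not Cisco Talos tooling or anything recovered from UAT-9244. The event records are constructed to resemble what a collector would produce from Sysmon image-load (Event ID 7) and registry (Event ID 13) data and Windows Security task-creation (Event ID 4698) data; the field names, the `signed_image`/`signed_dll` flags and the directory `C:\Users\Public\WSPrint` are assumptions, while the file and task names come from the report.

```python
"""
Host-telemetry triage for the DLL sideloading and persistence patterns the
report describes. Added illustration, not Cisco Talos tooling or UAT-9244
code. Event field names, the signed_* flags and the sample directory are
assumptions about what a collector provides.
"""
from pathlib import PureWindowsPath

# Directories from which library loads and task actions are normally expected.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
)

# Autostart locations (matched case-insensitively against the written key path).
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)

# The Task Scheduler service (hosted in svchost.exe) owns the TaskCache tree;
# writes there by any other process deserve a look (heuristic, an assumption).
TASKCACHE = r"schedule\taskcache"
SCHEDULER_HOST = r"c:\windows\system32\svchost.exe"


def _under(path, prefixes):
    p = str(path).lower()
    return any(p.startswith(pre) for pre in prefixes)


def check_image_load(ev):
    """Flag a signed executable loading an unsigned DLL from its own untrusted directory."""
    exe = PureWindowsPath(ev["image"])
    dll = PureWindowsPath(ev["image_loaded"])
    if dll.suffix.lower() != ".dll":
        return None
    same_dir = exe.parent == dll.parent  # PureWindowsPath compares case-insensitively
    if same_dir and ev["signed_image"] and not ev["signed_dll"] and not _under(dll, TRUSTED_DIRS):
        return f"possible DLL sideloading: {exe.name} loaded {dll.name} from {dll.parent}"
    return None


def check_task_created(ev):
    """Flag a new scheduled task whose action runs from outside the trusted directories."""
    if not _under(ev["action"], TRUSTED_DIRS):
        return f"scheduled task {ev['task_name']} runs {ev['action']} from an untrusted directory"
    return None


def check_registry_set(ev):
    """Flag autostart values and TaskCache edits made by something other than the scheduler."""
    key = ev["target_object"].lower()
    if any(rk in key for rk in RUN_KEYS):
        return f"autostart value written: {ev['target_object']} = {ev['details']}"
    if TASKCACHE in key and ev["image"].lower() != SCHEDULER_HOST:
        return f"TaskCache modified by {ev['image']}: {ev['target_object']}"
    return None


HANDLERS = {
    "image_load": check_image_load,
    "task_created": check_task_created,
    "registry_set": check_registry_set,
}


def triage(events):
    """Run every event through the handler for its type; return the list of findings."""
    findings = []
    for ev in events:
        hit = HANDLERS[ev["type"]](ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (directory is an assumption; names are from the report).
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Program Files\Vendor\app.exe",
     "image_loaded": r"C:\Program Files\Vendor\helper.dll",
     "signed_image": True, "signed_dll": True},                      # benign
    {"type": "image_load", "image": r"C:\Users\Public\WSPrint\wsprint.exe",
     "image_loaded": r"C:\Users\Public\WSPrint\BugSplatRc64.dll",
     "signed_image": True, "signed_dll": False},                     # sideload
    {"type": "task_created", "task_name": r"\WSPrint",
     "action": r"C:\Users\Public\WSPrint\wsprint.exe"},              # persistence
    {"type": "registry_set", "image": r"C:\Users\Public\WSPrint\wsprint.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WSPrint",
     "details": "(value removed)"},                                  # hiding the task
    {"type": "registry_set", "image": r"C:\Users\Public\WSPrint\wsprint.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WSPrint",
     "details": r"C:\Users\Public\WSPrint\wsprint.exe"},             # run key
    {"type": "registry_set", "image": r"C:\Windows\System32\svchost.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Backup",
     "details": "{id}"},                                             # benign
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run as-is, the script reports four findings for the constructed sample (the sideload, the task, the TaskCache edit and the Run value) and stays silent on the two benign records. The sideloading rule keys on the shape of the technique (signed host binary, unsigned library in the same untrusted directory) rather than on the specific file names, so it still fires when an operator renames the pair.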
TernDoor receives its instructions from a command-and-control server. It connects to a predefined IP address using parameters hardcoded in its configuration: the C2 server address, the port, the maximum number of connection attempts, and the User-Agent string to present.
Alongside the Windows backdoor, UAT-9244 uses a second tool, PeerTime. It runs only on Linux and is distributed as an ELF binary compiled for a range of processor architectures, which widens the attackers' reach to include network appliances and embedded systems.
PeerTime is deployed by a shell script that downloads a loader together with an additional module. The malware checks whether Docker is present on the host and, if necessary, runs its code inside a container. Debugging strings in Mandarin Chinese found inside the binary corroborate the tool's origin.
Once running, PeerTime uses the BitTorrent protocol to communicate in a decentralized fashion with its command nodes and with other infected devices. Over this peer-to-peer network it receives commands, downloads files, and executes them on the compromised host. Analysts are currently tracking two variants: an original version written in C/C++ and a newer one written in Rust. On some systems the malware disguises itself as an ordinary, benign process to evade detection.
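A command channel built on BitTorrent has a network-side tell: the DHT messages that peers exchange are bencoded KRPC dictionaries, and a Linux server or edge appliance has no business emitting them. The Python below is an added illustration of that check, not code from PeerTime or from Cisco Talos. It contains a small bencode decoder, classifies a UDP payload as a DHT query, response or error by the `y`/`q`/`t` keys defined in BEP 5, and flags DHT traffic from hosts whose role should never involve BitTorrent. The two DHT payloads are the ping query and response examples from BEP 5; the flow records, host roles and addresses are constructed.

```python
"""
Bencode decoder and BitTorrent DHT (KRPC, BEP 5) classifier. Added example,
not PeerTime or Cisco Talos code. Flow records and host roles are constructed;
the two DHT payloads are the ping examples published in BEP 5.
"""


def bdecode(data: bytes):
    """Decode one bencoded value into bytes / int / list / dict (keys are bytes)."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                      # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                      # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                      # dict: d<key><value>...e
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                val, i = parse(i)
                d[key] = val
            return d, i + 1
        if c.isdigit():                    # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")

    obj, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return obj


# Query names defined in BEP 5.
KRPC_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}


def classify_krpc(payload: bytes):
    """Return 'dht-query:<name>', 'dht-response' or 'dht-error' for a KRPC message, else None."""
    try:
        msg = bdecode(payload)
    except (ValueError, IndexError):
        return None
    if not isinstance(msg, dict) or b"t" not in msg or b"y" not in msg:
        return None
    y = msg[b"y"]
    if y == b"q" and msg.get(b"q") in KRPC_QUERIES:
        return f"dht-query:{msg[b'q'].decode()}"
    if y == b"r" and isinstance(msg.get(b"r"), dict):
        return "dht-response"
    if y == b"e":
        return "dht-error"
    return None


def flag_unexpected_dht(flows, allowed_roles=("workstation",)):
    """List (src, dst, label) for DHT traffic from hosts whose role should never speak BitTorrent."""
    hits = []
    for f in flows:
        label = classify_krpc(f["payload"])
        if label and f["role"] not in allowed_roles:
            hits.append((f["src"], f["dst"], label))
    return hits


# Constructed flow records: source host, its inventory role, destination, UDP payload.
SAMPLE_FLOWS = [
    {"src": "10.0.5.20", "role": "linux-server", "dst": "203.0.113.7:6881",
     "payload": b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"},
    {"src": "10.0.9.3", "role": "edge-appliance", "dst": "198.51.100.4:6881",
     "payload": b"d1:rd2:id20:mnopqrstuvwxyz123456e1:t2:aa1:y1:re"},
    {"src": "10.0.1.50", "role": "workstation", "dst": "192.0.2.10:53",
     "payload": b"\x12\x34\x01\x00\x00\x01"},   # DNS header bytes, not bencode
]

if __name__ == "__main__":
    for src, dst, label in flag_unexpected_dht(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {label}")
```

Classifying by message structure rather than by port matters here: DHT nodes are free to use any UDP port, so a port-6881 filter misses most of the traffic, while a bencoded dictionary carrying `t` and `y` keys is distinctive regardless of port. The inventory role comes from whatever asset database the defender keeps; the rule only has teeth if that database is accurate.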
The third tool, BruteEntry, turns compromised devices into covert proxy nodes for large-scale brute-force credential attacks. Such devices are known as Operational Relay Boxes (ORBs). BruteEntry is typically installed on network appliances at the perimeter of the infrastructure.
After infection, BruteEntry contacts its command server and reports the system's IP address and hostname. The server replies with a task list: a curated set of target addresses to attack. The malware then attempts to brute-force credentials for SSH services, PostgreSQL database servers, and Apache Tomcat web interfaces.
When a brute-force attempt succeeds, the infected device sends the captured credentials back to the command server. In this way the network of compromised devices steadily expands the attackers' access to new systems.
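From the target's side, an ORB working through a task list shows up as one source address failing authentication against several unrelated services in a short span. The Python below is an added example of correlating those failures, not Cisco Talos or BruteEntry code. It parses the stock sshd syslog line, a PostgreSQL log line written with a `log_line_prefix` that includes the client address (`%h`, an assumption about the server's configuration), and a Tomcat common-format access-log entry for the manager interface, then alerts on sources that fail repeatedly within a window or that fail against two or more services. All log lines are constructed; 2025 is the assumed year for the syslog timestamps.

```python
"""
Failed-authentication correlation across SSH, PostgreSQL and Apache Tomcat.
Added example, not Cisco Talos or BruteEntry code. Log lines are constructed;
the PostgreSQL format assumes log_line_prefix includes %h; SYSLOG_YEAR is an
assumption because sshd syslog lines carry no year.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
PG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ UTC \[\d+\] (?P<ip>[\d.]+) '
    r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"')
TOMCAT_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\w+ /manager/\S* HTTP/[\d.]+" 401 ')

SYSLOG_YEAR = 2025
UTC = timezone.utc


def parse_line(line):
    """Return (service, source_ip, datetime) for a failed-auth line, else None."""
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return "ssh", m["ip"], ts.replace(tzinfo=UTC)
    m = PG_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return "postgresql", m["ip"], ts.replace(tzinfo=UTC)
    m = TOMCAT_RE.match(line)
    if m:
        return "tomcat", m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return None


def detect(lines, window_seconds=300, threshold=5):
    """Group failures by source IP; alert on bursts or on multi-service activity."""
    by_ip = defaultdict(list)
    for parsed in map(parse_line, lines):
        if parsed:
            service, ip, ts = parsed
            by_ip[ip].append((ts, service))
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        services = {s for _, s in evs}
        # Largest number of failures falling inside any window_seconds span.
        start, peak = 0, 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold or len(services) >= 2:
            alerts.append({"ip": ip, "failures": len(evs),
                           "peak_in_window": peak, "services": sorted(services)})
    return alerts


# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG_LINES = [
    "Mar 12 10:01:02 edge1 sshd[2211]: Failed password for invalid user admin from 203.0.113.50 port 51234 ssh2",
    "Mar 12 10:01:04 edge1 sshd[2211]: Failed password for root from 203.0.113.50 port 51240 ssh2",
    "Mar 12 10:01:06 edge1 sshd[2214]: Failed password for invalid user oracle from 203.0.113.50 port 51251 ssh2",
    "Mar 12 10:01:08 edge1 sshd[2216]: Failed password for root from 203.0.113.50 port 51262 ssh2",
    "Mar 12 10:01:10 edge1 sshd[2218]: Accepted publickey for ops from 10.0.0.7 port 40112 ssh2",
    "Mar 12 10:05:30 edge1 sshd[2300]: Failed password for root from 198.51.100.9 port 42000 ssh2",
    '2025-03-12 10:01:12.118 UTC [4412] 203.0.113.50 FATAL:  password authentication failed for user "postgres"',
    '2025-03-12 10:01:14.402 UTC [4413] 203.0.113.50 FATAL:  password authentication failed for user "admin"',
    '203.0.113.50 - - [12/Mar/2025:10:01:16 +0000] "GET /manager/html HTTP/1.1" 401 2536',
    '198.51.100.20 - - [12/Mar/2025:10:01:18 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES):
        print(alert)
```

The multi-service rule is the one that catches a relay box early: a single mistyped password on one service is noise, but the same address touching SSH, PostgreSQL and the Tomcat manager within minutes matches the task-list behaviour described above, even before the per-service count reaches a lockout threshold. In production the three log sources would be collected centrally and the alert would feed a block on the perimeter device.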
Cisco Talos notes that UAT-9244 is actively expanding its infrastructure and continuing to develop its toolset. At the same time, attempts to establish a direct link between this group and another Chinese operation, Salt Typhoon, remain inconclusive, even though both campaigns focus closely on telecommunications companies.