Cisco Talos has disclosed a new threat activity cluster, UAT-9244, assessed with high confidence to be a China-nexus advanced persistent threat (APT) actor closely associated with FamousSparrow and Tropic Trooper. Since 2024, the group has targeted critical telecommunications infrastructure in South America with three distinct malware implants.
Key Findings
- TernDoor: A new Windows backdoor variant of CrowDoor, deployed via DLL side-loading with capabilities for remote shell, file operations, and process management using an embedded kernel driver
- PeerTime: An ELF-based backdoor using the BitTorrent protocol for C2 communication, compiled for multiple architectures (ARM, AARCH, PPC, MIPS) to target embedded systems
- BruteEntry: A brute force scanner installed on network edge devices, converting them into Operational Relay Boxes (ORBs) that scan and compromise SSH, Postgres, and Tomcat servers
TernDoor Technical Details
The infection chain begins with DLL side-loading via the benign executable “wsprint.exe,” which loads the malicious “BugSplatRc64.dll.” The loader decrypts payloads using the key “qwiozpVngruhg123” and executes TernDoor in memory.
TernDoor establishes persistence through scheduled tasks or Registry Run keys and includes an embedded Windows driver (WSPrint.sys) that creates the device “\\Device\\VMTool” for process management—likely for evasion purposes.
PeerTime: P2P Backdoor
PeerTime uses the BitTorrent protocol to obtain C2 information and download payloads. The malware includes debug strings in Simplified Chinese, indicating Chinese-speaking developers. Two versions exist: one in C/C++ and a newer Rust variant.
The malware checks for Docker presence and renames its process to evade detection. It uses BusyBox to copy payloads to specified locations.
BruteEntry ORB Infrastructure
BruteEntry transforms compromised Linux devices into scanning nodes that brute force internet-facing services:
- Registers with C2 using the infected system’s IP and hostname
- Receives batches of up to 1,000 target IPs to scan
- Attempts credential stuffing against Tomcat (/manager/html), PostgreSQL (port 5432), and SSH
- Reports successful logins back to C2
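The brute-force behaviour described above leaves a recognisable trace on the target side: a burst of failed authentications against Tomcat's /manager/html from one source, sometimes followed by a success. As an added detection example (not code from the Talos report or from the UAT-9244 tooling), the following Python parses access-log lines in Tomcat's common log format and flags sources that exceed a failure threshold inside a sliding window. The log lines, IP addresses (documentation ranges) and timestamps are constructed, and the threshold of five 401s in five minutes is an assumption to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Tomcat access log (common log format). Synthetic data:
# 198.51.100.7 stands in for a scanning ORB node, 203.0.113.9 for a user
# who mistyped a password twice, 192.0.2.44 for ordinary traffic.
TOMCAT_ACCESS_LOG = """\
198.51.100.7 - - [10/Mar/2025:14:02:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [10/Mar/2025:14:02:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [10/Mar/2025:14:02:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [10/Mar/2025:14:02:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [10/Mar/2025:14:02:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [10/Mar/2025:14:02:05 +0000] "GET /manager/html HTTP/1.1" 200 19843
203.0.113.9 - - [10/Mar/2025:14:05:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - - [10/Mar/2025:14:30:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.44 - - [10/Mar/2025:14:06:10 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# client - user [timestamp] "METHOD path PROTO" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(text):
    """Parse common-log-format lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def detect_manager_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold 401s on /manager/html inside any window.

    Returns {ip: {"failed_logins": peak_in_window,
                  "success_after_failures": bool}}; the second field marks a
    200 on the manager page after the failures, i.e. a likely guessed password.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["path"].startswith("/manager/html"):
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in evs if e["status"] == 401]
        # Sliding window over the sorted failure timestamps: keep the largest
        # number of failures that fit inside `window`.
        start, peak = 0, 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            success_after = any(
                e["status"] == 200 and e["ts"] >= failures[0] for e in evs
            )
            alerts[ip] = {
                "failed_logins": peak,
                "success_after_failures": success_after,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_manager_bruteforce(parse_access_log(TOMCAT_ACCESS_LOG)).items():
        print(f"{ip}: {info['failed_logins']} failed manager logins, "
              f"success afterwards: {info['success_after_failures']}")
```

The "success after failures" flag is the field worth paging on: a burst of 401s alone is noise from any internet-facing Tomcat, but a 200 on the manager page from the same source within the burst means a credential was accepted and the host should be treated as compromised. The same windowing logic applies unchanged to PostgreSQL "password authentication failed" and sshd "Failed password" lines once those are parsed into the same event shape.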
Infrastructure and Attribution
All discovered C2 IP addresses shared a common SSL certificate pattern. Pivoting off this certificate, Talos identified 18 additional suspected UAT-9244 IPs.
Based on tooling overlap, TTPs, and victimology, Talos assesses UAT-9244 closely overlaps with FamousSparrow and Tropic Trooper. While both UAT-9244 and Salt Typhoon target telecommunications providers, no solid connection between the two clusters has been established.
Indicators of Compromise
Key C2 infrastructure includes:
- 154[.]205[.]154[.]82:443
- 207[.]148[.]121[.]95:443
- 212[.]11[.]64[.]105
- bloopencil[.]net
- xtibh[.]com
Full IOCs including hashes for TernDoor loaders, PeerTime samples, and BruteEntry agents are available in the Cisco Talos research report.
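The indicators above are published defanged (square-bracketed dots), and two of the IPs carry a port. To sweep DNS and connection logs for them, a defender needs to refang the values, treat the port as context rather than a hard requirement (a C2 host reached on a different port is still a hit), and match domains by suffix so subdomains are caught. As an added example (not code from the Talos report), the following Python does exactly that over constructed log lines; the five indicators are the ones listed on this page, while the internal client addresses, the 154.205.154.83 near-miss and the cdn.xtibh.com subdomain are synthetic test data.

```python
import re

# Defanged C2 indicators as listed on this page (the full set is in the Talos report).
DEFANGED_IOCS = [
    "154[.]205[.]154[.]82:443",
    "207[.]148[.]121[.]95:443",
    "212[.]11[.]64[.]105",
    "bloopencil[.]net",
    "xtibh[.]com",
]

# Constructed sample DNS / connection log lines (synthetic; 10.0.0.x are
# internal clients, 154.205.154.83 is a deliberate near-miss that must NOT match).
SAMPLE_LOG = """\
2025-03-10T14:02:01Z dns client=10.0.0.5 qname=bloopencil.net type=A
2025-03-10T14:02:03Z conn src=10.0.0.5:51234 dst=154.205.154.82:443 proto=tcp
2025-03-10T14:02:09Z conn src=10.0.0.6:40000 dst=8.8.8.8:53 proto=udp
2025-03-10T14:03:00Z dns client=10.0.0.7 qname=cdn.xtibh.com type=A
2025-03-10T14:03:30Z conn src=10.0.0.8:51000 dst=212.11.64.105:8080 proto=tcp
2025-03-10T14:04:00Z conn src=10.0.0.9:51001 dst=154.205.154.83:443 proto=tcp
"""

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
IP_PORT_RE = re.compile(r"^(?P<host>(?:\d{1,3}\.){3}\d{1,3}):(?P<port>\d+)$")
# Any dotted token: covers both IPv4 addresses and hostnames in a lowercased line.
TOKEN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def refang(ioc):
    """Turn a defanged indicator ('x[.]y', 'hxxp://') back into its real form."""
    ioc = ioc.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("hxxp", "http")):
        ioc = ioc.replace(defanged, real)
    return ioc


def build_ioc_table(defanged):
    """Map host -> expected port (None when the indicator had no port)."""
    table = {}
    for raw in defanged:
        clean = refang(raw)
        m = IP_PORT_RE.match(clean)
        if m:
            table[m["host"]] = int(m["port"])
        else:
            table[clean] = None
    return table


def match_token(token, table):
    """Exact match for any indicator; suffix match only for domain indicators."""
    if token in table:
        return token
    for ioc in table:
        if not IPV4_RE.match(ioc) and token.endswith("." + ioc):
            return ioc
    return None


def scan_lines(lines, table):
    """Return (line_no, matched_token, indicator, expected_port) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for tok in TOKEN_RE.findall(line.lower()):
            ioc = match_token(tok, table)
            if ioc and ioc not in seen:
                seen.add(ioc)
                hits.append((n, tok, ioc, table[ioc]))
    return hits


if __name__ == "__main__":
    table = build_ioc_table(DEFANGED_IOCS)
    for n, tok, ioc, port in scan_lines(SAMPLE_LOG.splitlines(), table):
        note = f" (indicator published with port {port})" if port else ""
        print(f"line {n}: {tok} matches {ioc}{note}")
```

Matching on the host and carrying the published port along as context, rather than requiring it, is deliberate: line 5 above reaches 212.11.64.105 on 8080 and still fires, and a connection to 154.205.154.82 on a port other than 443 would too. Suffix matching is restricted to domain indicators so that an IP such as 154.205.154.83 never matches by accident.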
Why This Matters
This campaign demonstrates the continued focus of China-nexus actors on telecommunications infrastructure—a strategic target for intelligence collection and potential disruption. The use of P2P protocols and ORB networks shows sophisticated operational security and the ability to scale attacks while maintaining anonymity.
Organizations in the telecommunications sector should review their edge device security, implement robust credential policies, and monitor for the IOCs provided by Talos.