UAT‑9244: Chinese State Hackers Deploy New Malware Toolkit Against Telcos

Cisco Talos has uncovered a China‑linked APT group, tracked as UAT‑9244, targeting telecommunications providers in South America since 2024. The campaign pairs Windows, Linux and edge‑device malware, giving the actor a foothold on both the back‑office servers and the embedded equipment that make up a telecom network.

The Malware Arsenal

  • TernDoor (Windows backdoor)
    • Delivered via DLL side‑loading: a legitimate wsprint.exe loads a malicious BugSplatRc64.dll placed alongside it.
    • Injects payload into msiexec.exe.
    • Carries an embedded kernel driver (WSPrint.sys) that is used to manipulate processes.
    • Capabilities: remote shell, file operations, system info collection, persistence via registry and scheduled tasks.
  • PeerTime (Linux backdoor)
    • ELF‑based, with builds for ARM, AArch64, PPC and MIPS, i.e. the CPU families found in telecom appliances and other embedded devices.
    • Two variants: C/C++ and Rust.
    • Uses the BitTorrent protocol for peer‑to‑peer C2, so there is no single C2 domain or IP to block.
    • Downloads payloads from peers, executes via BusyBox.
    • Simplified Chinese debug strings suggest origin.
  • BruteEntry (Go‑based brute‑force scanner)
    • Converts compromised devices into Operational Relay Boxes (ORBs).
    • Scans for SSH, Postgres, Tomcat targets.
    • Sends login attempt results back to C2.
    • Expands attacker infrastructure by brute‑forcing new nodes.
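The TernDoor chain above (host EXE side‑loading a DLL from a user‑writable directory, a payload injected into msiexec.exe, persistence via a Run key or scheduled task) is a sequence rather than a single indicator, and detection works best when each event is tied to the ones before it. The following is an added example, not Talos tooling; the events are constructed Sysmon‑style records, and the trusted directories and expected msiexec.exe parents are assumptions you would tune to your own estate.

```python
"""Endpoint detection for a TernDoor-style execution chain:
wsprint.exe side-loading BugSplatRc64.dll from a user-writable directory,
a payload injected into msiexec.exe, and Run-key / scheduled-task persistence.
Added example over constructed Sysmon-style events; allow-lists are assumptions."""

import ntpath

# Assumption: the one side-loading pair named on the page (host EXE, DLL).
SIDELOAD_PAIRS = {("wsprint.exe", "bugsplatrc64.dll")}

# Where a properly installed host binary would load its own DLLs from (assumption).
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\program files", r"c:\program files (x86)")

# Parents that normally launch msiexec.exe during a software install (assumption).
EXPECTED_MSIEXEC_PARENTS = {"msiexec.exe", "explorer.exe", "services.exe", "svchost.exe"}

RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def _base(path):
    return ntpath.basename(path).lower()


def _in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def _has_install_switches(cmdline):
    # msiexec legitimately runs with /i, /x, /q, /V ...; a bare msiexec.exe with
    # no switches is the shape an injector leaves behind.
    return any(tok.startswith(("/", "-")) for tok in cmdline.split()[1:])


def detect(events):
    """Return (rule, pid, detail) findings. Later events are tied to earlier ones
    through the set of PIDs already implicated in the chain."""
    findings = []
    suspect = set()       # PIDs that are part of the chain
    bare_msiexec = set()  # msiexec.exe instances started with no install switches
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "image_load":
            pair = (_base(ev["image"]), _base(ev["loaded"]))
            if pair in SIDELOAD_PAIRS and not _in_trusted_dir(ev["loaded"]):
                findings.append(("sideload_from_untrusted_dir", pid, ev["loaded"]))
                suspect.add(pid)
        elif kind == "process_create":
            image, parent = _base(ev["image"]), _base(ev["parent_image"])
            if image == "msiexec.exe":
                if parent not in EXPECTED_MSIEXEC_PARENTS or ev["parent_pid"] in suspect:
                    findings.append(("msiexec_unexpected_parent", pid, parent))
                    suspect.add(pid)
                if not _has_install_switches(ev["cmdline"]):
                    bare_msiexec.add(pid)
            elif (image == "schtasks.exe" and "/create" in ev["cmdline"].lower()
                  and ev["parent_pid"] in suspect):
                findings.append(("scheduled_task_persistence", pid, ev["cmdline"]))
        elif kind == "network_connect":
            # A switch-less msiexec.exe has no reason to talk to the network.
            if pid in bare_msiexec:
                findings.append(("injection_host_beacon", pid, ev["dst"]))
        elif kind == "registry_set":
            if pid in suspect and any(m in ev["key"].lower() for m in RUN_KEY_MARKERS):
                findings.append(("run_key_persistence", pid, ev["key"]))
    return findings


# Constructed telemetry: one malicious chain (PIDs 41xx/42xx) and benign controls (PIDs 5xxx).
SAMPLE_EVENTS = [
    {"type": "image_load", "pid": 4100,
     "image": r"C:\Users\svc\AppData\Local\Temp\wsprint.exe",
     "loaded": r"C:\Users\svc\AppData\Local\Temp\BugSplatRc64.dll"},
    {"type": "process_create", "pid": 4188, "parent_pid": 4100,
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Users\svc\AppData\Local\Temp\wsprint.exe",
     "cmdline": "msiexec.exe"},
    {"type": "network_connect", "pid": 4188, "dst": "203.0.113.7:443"},
    {"type": "registry_set", "pid": 4188,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process_create", "pid": 4200, "parent_pid": 4188,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"schtasks.exe /create /tn Updater /tr C:\Users\svc\AppData\Local\Temp\wsprint.exe"},
    # benign: vendor-installed wsprint.exe loading its DLL from Program Files
    {"type": "image_load", "pid": 5000,
     "image": r"C:\Program Files\Vendor\wsprint.exe",
     "loaded": r"C:\Program Files\Vendor\BugSplatRc64.dll"},
    # benign: a user double-clicking an installer
    {"type": "process_create", "pid": 5100, "parent_pid": 1234,
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\svc\Downloads\tool.msi"},
    {"type": "network_connect", "pid": 5100, "dst": "203.0.113.9:443"},
]


def run_demo():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, pid, detail in run_demo():
        print(f"{rule:30} pid={pid} {detail}")
```

The side‑load rule keys on directory rather than file hash, because the attacker controls the DLL bytes but not the fact that a legitimately installed wsprint.exe would live under Program Files; the msiexec.exe rules key on parent and command line for the same reason. Both benign controls in the sample pass without a finding.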

Why It Matters

  • Multi‑platform targeting: Windows servers, Linux appliances, and embedded telecom devices.
  • Persistence & stealth: Registry hiding, process renaming, obfuscation.
  • Infrastructure compromise: ORBs enable lateral expansion across networks.
  • State alignment: Tooling overlaps with FamousSparrow and Tropic Trooper, but Talos tracks UAT‑9244 as a distinct cluster.

Defensive Recommendations

  • Patch & harden: Ensure telecom devices and servers are updated.
  • Monitor IoCs: Use Cisco Talos’ published indicators of compromise for detection.
  • Network segmentation: Isolate telecom edge devices from core infrastructure.
  • Behavioral monitoring: Alert on BitTorrent handshakes or DHT traffic from servers and appliances that have no reason to run a P2P client (PeerTime), and on clusters of failed SSH, Postgres and Tomcat logins from a single source (BruteEntry).
  • Incident readiness: Prepare for multi‑platform response — Windows, Linux, and embedded systems.
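The two behaviours worth watching for on the wire are PeerTime's BitTorrent C2 and BruteEntry's credential guessing against SSH, Postgres and Tomcat. The following is an added example showing how both can be picked out of flow and authentication records; it is not Talos detection content. The flows and auth events are constructed, the service ports are assumed defaults, and the peer and failure thresholds are starting points to tune. The BitTorrent check uses the peer‑wire handshake prefix and the bencoded shape of a DHT query, both of which are part of the public protocol.

```python
"""Network-side checks for BitTorrent-style P2P C2 (PeerTime) and brute-force
scanning of SSH / Postgres / Tomcat (BruteEntry). Added example over constructed
flow and auth-log records; ports and thresholds are assumptions."""

from collections import defaultdict

BT_HANDSHAKE = b"\x13BitTorrent protocol"            # first 20 bytes of a peer-wire handshake
SERVICE_PORTS = {22: "ssh", 5432: "postgres", 8080: "tomcat"}  # assumption: default ports


def is_bittorrent(payload: bytes) -> bool:
    """Peer-wire handshake, or a bencoded DHT query (d1:ad2:id20:<id>... 1:y1:q)."""
    if payload.startswith(BT_HANDSHAKE):
        return True
    return payload.startswith(b"d1:ad2:id20:") and b"1:y1:q" in payload


def p2p_hosts(flows, min_peers=3):
    """Internal hosts speaking BitTorrent to at least min_peers distinct remote peers.
    A single torrent-looking flow is noise; a fan-out of peers from an appliance that
    should never run a torrent client is the anomaly."""
    peers = defaultdict(set)
    for f in flows:
        if is_bittorrent(f["payload"]):
            peers[f["src"]].add(f["dst"])
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}


def bruteforce_sources(auth_events, window=60, threshold=5):
    """(source, service) pairs with >= threshold failed logins inside `window`
    seconds, found with a sliding window over sorted timestamps."""
    by_key = defaultdict(list)
    for e in auth_events:
        if not e["success"] and e["dport"] in SERVICE_PORTS:
            by_key[(e["src"], SERVICE_PORTS[e["dport"]])].append(e["ts"])
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


# Constructed samples: a handshake and a DHT ping, both well-formed per the protocol.
_HANDSHAKE = BT_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20 + b"-PT0001-" + b"0" * 12
_DHT_PING = b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"

SAMPLE_FLOWS = [
    # 10.20.0.5 is a constructed "edge appliance" fanning out to four peers
    {"src": "10.20.0.5", "dst": "198.51.100.10", "payload": _HANDSHAKE},
    {"src": "10.20.0.5", "dst": "198.51.100.11", "payload": _DHT_PING},
    {"src": "10.20.0.5", "dst": "198.51.100.12", "payload": _HANDSHAKE},
    {"src": "10.20.0.5", "dst": "198.51.100.13", "payload": _DHT_PING},
    # one stray torrent-looking flow from another host: below the peer threshold
    {"src": "10.20.0.9", "dst": "198.51.100.20", "payload": _HANDSHAKE},
    # ordinary HTTP, never matches
    {"src": "10.20.0.9", "dst": "203.0.113.5", "payload": b"GET / HTTP/1.1\r\n"},
]

SAMPLE_AUTH = (
    # six SSH failures from one source inside 25 seconds
    [{"ts": t, "src": "198.51.100.23", "dport": 22, "success": False} for t in (0, 5, 10, 15, 20, 25)]
    # three Postgres failures from the same source: below threshold
    + [{"ts": t, "src": "198.51.100.23", "dport": 5432, "success": False} for t in (0, 10, 20)]
    # a legitimate successful login is ignored
    + [{"ts": 30, "src": "10.20.0.40", "dport": 22, "success": True}]
)


def run_demo():
    return p2p_hosts(SAMPLE_FLOWS), bruteforce_sources(SAMPLE_AUTH)


if __name__ == "__main__":
    p2p, brute = run_demo()
    print("P2P fan-out:", p2p)
    print("Brute-force:", brute)
```

The peer‑count threshold is what separates a one‑off false positive from PeerTime‑style behaviour; the sliding window does the same for BruteEntry, where a few scattered failures are normal but a burst against one service from one source is not. Feeding the brute‑force detector with the successful logins as well lets you extend it to flag the success that follows a burst, which is the event that turns a scanned host into a new ORB.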

Final Thought

UAT‑9244’s toolkit illustrates how state‑linked actors weaponize diverse malware families to infiltrate telecom networks. For leaders, the lesson is clear: telecom infrastructure is a strategic target, and defending it requires cross‑platform visibility, rapid detection, and proactive hardening against advanced persistent threats.
