
China-Linked APT Deploys New Malware Trio in South American Telecom Attacks


A China-linked advanced persistent threat (APT) actor has been conducting a sustained cyber espionage campaign against telecommunications infrastructure in South America since the beginning of 2024. The threat actor, tracked by Cisco Talos as UAT-9244, is targeting both Windows and Linux systems, as well as network edge devices, using a suite of three custom malware implants. Researchers assess that this group is closely associated with another cluster known as FamousSparrow, which itself shares tactical overlaps with the China-nexus espionage group Salt Typhoon, known for targeting telecom providers globally. However, while the targeting is similar, there is no definitive evidence directly linking UAT-9244 to Salt Typhoon.

The campaign employs three distinct, previously undocumented implants tailored for different systems. For Windows environments, the attackers deploy "TernDoor," a backdoor delivered via DLL side-loading that abuses a legitimate executable to decrypt and run its final payload in memory. For Linux systems, they use "PeerTime" (also known as angrypeer). To compromise network perimeter devices, the group utilizes a tool named "BruteEntry." The exact initial infection vector remains unclear, though the adversary has a known history of exploiting vulnerabilities in outdated Windows Server and Microsoft Exchange Server software to install web shells.

Technical analysis reveals TernDoor as a sophisticated evolution of known malware. It is a variant of Crowdoor (itself derived from SparrowDoor) and has been in use by UAT-9244 since at least November 2024. The malware establishes persistence on a host using scheduled tasks or Registry Run keys. It differentiates itself from its predecessors by using a different set of command codes and by embedding a Windows driver capable of manipulating processes—such as suspending, resuming, or terminating them. For stealth, the backdoor supports a single command-line switch ("-u") designed solely to uninstall itself and delete all traces from the compromised system.
