South American telecommunications alert for the UAT 9244 campaign and its implants

In what has already emerged as another campaign aimed at the backbone of communications, Cisco Talos researchers have detected, since 2024, a series of intrusions focused on telecommunications providers in South America. The adversary, tracked by Talos as UAT-9244, deploys tools designed to infiltrate Windows servers, embedded Linux systems and network edge equipment, putting at risk not only data confidentiality but also the availability of the critical services that depend on that infrastructure.

The publicly available Talos report describes three previously undocumented implant families that operate at different levels of the ecosystem: a backdoor for Windows machines, a backdoor for Linux with a peer-to-peer architecture, and a brute-force scanner designed to turn edge equipment into attack nodes. The full technical analysis, with indicators and the complete observations, is on the Cisco Talos blog: https://blog.talosintelligence.com/uat-9244/.

Image generated with AI.

On Windows the threat appears under the name TernDoor. The attacker's chosen technique is to have a legitimate system executable load a malicious library, a method known as DLL side-loading: the binary wsprint.exe is abused to run a malicious DLL that decrypts and launches the final payload in memory. To remain on the system, the sample uses traditional persistence mechanisms such as scheduled tasks or entries in the Registry's Run key. In addition, this backdoor includes a driver designed to suspend, resume or terminate processes, and has an uninstall switch that, when invoked, removes its traces from the machine.

In the Linux world the central piece is PeerTime, a backdoor with a remarkably flexible design: it is compiled for architectures such as ARM, AARCH64, PowerPC and MIPS to cover routers, gateways and other embedded systems. Its deployment usually includes an installer binary that checks for the presence of Docker before loading the PeerTime loader, and it even contains plaintext strings in simplified Chinese, a detail that has drawn analysts' attention. The loader decrypts and decompresses the payload in memory, and command-and-control communication uses a peer-to-peer mechanism based on the BitTorrent protocol to distribute C2 information and to fetch additional modules from other compromised nodes.
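A defender looking for the traffic described above wants to know what standard BitTorrent framing looks like on the wire, because a server that emits it has no legitimate reason to. The following script is an added example, not code from the article or from Talos: it recognizes the BEP 3 peer-wire handshake and BEP 5 DHT (KRPC) messages in captured payloads and raises an alert only when the sender is in an inventory of business servers. The host names, addresses and payload bytes are constructed samples.

```python
"""Spot standard BitTorrent framing (peer-wire handshake, DHT/KRPC messages) in
payloads captured from hosts that have no business speaking BitTorrent."""
from dataclasses import dataclass
from typing import Optional

# BEP 3 handshake: pstrlen (0x13) + "BitTorrent protocol" + 8 reserved + 20 info_hash + 20 peer_id
PEER_WIRE_MAGIC = b"\x13BitTorrent protocol"
HANDSHAKE_LEN = 1 + 19 + 8 + 20 + 20


def is_peer_wire_handshake(payload: bytes) -> bool:
    return payload.startswith(PEER_WIRE_MAGIC) and len(payload) >= HANDSHAKE_LEN


def decode_bencode(data: bytes):
    """Minimal strict bencode decoder (ints, byte strings, lists, dicts); raises ValueError on junk."""
    def parse(i: int):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":
            result, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                value, i = parse(i)
                result[key] = value
            return result, i + 1
        if c.isdigit():
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            if start + length > len(data):
                raise ValueError("string runs past end of payload")
            return data[start:start + length], start + length
        raise ValueError(f"unexpected byte at offset {i}")
    value, consumed = parse(0)
    if consumed != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


KRPC_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}


def is_dht_krpc(payload: bytes) -> bool:
    """True for a BEP 5 KRPC message: a dict with transaction id 't' and type 'y' in q/r/e."""
    try:
        msg = decode_bencode(payload)
    except (ValueError, RecursionError):
        return False
    if not isinstance(msg, dict) or b"t" not in msg:
        return False
    kind = msg.get(b"y")
    if kind == b"q":
        return msg.get(b"q") in KRPC_QUERIES and isinstance(msg.get(b"a"), dict)
    if kind == b"r":
        return isinstance(msg.get(b"r"), dict)
    if kind == b"e":
        return isinstance(msg.get(b"e"), list)
    return False


@dataclass
class Flow:
    src_host: str   # inventory name of the internal sender
    dst: str        # remote ip:port
    proto: str      # "tcp" or "udp"
    payload: bytes  # first bytes sent in the conversation


def classify(flow: Flow) -> Optional[str]:
    if flow.proto == "tcp" and is_peer_wire_handshake(flow.payload):
        return "bittorrent-peer-wire"
    if flow.proto == "udp" and is_dht_krpc(flow.payload):
        return "bittorrent-dht"
    return None


def find_unexpected_bittorrent(flows, server_hosts):
    """Alert only when BitTorrent framing is sourced from a host listed as a server."""
    alerts = []
    for f in flows:
        label = classify(f)
        if label and f.src_host in server_hosts:
            alerts.append((f.src_host, f.dst, label))
    return alerts


# Constructed samples: two BitTorrent flows from a database server, a TLS ClientHello,
# a DNS query, and a DHT response from a workstation that is not in the server inventory.
SAMPLE_FLOWS = [
    Flow("billing-db-01", "203.0.113.10:6881", "tcp",
         PEER_WIRE_MAGIC + bytes(8) + b"\xaa" * 20 + b"-CONSTRUCTED-PEER-ID"),
    Flow("billing-db-01", "198.51.100.7:6881", "udp",
         b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"),
    Flow("web-proxy-02", "192.0.2.40:443", "tcp", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("ns-01", "192.0.2.53:53", "udp", b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    Flow("dev-laptop-17", "198.51.100.9:6881", "udp",
         b"d1:rd2:id20:mnopqrstuvwxyz123456e1:t2:aa1:y1:re"),
]
SERVER_HOSTS = {"billing-db-01", "web-proxy-02", "ns-01"}

if __name__ == "__main__":
    for host, dst, label in find_unexpected_bittorrent(SAMPLE_FLOWS, SERVER_HOSTS):
        print(f"ALERT {label}: {host} -> {dst}")
```

The check matches standard BitTorrent framing only; an implant that merely borrows ideas from the protocol, or wraps it in another transport, needs complementary signals such as a server process opening many short-lived connections to unrelated high ports. The server inventory is the part that keeps the rule quiet on workstations where peer-to-peer traffic is a policy question rather than an intrusion indicator.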

Finally, at the network periphery the attackers deploy a component called BruteEntry. It is a set of scripts and Go binaries that turn routers and edge devices into what the researchers call an Operational Relay Box (ORB): nodes that scan at scale and execute brute-force attacks against services such as Postgres, SSH or Tomcat servers. The workflow described by Talos shows an orchestrator that delivers the scanner and queries the command-and-control server for the list of targets; when a credential is valid, the result is reported back for exploitation.
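From the defender's side, the workflow above leaves two traces in the authentication logs of the targeted services: a burst of failures from one source, and, in the worst case, a success from that same source once a valid credential has been found. The script below is an added example, not code from the article or from Talos: it parses SSH and PostgreSQL authentication lines, counts failures per (service, source) and escalates to "critical" when a success follows a burst. The log lines are constructed samples, and the PostgreSQL lines assume a log_line_prefix that includes the client host (%h) so the source address is present.

```python
"""Flag brute-force bursts and 'valid credential found' events in SSH and
PostgreSQL authentication logs. Log lines below are constructed samples; the
PostgreSQL prefix assumes log_line_prefix includes the client host (%h)."""
import re
from collections import defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>" + IPV4 + r")")
PG_FAIL_RE = re.compile(
    r"\[\d+\] (?P<src>" + IPV4 + r") \S+ FATAL:\s+password authentication failed "
    r"for user \"(?P<user>[^\"]+)\"")
PG_OK_RE = re.compile(
    r"\[\d+\] (?P<src>" + IPV4 + r") \S+ LOG:\s+connection authorized: user=(?P<user>\S+)")


def parse_event(line):
    """Return (service, src_ip, user, 'fail'|'ok'), or None for lines we do not understand."""
    m = SSHD_RE.search(line)
    if m:
        return ("ssh", m["src"], m["user"], "fail" if m["outcome"] == "Failed" else "ok")
    m = PG_FAIL_RE.search(line)
    if m:
        return ("postgres", m["src"], m["user"], "fail")
    m = PG_OK_RE.search(line)
    if m:
        return ("postgres", m["src"], m["user"], "ok")
    return None


def detect_bruteforce(lines, threshold=5):
    """Count failures per (service, source). Reaching the threshold raises a 'high' alert;
    a later success from the same source is the 'valid credential found' case and is 'critical'."""
    failures = defaultdict(int)
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        service, src, user, outcome = ev
        key = (service, src)
        if outcome == "fail":
            failures[key] += 1
            if key in alerts:
                alerts[key]["failures"] = failures[key]
            elif failures[key] >= threshold:
                alerts[key] = {"severity": "high", "failures": failures[key], "compromised_user": None}
        elif failures[key] >= threshold:
            alerts[key] = {"severity": "critical", "failures": failures[key], "compromised_user": user}
    return alerts


# Constructed sample: a password spray against SSH that ends in a successful login,
# two PostgreSQL failures below the threshold, and two legitimate authentications.
SAMPLE_LOG = [
    "Jan 12 03:14:01 edge-gw sshd[2231]: Failed password for root from 198.51.100.23 port 41001 ssh2",
    "Jan 12 03:14:02 edge-gw sshd[2233]: Failed password for invalid user admin from 198.51.100.23 port 41002 ssh2",
    "Jan 12 03:14:03 edge-gw sshd[2235]: Failed password for root from 198.51.100.23 port 41003 ssh2",
    "Jan 12 03:14:04 edge-gw sshd[2237]: Failed password for invalid user oracle from 198.51.100.23 port 41004 ssh2",
    "Jan 12 03:14:05 edge-gw sshd[2239]: Failed password for root from 198.51.100.23 port 41005 ssh2",
    "Jan 12 03:14:06 edge-gw sshd[2241]: Accepted password for svc-backup from 198.51.100.23 port 41006 ssh2",
    "Jan 12 03:14:07 edge-gw sshd[2243]: Accepted publickey for ops from 192.0.2.10 port 50022 ssh2",
    '2025-01-12 03:15:01 UTC [4411] 203.0.113.5 postgres@postgres FATAL:  password authentication failed for user "postgres"',
    '2025-01-12 03:15:02 UTC [4412] 203.0.113.5 postgres@postgres FATAL:  password authentication failed for user "postgres"',
    "2025-01-12 03:15:03 UTC [4413] 192.0.2.10 app@billing LOG:  connection authorized: user=app database=billing",
]

if __name__ == "__main__":
    for (service, src), info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{info['severity'].upper()} {service} from {src}: {info}")
```

The "critical" case is the one worth paging on: it is the moment the scanner would report a working credential back to its operator, so the account named in the alert should be treated as compromised until the session is reviewed. Counting per (service, source) rather than per account also surfaces sprays that try one password across many users, which a per-account lockout counter misses.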

Talos also points to tactical overlaps with another cluster identified as FamousSparrow and with the group called Salt Typhoon, known for its interest in telecommunications operators, although the researchers make clear that there is no conclusive evidence to claim it is exactly the same actor. This detail reflects a problematic reality: different teams with similar capabilities and similar targets can operate in parallel or exchange tools, which complicates fast and reliable attribution.

The initial access vector is not fully established in the report, but the precedents of this actor and similar ones suggest that outdated systems, for example Windows servers or exposed Microsoft Exchange instances, have been frequent targets for deploying web shells and escalating activity. So the risk surface remains the same: unpatched software, poorly configured edge devices and exposed administration channels.

From an operational perspective, the campaign combines traditional techniques with some more advanced ones: in-memory loading and the use of hidden Windows drivers, the use of BitTorrent on Linux to decentralize command delivery, and the exploitation of edge devices to amplify scanning and brute-force attacks. This mix of approaches makes detection non-trivial; many of the anomalous signals can be confused with legitimate traffic or with poorly configured remote management tools.

For those who manage telecommunications networks, or any critical infrastructure, this means that several layers need to be strengthened at the same time: keep systems fully up to date, segment management traffic, harden credentials and remote access, and apply behavioral controls that detect in-memory code execution, abnormal library loads by legitimate processes such as wsprint.exe or msiexec.exe, and unexpected BitTorrent communication from business servers. It is also important to audit and protect edge devices; it is precisely those devices that, once compromised, can become footholds to escalate attacks or relays for mass campaigns.

If you want to place this type of threat within a larger framework of tactics and techniques, the MITRE ATT&CK matrix is a good reference for understanding the usual techniques of persistent actors; its material helps map detections and controls against tactics such as DLL side-loading, persistence or the use of non-standard protocols for C2: https://attack.mitre.org/. For a broader view of how adversaries target critical sectors, reports from cybersecurity agencies such as the European Union Agency for Cybersecurity (ENISA) provide annual analyses and useful recommendations: https://www.enisa.europa.eu.

In short, the Talos finding underlines that telecommunications service providers remain attractive targets for well-resourced groups. The exchange of tools and the reuse of tactics between clusters require the defense of these networks to be proactive, layered and prepared to detect behaviors beyond known signatures alone. And while technical research such as Cisco's helps identify specific indicators, real mitigation depends on maintaining cybersecurity hygiene, visibility into traffic and in-memory execution, and response procedures that make it possible to neutralize compromised nodes before they become broader attack platforms.
