Since 2024, a persistent actor linked to China, tracked by researchers as UAT-9244, has targeted telecommunications service providers in South America, compromising both Windows and Linux equipment and devices at the network edge. The ability to operate across multiple systems and architectures points to deliberate planning to attack critical infrastructure in the communications sector, a strategic target that can amplify the impact of any intrusion.
The Cisco Talos research team, which has been following this activity, notes that UAT-9244 shares tools, tactics and victim profiles with the groups known as FamousSparrow and Trooper, although Talos prefers to track this set of operations as an independent cluster. Analysts make this attribution with a high degree of confidence, but at the same time warn that, despite the overlap in targets with other collectives such as Salt Typhoon, there is no definitive evidence that unifies all of these campaigns under a single actor. For those who want to read the original technical analysis and the IoCs published by the researchers, the Talos report is available here: Cisco Talos - UAT-9244 report.

The campaign stands out for the appearance of three malware families that had not been publicly documented until now. In Windows environments a backdoor appears that the researchers call TernDoor. This threat uses DLL side-loading to load malicious code from a library that appears legitimate and, once on the system, injects the final payload into trusted processes. It also incorporates a self-contained device driver that lets the operator control process execution at will (kill, suspend and resume processes) and establishes persistence through scheduled tasks and Windows registry modifications designed to hide its traces. Its capabilities include remote command execution, file handling, collection of system information and the option of uninstalling itself in a controlled way.
On the Linux side, the family named PeerTime draws attention because it has been built for a wide range of architectures (ARM, AARCH, PPC and MIPS), which suggests a clear objective: the embedded devices and network equipment that abound in telecommunications environments. PeerTime is distributed in two variants, one in C/C++ and one in Rust, and uses an unconventional command and control channel: the BitTorrent protocol. This lets it communicate in peer-to-peer mode, download and run payloads from other peers, and use utilities common on embedded systems, such as BusyBox, to write files to the host. Researchers have also observed simplified Chinese debug strings in the orchestrators associated with the malware, an additional indication of the possible origin of the tools used by the attackers.
Completing the trio is a tool called BruteEntry, which includes an orchestrator binary written in Go and a brute-force module. The purpose of this component is to turn already compromised devices into scanning and operating nodes, which the attackers call Operational Relay Boxes (ORBs). From these nodes, sweeps are carried out in search of new targets and access attempts are launched against services such as SSH, Postgres databases and Tomcat servers. The results of the access attempts, along with task status, are reported back to the command and control infrastructure running the campaign.
Together, these three families form an attack chain in which an initial foothold on edge devices can quickly turn those devices into reconnaissance and pivoting platforms, feeding a proxy network that makes the operation harder to attribute and contain. The use of P2P protocols such as BitTorrent for command and control communication and the construction of ORB infrastructure are tactics aimed at increasing the campaign's resilience against detection and blocking efforts.
For the security teams of telecommunications operators, this research offers practical guidance: review telemetry for unusual system process executions, look for signs of DLL side-loading, and monitor scheduled tasks and suspicious Windows registry changes that attempt to hide persistence. In Linux environments and on embedded devices, pay attention to processes renamed to look legitimate, anomalous BusyBox-related activity and BitTorrent traffic with unusual patterns on equipment that should not be participating in P2P networks. In addition, large numbers of failed authentication attempts against SSH, Postgres or Tomcat may be an early sign of machines being used for brute forcing. Cisco Talos includes indicators of compromise in its report that response teams can use as a starting point for detecting and blocking these intrusions: IoC and technical analysis.
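As an added illustration of the last point on P2P traffic, and not code from the Talos report or from the malware itself, the following Python sketch parses the BitTorrent peer-wire handshake at the start of a TCP session and flags any source that is not on an assumed allow-list of hosts permitted to use P2P. The IP addresses, allow-list and payloads are constructed sample data.

```python
from collections import defaultdict

# Peer-wire handshake layout (BEP 3): one length byte (19), the literal
# "BitTorrent protocol", 8 reserved bytes, a 20-byte info_hash, a 20-byte peer_id.
BT_PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(BT_PSTR) + 8 + 20 + 20  # 68 bytes


def parse_bt_handshake(payload: bytes):
    """Return (info_hash_hex, peer_id) if the payload opens with a handshake, else None."""
    if len(payload) < HANDSHAKE_LEN or payload[0] != 19 or payload[1:20] != BT_PSTR:
        return None
    info_hash = payload[28:48].hex()
    peer_id = payload[48:68]
    return info_hash, peer_id


def flag_unexpected_p2p(flows, p2p_allowed):
    """flows: iterable of (src_ip, dst_ip, first_payload_bytes) for TCP sessions.

    Returns {src_ip: [(dst_ip, info_hash_hex, peer_id), ...]} for every source that
    initiated a BitTorrent handshake but is not on the P2P allow-list. Routers, CPE
    and other embedded gear should never appear in the result.
    """
    hits = defaultdict(list)
    for src, dst, payload in flows:
        parsed = parse_bt_handshake(payload)
        if parsed is not None and src not in p2p_allowed:
            hits[src].append((dst, parsed[0], parsed[1]))
    return dict(hits)


def build_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Assemble a handshake; used only to build the constructed sample traffic below."""
    return bytes([19]) + BT_PSTR + b"\x00" * 8 + info_hash + peer_id


# Constructed sample flows (not real captures): an edge router starting a handshake,
# a workstation that is allowed to use P2P, and an HTTP session that must not be flagged.
SAMPLE_FLOWS = [
    ("10.0.0.1", "203.0.113.7", build_handshake(b"\xaa" * 20, b"-PT0001-" + b"x" * 12)),
    ("10.0.0.50", "198.51.100.9", build_handshake(b"\xbb" * 20, b"-qB4500-" + b"y" * 12)),
    ("10.0.0.1", "192.0.2.10", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]

if __name__ == "__main__":
    for src, events in flag_unexpected_p2p(SAMPLE_FLOWS, {"10.0.0.50"}).items():
        for dst, ih, pid in events:
            print(f"ALERT {src} -> {dst} BitTorrent handshake info_hash={ih} peer_id={pid!r}")
```

In practice the first payload bytes would come from a sensor or packet capture, and the allow-list from the operator's asset inventory; the info_hash values can then be compared with the IoCs Talos publishes.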

Beyond the immediate technical response, campaigns like this once again put on the table the need to strengthen the cyber resilience of the communications sector. Service providers should strengthen network segmentation, apply strict access controls, require multi-factor authentication for critical administration and services, harden edge device configurations and maintain an active patching policy. For those who manage critical infrastructure, it is useful to consult the official resources on protecting the communications sector and good security practices from the US Cybersecurity and Infrastructure Security Agency (CISA), which maintains guides and advisories for the communications sector that can serve as an operational reference: CISA - Communications Sector.
For their part, the intelligence community and response teams have frameworks such as MITRE ATT&CK to correlate observed techniques and enrich detection rules. Understanding the persistence, evasion and intrusion techniques described by Talos helps map observations to practical detections and prioritise mitigations: MITRE ATT&CK.
The emergence of UAT-9244 and its tools confirms that attackers continue to innovate, adapting their arsenals to compromise heterogeneous devices and using less conventional communication channels. The lesson for operators and security leaders is clear: the attack surface has expanded and defenses must evolve accordingly, strengthening visibility, access control and response to abnormal behaviour across the whole infrastructure chain.