Cisco Talos uncovers UAT-9244 APT campaign using TernDoor, PeerTime, and BruteEntry implants against telecom infrastructure in South America
A China-linked advanced persistent threat (APT) actor has been targeting critical telecommunications infrastructure in South America since 2024, deploying three previously undocumented malware implants across Windows, Linux, and network edge devices. The campaign, tracked by Cisco Talos under the moniker UAT-9244, represents a sophisticated espionage effort against telecom providers in the region.
Three-Pronged Malware Attack Strategy
The attackers are using a coordinated approach with three distinct malware families:
TernDoor - A Windows backdoor deployed through DLL side-loading, leveraging the legitimate executable "wsprint.exe" to launch a rogue DLL that decrypts and executes the final payload in memory. This malware variant, based on Crowdoor (itself derived from SparrowDoor), has been active since at least November 2024. It establishes persistence through scheduled tasks or Registry Run keys and supports commands for process creation, file operations, system information collection, and process management through an embedded Windows driver.
PeerTime - A Linux peer-to-peer backdoor compiled for multiple architectures including ARM, AARCH, PPC, and MIPS, allowing it to infect various embedded systems. The malware employs BitTorrent protocol to fetch command-and-control information and download files from peers. Analysis revealed debug strings in Simplified Chinese within its instrumentor binary, suggesting Chinese-speaking threat actors created this custom tool.
BruteEntry - A brute-force scanner installed on edge devices that turns them into mass-scanning proxy nodes within an Operational Relay Box (ORB). It targets Postgres, SSH, and Tomcat servers and reports successful logins back to its command servers. Deployment starts with a shell script that installs two Golang-based components: an orchestrator, which delivers BruteEntry, and BruteEntry itself, which then contacts C2 servers for lists of IP addresses to target.
Campaign Technical Details
The exact initial access method remains unclear, though the attackers have previously exploited systems running outdated Windows Server and Microsoft Exchange Server versions to drop web shells. TernDoor checks that it is running injected into "msiexec.exe" before decoding its configuration data to extract the C2 parameters. The malware's command-line interface supports only a single "-u" switch, used for self-uninstallation.
PeerTime's loader decrypts and decompresses the final payload directly in memory, while its Rust variant represents a newer evolution of the malware family. The backdoor can rename itself as harmless processes to evade detection.
Attribution and Context
Cisco Talos describes UAT-9244 as closely associated with another cluster called FamousSparrow, which shares tactical overlaps with Salt Typhoon - a well-known China-nexus espionage group targeting telecommunication service providers. However, researchers emphasize there is no conclusive evidence directly linking UAT-9244 to Salt Typhoon despite similar targeting patterns.
Security Implications
This campaign highlights the ongoing threat to telecommunications infrastructure, particularly in South America. The use of multiple malware families targeting different operating systems and device types demonstrates a sophisticated, multi-platform approach to espionage. Organizations in the telecom sector should:
- Monitor for suspicious DLL side-loading activity
- Implement network segmentation to limit lateral movement
- Apply timely patches to Windows Server and Exchange Server systems
- Monitor edge devices for unauthorized software installations
- Review logs for unusual process injection patterns
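As an added example (not code from the Talos report), a minimal hunt for the side-loading pattern described above: it flags an executable running outside the standard Windows directories that loads a DLL sitting beside it, run over constructed Sysmon-style image-load events. The event field names and the side-loaded DLL name are assumptions.

```python
"""Side-loading hunt over constructed image-load telemetry (added example).

Assumptions (not from the Talos report): events are dicts shaped like
Sysmon Event ID 7 (ImageLoad); the rogue DLL name below is a placeholder.
"""
from pathlib import PureWindowsPath

# Directories where a signed Windows binary normally lives; a copy of one
# running from anywhere else is the first side-loading signal.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def is_suspicious_sideload(event: dict) -> bool:
    """True when a process running outside trusted dirs loads a DLL that sits
    in its own directory: the wsprint.exe pattern the report describes."""
    image = PureWindowsPath(event["Image"].lower())
    loaded = PureWindowsPath(event["ImageLoaded"].lower())
    if loaded.suffix != ".dll":
        return False
    if in_trusted_dir(str(image)):
        return False
    # DLL lives in the same directory as the executable that loaded it
    return loaded.parent == image.parent


def hunt(events):
    return [e for e in events if is_suspicious_sideload(e)]


# Constructed sample events (not real telemetry); DLL name is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Libs\wsprint.exe",
     "ImageLoaded": r"C:\Users\Public\Libs\PLACEHOLDER_SIDELOADED.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Users\Public\Libs\wsprint.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("suspicious side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

Only the first constructed event is flagged: the same executable loading kernel32.dll from System32 is normal and is not reported.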
The discovery of Chinese-language debug strings and the targeting of telecom infrastructure aligns with broader patterns of Chinese state-sponsored cyber espionage activities observed globally.
For organizations concerned about similar threats, Cisco Talos recommends implementing comprehensive endpoint detection and response capabilities, along with regular security assessments of critical infrastructure systems.