
China-Linked Hackers Target South American Telecom Networks


A newly identified threat actor, tracked as UAT-9244, has reportedly been targeting telecommunications infrastructure across South America since late 2024. The group uses purpose-built malware for Windows, Linux and network-edge devices. Although UAT-9244 shows tactical overlaps with the espionage cluster known as Salt Typhoon, analysts have not conclusively linked the two. Its activity is a concern because it reflects a deliberate effort to infiltrate telecommunications networks that are critical to national and regional security.

UAT-9244's toolkit includes three previously undocumented implants: TernDoor, a Windows backdoor; PeerTime, its Linux counterpart; and BruteEntry, a tool built for edge devices. Covering all three platforms suggests the operators understand each environment well enough to tailor tooling to it.

The initial access vector has not been confirmed. Researchers note, however, that the group commonly exploits known vulnerabilities in unpatched Microsoft Exchange and Windows servers to drop web shells, which then give the attackers a foothold for further movement into the environment. That pattern is a reminder that timely patching of internet-facing servers removes the entry point most often observed here.

TernDoor is delivered by DLL side-loading: a legitimate, typically signed, executable is launched and resolves a DLL by name from its own directory, so it loads the attackers' library in place of the expected one. That library decrypts the backdoor payload and runs it in memory, so no decrypted file is written to disk for file-based detection to find. Researchers assess TernDoor to be an evolution of the earlier Crowdoor and SparrowDoor families, reflecting continued refinement of the group's tooling over recent years.

Once installed, TernDoor persists across reboots by creating scheduled tasks or modifying registry keys; the report highlights this persistence as a point of difference from its predecessors. TernDoor also carries its own command set and a dedicated Windows driver, which gives the operators kernel-level control: the driver can suspend or terminate security software and manipulate other system processes, raising the impact of an infection.
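As an added illustration, not code from the Talos report or from this article, the Python script below applies two generic hunts for the behaviours described above to a handful of constructed Sysmon-style records: the co-located unsigned DLL pattern that side-loading relies on, and reboot persistence via Run keys or `schtasks /create`. The event values, the trusted-directory list and the rule names are assumptions made for this example, not TernDoor indicators.

```python
"""Generic hunts for DLL side-loading and reboot persistence over
Sysmon-shaped events. Field names follow Sysmon ImageLoad (ID 7),
ProcessCreate (ID 1) and RegistryEvent (ID 13); the records and the
thresholds are constructed for this example, not real telemetry."""
import json
import ntpath
import re

# Assumed install locations where a co-located DLL is expected (example allowlist).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def _dir(path):
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def side_load_candidate(ev):
    """ID 7: an unsigned DLL loaded from the loader's own directory when that
    directory is not a trusted install location. A legitimate exe copied next
    to a malicious DLL of the expected name produces exactly this shape."""
    if ev.get("EventID") != 7:
        return None
    if str(ev.get("Signed", "")).lower() != "false":
        return None
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if _dir(exe) != _dir(dll) or _dir(exe).startswith(TRUSTED_DIRS):
        return None
    return {"rule": "dll_sideload", "process": exe, "detail": dll}


def persistence_candidate(ev):
    """ID 13 writes under Run/RunOnce, and ID 1 schtasks.exe with /create."""
    eid = ev.get("EventID")
    if eid == 13 and any(k in ev["TargetObject"].lower() for k in RUN_KEYS):
        return {"rule": "run_key", "process": ev["Image"],
                "detail": ev["TargetObject"] + " -> " + ev["Details"]}
    if eid == 1 and ntpath.basename(ev["Image"]).lower() == "schtasks.exe":
        cmd = ev["CommandLine"]
        if re.search(r"/create\b", cmd, re.I):
            m = re.search(r'/tn\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
            name = (m.group(1) or m.group(2)) if m else "?"
            return {"rule": "scheduled_task", "process": ev["Image"], "detail": name}
    return None


def hunt(events):
    """Run both checks over every event; returns the list of findings."""
    findings = []
    for ev in events:
        for check in (side_load_candidate, persistence_candidate):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (not real logs): three should fire, four should not.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libs\updater.exe",
     "ImageLoaded": r"C:\Users\Public\Libs\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "false"},
    {"EventID": 13, "Image": r"C:\Users\Public\Libs\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\Libs\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "System Update" /tr "C:\Users\Public\Libs\updater.exe" /sc onlogon'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /query /fo LIST"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(json.dumps(f))
```

The side-loading rule deliberately stays silent for vendor software in Program Files loading its own unsigned helper, which is the main false-positive source for this pattern; in a real deployment the trusted-directory list would be tuned per estate, and a hit on the second rule pointing at the same user-writable directory as a first-rule hit is the correlation worth triaging first.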

To limit forensic exposure, TernDoor includes a dedicated uninstall command that removes the implant and its traces from the host. That emphasis on stealth, together with the focus on high-value telecommunications data, shows how deliberate the campaign is and how exposed South American infrastructure remains.

In response, security teams and intelligence agencies are working to establish whether emerging activity clusters such as this one overlap with established state-sponsored espionage groups. UAT-9244 is a reminder of how quickly the threat landscape shifts, particularly in regions where telecommunications underpin national security and global connectivity.

With ongoing developments in cybersecurity technology and tactics, it remains vital for organizations within the telecommunications sector to reinforce their defenses. By doing so, they can better protect against sophisticated adversaries like UAT-9244, fostering a more resilient infrastructure capable of withstanding various cyber threats. As the situation continues to evolve, vigilance and proactive measures will be essential in maintaining the integrity and security of critical communication networks.

For more detailed insights on this topic, interested readers can refer to the original analysis provided by Talos Intelligence, titled “China-Linked Hackers Deploy TernDoor, PeerTime In South American Telecom Attacks.”
