
China-Linked Hackers Employ Trio of Malware for Telecom Espionage

Researchers Link UAT-9244 Intrusions to Notorious Cyberespionage Groups

In a recent report, Cisco Talos researchers have revealed that a China-linked cyberespionage group, identified as UAT-9244, has been actively targeting telecommunications providers in South America since 2024. This new information underscores rising cybersecurity threats posed by state actors in the region, utilizing previously undocumented malware tools designed for maintaining persistent access to critical communication infrastructures.

The findings, made public on March 6, 2026, tie UAT-9244 to two well-known Chinese advanced persistent threat (APT) groups: Famous Sparrow and Tropic Trooper. Both groups have a long record of targeting sensitive sectors, which is why activity overlapping with theirs draws immediate national-security attention.

Famous Sparrow has been operational since at least 2019, with a documented history of intrusions that includes attacks on hotels, government entities, international organizations, and prestigious law firms. Meanwhile, Tropic Trooper has been active for an even longer period, dating back to 2011. This group primarily concentrates its efforts on government agencies, transportation networks, and high-tech industries across regions such as Taiwan, Hong Kong, and the Philippines, with increasing focus on the Middle East.

The research specifies that the campaign led by UAT-9244 is particularly concerning because it zeroes in on telecommunications networks—gateways to vast amounts of sensitive communications data. These networks serve as critical points for intelligence collection, making their compromise a strategic objective for nation-state actors.

Among the malware families identified during the investigation are a Windows backdoor known as TernDoor, a Linux variant called PeerTime, and a credential brute-forcing tool named BruteEntry. Each of these tools has been designed with distinct capabilities to ensure the intruders retain remote access and steer clear of detection.

TernDoor is deployed through DLL side-loading: a legitimate executable is made to load a malicious library placed alongside it, and that library decrypts the final payload and executes it in memory. The payload is then injected into msiexec.exe, the Windows Installer process, so the backdoor runs under a process name that routinely appears on workstations and servers and is easy to overlook in process listings. Once running, TernDoor lets the operators execute remote commands, collect system information, and manipulate files on the compromised host.

Cisco Talos traces TernDoor's lineage to CrowDoor, a backdoor linked to earlier Chinese cyberespionage activity. For persistence, TernDoor creates scheduled tasks and alters registry keys to hide its presence from routine inspection, and it sets a Windows Registry Run key so that the malware is relaunched at every user logon. A malicious Windows driver is also installed during this process; it can suspend or terminate processes, which the operators can use to blind security monitoring tools before they raise an alert.
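The tradecraft described in the two paragraphs above (a legitimate binary side-loading an unsigned DLL next to it, injection into msiexec.exe, Run-key and scheduled-task persistence, an out-of-place driver) all leaves traces in endpoint telemetry. The following hunting script is an added example, not code from Talos or anything recovered from TernDoor: it applies those heuristics to Sysmon-style event records. The records, the trusted-directory list, the expected parents of msiexec.exe and the choice of CreateRemoteThread as the injection signal are all assumptions made for the example.

```python
"""Hunting rules for TernDoor-style tradecraft, run over Sysmon-style event
records.  Added example, not Talos or malware code; the records below are
constructed for illustration and use Sysmon's field names (EventID, Image,
ImageLoaded, ParentImage, TargetObject, Details, Signed, ...).
"""
from __future__ import annotations
from pathlib import PureWindowsPath

# Where legitimately installed binaries, DLLs and drivers normally live (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Parents that normally start msiexec.exe: the Windows Installer service host,
# the shell (double-clicked .msi) and msiexec itself.  Tune per environment (assumption).
EXPECTED_MSIEXEC_PARENTS = {"services.exe", "explorer.exe", "msiexec.exe"}


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def check_event(ev: dict) -> list[str]:
    """Return findings for one event; empty list when nothing matches."""
    eid, out = ev["EventID"], []
    if eid == 1:  # ProcessCreate
        image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
        cmd = ev.get("CommandLine", "").lower()
        if image == "msiexec.exe" and parent not in EXPECTED_MSIEXEC_PARENTS:
            out.append(f"msiexec.exe started by unexpected parent {ev['ParentImage']}")
        if image == "schtasks.exe" and "/create" in cmd and not _trusted(ev["ParentImage"]):
            out.append(f"scheduled task created by untrusted binary: {cmd}")
    elif eid == 6:  # DriverLoad
        if ev.get("Signed", "false") != "true" or not _trusted(ev["ImageLoaded"]):
            out.append(f"unsigned or out-of-place driver loaded: {ev['ImageLoaded']}")
    elif eid == 7:  # ImageLoaded: a DLL mapped into a process
        image, dll = ev["Image"], ev["ImageLoaded"]
        # Side-loading signature: a DLL sitting beside the EXE, outside the
        # trusted directories, and not Authenticode-signed.
        if _dir(image) == _dir(dll) and not _trusted(dll) and ev.get("Signed") != "true":
            out.append(f"possible DLL side-loading: {_name(image)} loaded {dll}")
    elif eid == 8:  # CreateRemoteThread: one common way to inject into another process
        if _name(ev["TargetImage"]) == "msiexec.exe":
            out.append(f"remote thread in msiexec.exe from {ev['SourceImage']}")
    elif eid == 13:  # RegistryEvent: a value was set
        if "\\currentversion\\run\\" in ev["TargetObject"].lower() and not _trusted(ev["Details"]):
            out.append(f"Run key persistence outside trusted dirs: {ev['Details']}")
    return out


def hunt(events: list[dict]) -> list[str]:
    """Apply check_event to every record and collect the findings."""
    return [finding for ev in events for finding in check_event(ev)]


# Constructed telemetry: two benign records followed by five that should alert.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "msiexec.exe /V"},
    {"EventID": 7, "Image": r"C:\Users\Public\Update\updater.exe",
     "ImageLoaded": r"C:\Users\Public\Update\version.dll", "Signed": "false"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\Update\updater.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\Update\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\Public\Update\updater.exe",
     "CommandLine": r"schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\Public\Update\updater.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\Update\helper.sys", "Signed": "false"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Each rule is deliberately coarse; in a real fleet the trusted-directory list and the msiexec.exe parent set need tuning, and the value of the script is in correlating several of these findings on one host within a short window rather than alerting on any single one.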

The second tool, PeerTime, is notable because it is an ELF backdoor built for multiple processor architectures, including ARM, MIPS, PowerPC, and AArch64. That breadth lets it run on the Linux servers, routers, and embedded systems commonly found in telecommunications environments. Two distinct versions of PeerTime have been identified, one written in C/C++ and the other in Rust.

Unlike conventional malware that communicates with a centralized command-and-control (C2) server, PeerTime uses the BitTorrent protocol to receive instructions and fetch new payloads from peer nodes. With no single server to block or sinkhole, the peer-to-peer model obscures the operators' infrastructure and complicates both detection and analysis. The researchers also found debug strings in Simplified Chinese within the instrumentor binary associated with PeerTime, reinforcing the link to Chinese-speaking operators.
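The practical consequence of a BitTorrent-based channel is that the defender's signal is the protocol itself: a telecom core or edge node has no business sending a BitTorrent peer-wire handshake or DHT queries. The code below is an added example, not Talos code or anything derived from PeerTime; it parses the public BitTorrent wire formats (the 68-byte peer-wire handshake and bencoded DHT messages) and maps each source IP to the message kinds it emitted. The sample payloads and addresses are constructed.

```python
"""Recognise BitTorrent traffic in captured payloads: the peer-wire handshake
and bencoded DHT messages, which is what a PeerTime-style P2P channel looks
like on the wire.  Added example, not Talos code; payloads are constructed.
"""
from __future__ import annotations
from collections import defaultdict

PSTR = b"BitTorrent protocol"  # fixed handshake string, preceded by its length (19)
DHT_KINDS = {b"q": "dht_query", b"r": "dht_response", b"e": "dht_error"}


def bdecode(data: bytes, i: int = 0):
    """Minimal bencode decoder: returns (value, index just after the value)."""
    c = data[i:i + 1]
    if c == b"i":                       # integer  i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                       # list     l...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                       # dict     d<key><value>...e
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():                     # string   <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError(f"not bencode at offset {i}")


def classify(payload: bytes) -> dict | None:
    """Describe the BitTorrent message in payload, or return None."""
    # Peer-wire handshake (TCP): 1-byte length, "BitTorrent protocol",
    # 8 reserved bytes, 20-byte info_hash, 20-byte peer_id = 68 bytes.
    if len(payload) >= 68 and payload[0] == len(PSTR) and payload[1:20] == PSTR:
        return {"kind": "peer_wire_handshake",
                "info_hash": payload[28:48].hex(),
                "peer_id": payload[48:68]}
    # DHT (UDP): a bencoded dict whose "y" key says query / response / error.
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError):
        return None
    if not (isinstance(msg, dict) and end == len(payload) and msg.get(b"y") in DHT_KINDS):
        return None
    info = {"kind": DHT_KINDS[msg[b"y"]]}
    if msg[b"y"] == b"q":
        info["method"] = msg.get(b"q", b"").decode("ascii", "replace")
        args = msg.get(b"a", {})
        if isinstance(args, dict) and b"info_hash" in args:
            info["info_hash"] = args[b"info_hash"].hex()
    return info


def p2p_talkers(flows):
    """Map each source IP to the set of BitTorrent message kinds it sent.
    flows: iterable of (src_ip, payload).  Any entry from a telecom core or
    edge node deserves a look: those hosts have no reason to join a swarm."""
    seen = defaultdict(set)
    for src, payload in flows:
        info = classify(payload)
        if info:
            seen[src].add(info["kind"])
    return dict(seen)


# Constructed payloads: a handshake, a DHT get_peers query, and two non-BitTorrent packets.
SAMPLE_HANDSHAKE = bytes([19]) + PSTR + b"\x00" * 8 + bytes(range(20)) + b"-PT0001-" + b"\x00" * 12
SAMPLE_DHT_QUERY = (b"d1:ad2:id20:" + b"a" * 20 + b"9:info_hash20:" + b"b" * 20 +
                    b"e1:q9:get_peers1:t2:aa1:y1:qe")
SAMPLE_FLOWS = [
    ("10.20.0.7", SAMPLE_HANDSHAKE),
    ("10.20.0.7", SAMPLE_DHT_QUERY),
    ("10.20.0.8", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("10.20.0.9", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]

if __name__ == "__main__":
    for src, kinds in p2p_talkers(SAMPLE_FLOWS).items():
        print(src, sorted(kinds))
```

The check is on the payload, not the port, because a P2P backdoor is free to pick any port; the handshake string and the bencoded DHT structure are what cannot change without breaking interoperability with the swarm.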

BruteEntry, the third component, turns compromised edge devices into operational relay boxes (ORBs) that run credential brute-force attacks against exposed services. Written in Go, it registers with a C2 server, receives a list of IP addresses to scan, and targets SSH, Postgres, and Tomcat. Any valid credentials it finds are sent back to the attackers' command infrastructure.
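Because BruteEntry runs from many relay boxes, each one can stay below the per-IP failure threshold that most login-monitoring rules use, while the target still absorbs a large volume of guesses. The detector below is an added example, not Talos code; it parses failed-authentication lines for the three services named above (sshd syslog, Postgres server log with a remote-host prefix, Tomcat access log 401s on the manager application) and raises both a conventional single-source alert and a distributed alert that looks at the total across sources. The log lines, thresholds, and the assumed year for the syslog timestamps are all constructed for the example.

```python
"""Detect credential brute-forcing of the kind BruteEntry performs against SSH,
Postgres and Tomcat, including the distributed form where attempts are spread
across many relay boxes so that no single source IP trips a per-IP threshold.
Added example, not Talos code; the log lines are constructed.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timezone

SYSLOG_YEAR = 2026  # syslog lines carry no year; assumed for the constructed sample

# One regex per service, each capturing a timestamp, the source IP and the target.
PATTERNS = {
    "ssh": re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                      r"Failed password for (?:invalid user )?(?P<target>\S+) from (?P<src>[\d.]+)"),
    "postgres": re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC \[\d+\] (?P<src>[\d.]+)\(\d+\) \S+ "
                           r"FATAL:\s+password authentication failed for user \"(?P<target>[^\"]+)\""),
    "tomcat": re.compile(r"^(?P<src>[\d.]+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] "
                         r"\"\S+ (?P<target>/manager\S*) [^\"]*\" 401 "),
}
TS_FORMATS = {"ssh": "%b %d %H:%M:%S", "postgres": "%Y-%m-%d %H:%M:%S", "tomcat": "%d/%b/%Y:%H:%M:%S"}


def parse_line(line: str) -> dict | None:
    """Turn one failed-auth log line into {t, service, src, target}; None if it is not one."""
    for service, rx in PATTERNS.items():
        m = rx.match(line)
        if not m:
            continue
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), TS_FORMATS[service])
        if service == "ssh":
            ts = ts.replace(year=SYSLOG_YEAR)
        return {"t": ts.replace(tzinfo=timezone.utc).timestamp(),
                "service": service, "src": m["src"], "target": m["target"]}
    return None


def detect(events, window=300, per_source=10, min_sources=5, min_total=20):
    """Slide a time window over each service's failures.  'single-source' fires when
    one IP reaches per_source attempts; 'distributed' fires when the window holds
    >= min_total attempts from >= min_sources IPs while every IP stays under
    per_source, which is the relay-box pattern a per-IP rule alone would miss."""
    alerts, seen = [], set()
    by_service = defaultdict(list)
    for e in events:
        by_service[e["service"]].append(e)
    for service, evs in by_service.items():
        evs.sort(key=lambda e: e["t"])
        start = 0
        for end, e in enumerate(evs):
            while evs[start]["t"] < e["t"] - window:
                start += 1
            counts = defaultdict(int)
            for w in evs[start:end + 1]:
                counts[w["src"]] += 1
            total = sum(counts.values())
            key = ("single", service, e["src"])
            if counts[e["src"]] >= per_source and key not in seen:
                seen.add(key)
                alerts.append({"type": "single-source", "service": service,
                               "src": e["src"], "attempts": counts[e["src"]]})
            key = ("distributed", service)
            if (len(counts) >= min_sources and total >= min_total
                    and max(counts.values()) < per_source and key not in seen):
                seen.add(key)
                alerts.append({"type": "distributed", "service": service,
                               "sources": sorted(counts), "attempts": total})
    return alerts


def analyze(lines):
    """Parse raw log lines and run the detector over the failures found."""
    return detect([e for e in map(parse_line, lines) if e])


# Constructed sample: six relay boxes making four SSH guesses each (24 attempts,
# none above threshold on its own), one noisy Postgres brute-forcer, and a
# little Tomcat manager probing that should stay below both thresholds.
def _ssh(sec, src, user):
    return f"Mar  6 10:{sec // 60:02d}:{sec % 60:02d} gw1 sshd[2211]: Failed password for {user} from {src} port {40000 + sec} ssh2"

def _pg(sec, src):
    return f"2026-03-06 10:{sec // 60:02d}:{sec % 60:02d} UTC [9031] {src}(5432) postgres@postgres FATAL:  password authentication failed for user \"postgres\""

def _tomcat(sec, src):
    return f"{src} - - [06/Mar/2026:10:{sec // 60:02d}:{sec % 60:02d} +0000] \"GET /manager/html HTTP/1.1\" 401 2473"

SAMPLE_LINES = (
    [_ssh(5 * (i * 4 + k), f"203.0.113.{10 + i}", ("root", "admin")[k % 2]) for i in range(6) for k in range(4)]
    + [_pg(7 * k, "198.51.100.77") for k in range(12)]
    + [_tomcat(30 * k, src) for src in ("192.0.2.5", "192.0.2.6") for k in range(3)]
    + ["Mar  6 10:03:00 gw1 sshd[2211]: Accepted publickey for ops from 10.0.0.4 port 5555 ssh2"]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

On the sample, the six SSH sources never exceed four attempts each, so only the distributed rule catches them; the Postgres source trips the ordinary per-IP rule. Real log formats vary with the configured sshd, log_line_prefix and access-log patterns, so the regexes are the part to adapt first.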

These coordinated intrusions highlight a worrying trend of expanding Chinese espionage activities against telecommunications providers worldwide. In the past, another China-linked group, Salt Typhoon, successfully compromised at least nine major U.S. carriers and infiltrated systems across over 80 countries. Continued monitoring has shown that Salt Typhoon’s activities persisted well into early 2026.

As these campaigns continue, telecommunications operators need correspondingly stronger defenses. Sustained intrusions into carrier networks can have far-reaching consequences, and they illustrate how nation-state actors now pursue espionage with growing sophistication and little apparent fear of consequences.
