Ethical Hacking News
A new China-linked Advanced Persistent Threat (APT) actor, UAT-9244, has been identified targeting critical telecommunications infrastructure in South America. This article delves into the details of UAT-9244's tactics, techniques, and procedures, providing an in-depth analysis of its sophisticated malware and attack vectors.
UAT-9244 is a China-linked Advanced Persistent Threat (APT) actor targeting critical telecommunications infrastructure in South America. The APT's primary objective is to compromise Windows and Linux systems, as well as edge devices. The attack campaign uses three distinct implants: TernDoor, PeerTime, and BruteEntry. TernDoor is a Windows-based implant that leverages DLL side-loading for backdoor capabilities. PeerTime is a Linux-based implant deployed via a shell script and utilizing the BitTorrent protocol for C2 communication. BruteEntry is an edge device-based implant designed to turn network devices into mass-scanning proxy nodes within Operational Relay Boxes (ORBs).
The cybersecurity landscape has witnessed numerous high-profile attacks attributed to state-sponsored actors in recent times. However, one particular campaign has garnered significant attention due to its sophistication and targeted nature – the UAT-9244 Advanced Persistent Threat (APT) actor. This article aims to delve into the details of this China-linked APT actor's tactics, techniques, and procedures (TTPs), providing an in-depth analysis of the sophisticated malware and attack vectors employed by UAT-9244.
In 2024, Cisco Talos researchers identified a new cluster of attacks attributed to UAT-9244, which has been linked to another group known as FamousSparrow. While there is no conclusive evidence tying these two clusters together, their targeting footprints share several similarities, leading some to speculate about potential connections between the two actors.
UAT-9244's primary objective appears to be to compromise critical telecommunications infrastructure in South America. This campaign targets Windows and Linux systems as well as edge devices, utilizing three distinct implants: TernDoor, PeerTime, and BruteEntry. The attack chains employed by UAT-9244 are complex and involve multiple stages, including the initial access method, which remains unknown.
TernDoor is a Windows-based implant that leverages DLL side-loading to launch a rogue DLL named "BugSplatRc64.dll." This backdoor establishes persistence on the host through scheduled tasks or Registry Run keys and differs from CrowDoor in using distinct command codes and embedding a Windows driver to suspend, resume, and terminate processes.
The TernDoor backdoor also boasts an uninstallation mechanism, allowing UAT-9244 to remove itself from compromised systems. Furthermore, it supports only one command-line switch ("-u") to delete associated artifacts.
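The persistence described above gives defenders a concrete hunt: Run-key values and scheduled-task actions whose launched executable sits next to a DLL that is known to be side-loaded. The Python below is an added illustration of that hunt, not code from the article or from the Talos research; the only page-derived value is the DLL name BugSplatRc64.dll, and the persistence entries, directory listings and trusted-root list are constructed assumptions.

```python
"""Added hunting example (not from the article or the Talos research): flag
persistence entries whose launched executable sits beside a DLL name on a
side-loading watchlist. Sample entries and listings are constructed; only the
DLL name BugSplatRc64.dll comes from the article."""
from pathlib import PureWindowsPath

# DLL file names known to be abused for side-loading. BugSplatRc64.dll is the
# name given in the article; others would be added from your own intel.
SIDELOAD_WATCHLIST = {"bugsplatrc64.dll"}

# Directories where signed vendor executables normally live (assumed list).
# An executable launched from persistence but located elsewhere is treated as
# higher priority when a watchlisted DLL sits next to it.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

def executable_from_command(command: str) -> str:
    """Return the executable path from a Run-key value or task action.
    Handles both quoted ("C:\\x y\\a.exe" -u) and bare (C:\\a.exe -u) forms."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def find_sideload_candidates(entries, dir_listings):
    """entries: list of dicts with 'source', 'name', 'command'.
    dir_listings: dict mapping lowercase directory path (trailing backslash)
    to the set of lowercase file names in it, as collected from the host.
    Returns a list of findings for entries worth a closer look."""
    findings = []
    for entry in entries:
        exe = PureWindowsPath(executable_from_command(entry["command"]))
        directory = str(exe.parent).lower().rstrip("\\") + "\\"
        files = dir_listings.get(directory, set())
        hits = sorted(files & SIDELOAD_WATCHLIST)
        if not hits:
            continue
        findings.append({
            "source": entry["source"],
            "name": entry["name"],
            "executable": str(exe),
            "sideload_dll": hits,
            "outside_trusted_root": not directory.startswith(TRUSTED_ROOTS),
        })
    return findings

# Constructed sample data standing in for what a collector would gather.
SAMPLE_ENTRIES = [
    {"source": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "UpdateCheck",
     "command": '"C:\\ProgramData\\Updater\\BugSplat.exe" -background'},
    {"source": "ScheduledTask",
     "name": "\\Microsoft\\Windows\\Maintenance\\Cleanup",
     "command": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"source": "ScheduledTask",
     "name": "\\VendorTelemetry",
     "command": '"C:\\Program Files\\VendorApp\\BugSplat.exe" -quiet'},
]
SAMPLE_LISTINGS = {
    "c:\\programdata\\updater\\": {"bugsplat.exe", "bugsplatrc64.dll", "cfg.dat"},
    "c:\\windows\\system32\\": {"svchost.exe", "kernel32.dll"},
    "c:\\program files\\vendorapp\\": {"bugsplat.exe", "bugsplatrc64.dll"},
}

if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_ENTRIES, SAMPLE_LISTINGS):
        print(finding)
```

On the sample data both BugSplat entries are reported, because BugSplat is a legitimate crash-reporting component and its DLL name alone proves nothing; the outside_trusted_root flag is what separates the copy launched from ProgramData from the vendor install under Program Files, so triage the former first and confirm the DLL's signature and hash before acting.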
On the other hand, PeerTime is a Linux-based implant compiled for multiple architectures, including ARM, AARCH, PPC, and MIPS. This backdoor is deployed via a shell script that checks for the presence of Docker on compromised hosts using specific commands. If Docker is found, it executes the PeerTime loader, which decrypts and decompresses its final payload and runs it directly in memory.
PeerTime comes in two flavors: one written in C/C++ and another programmed in Rust. It employs the BitTorrent protocol to fetch C2 information, download files from peers, and execute them on compromised systems. This backdoor also reports successful logins back to the C2 server.
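Because PeerTime rides on BitTorrent, the traffic itself is the most reliable thing to look for: a telecommunications server has no business opening peer-wire or DHT sessions. The Python below is an added illustration of that network check, not code from the article or the Talos research. It parses the BitTorrent peer-wire handshake (a 68-byte message defined by the protocol: length byte 19, the string "BitTorrent protocol", 8 reserved bytes, a 20-byte info_hash and a 20-byte peer_id) and applies a simple heuristic for bencoded DHT (KRPC) messages; the captured flows are constructed samples.

```python
"""Added example (not from the article or the Talos research): recognise
BitTorrent peer-wire handshakes and DHT messages in captured payloads so that
hosts that should never speak BitTorrent can be flagged. Sample flows are
constructed."""
import struct
from dataclasses import dataclass

# Peer-wire handshake layout, per the BitTorrent protocol specification:
#   1 byte pstrlen (19), 19 bytes "BitTorrent protocol", 8 reserved bytes,
#   20 bytes info_hash, 20 bytes peer_id  -> 68 bytes in total.
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20

@dataclass
class Handshake:
    info_hash: str   # hex-encoded 20-byte torrent identifier
    peer_id: bytes
    reserved: bytes  # extension bits advertised by the peer

def parse_handshake(payload: bytes):
    """Return a Handshake if the payload begins with a valid handshake, else None."""
    if len(payload) < HANDSHAKE_LEN or payload[0] != len(PSTR):
        return None
    if payload[1:1 + len(PSTR)] != PSTR:
        return None
    reserved, info_hash, peer_id = struct.unpack(">8s20s20s", payload[20:HANDSHAKE_LEN])
    return Handshake(info_hash=info_hash.hex(), peer_id=peer_id, reserved=reserved)

def looks_like_dht_message(payload: bytes) -> bool:
    """Heuristic for a KRPC (DHT) datagram: a bencoded dict whose last key is
    'y' with value 'q' (query) or 'r' (response). Not a full bencode parser."""
    return payload.startswith(b"d") and payload.endswith((b"1:y1:qe", b"1:y1:re"))

def classify_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, proto, first_payload).
    Returns one finding per flow that looks like BitTorrent traffic."""
    findings = []
    for src, dst, port, proto, payload in flows:
        hs = parse_handshake(payload) if proto == "tcp" else None
        if hs:
            findings.append({"src": src, "dst": dst, "port": port,
                             "kind": "peer-wire handshake", "info_hash": hs.info_hash})
        elif proto == "udp" and looks_like_dht_message(payload):
            findings.append({"src": src, "dst": dst, "port": port, "kind": "dht message"})
    return findings

# Constructed sample flows: a handshake, a DHT ping, and a TLS ClientHello
# (record type 0x16, version 0x0301, handshake type 0x01) that must not match.
SAMPLE_FLOWS = [
    ("10.20.0.15", "198.51.100.23", 6881, "tcp",
     bytes([19]) + PSTR + b"\x00" * 8 + bytes(range(20)) + b"-PC0001-" + b"123456789012"),
    ("10.20.0.15", "198.51.100.40", 6881, "udp",
     b"d1:ad2:id20:" + b"\x11" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    ("10.20.0.15", "203.0.113.9", 443, "tcp",
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for finding in classify_flows(SAMPLE_FLOWS):
        print(finding)
```

The extracted info_hash is worth keeping in the alert: it identifies the swarm, so repeated sightings of one hash across several hosts tie them to the same distribution channel. The caveat is that peers negotiating Message Stream Encryption never send this plaintext handshake, so the check catches unencrypted sessions and DHT lookups only; pair it with port and destination-reputation signals rather than relying on it alone.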
BruteEntry is an edge device-based implant designed to turn network devices into mass-scanning proxy nodes within Operational Relay Boxes (ORBs). This backdoor contacts a C2 server to obtain IP addresses for performing brute-force attacks on Postgres, SSH, and Tomcat servers. BruteEntry uses a shell script that drops two Golang-based components: an orchestrator and BruteEntry itself.
The orchestrator delivers BruteEntry, which then contacts the C2 server to receive the list of IP addresses to be targeted for brute-force attacks. BruteEntry then reports back to the C2 server on whether each login attempt succeeded.
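From the target's side, a BruteEntry node shows up as a burst of failed logins against the three services the article names, often from the same source within minutes. The Python below is an added detection example, not code from the article or the Talos research: it parses failed-login lines from sshd (syslog format), PostgreSQL (assuming a log_line_prefix of '%t [%p] %h ' so the client address appears in the line) and the Tomcat access log (HTTP 401 on /manager paths), then flags any source exceeding a failure threshold inside a sliding window. The log lines, threshold and window are constructed assumptions.

```python
"""Added example (not from the article or the Talos research): count failed
logins per source IP across sshd, PostgreSQL and Tomcat manager logs and flag
sources that exceed a threshold inside a time window. Log lines are
constructed samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2026                     # syslog lines carry no year; assumed
WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 5                   # assumed failures per window before flagging

# One regex per log format; each captures 'ts' and 'ip'.
PATTERNS = {
    # sshd via syslog: "Mar  6 04:09:52 host sshd[2817]: Failed password for ..."
    "ssh": re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
        r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
    # PostgreSQL with log_line_prefix '%t [%p] %h ' (assumed configuration)
    "postgres": re.compile(
        r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \[\d+\] (?P<ip>[\d.]+) "
        r"FATAL:  password authentication failed for user"),
    # Tomcat access log, common format: a 401 on the manager application
    "tomcat": re.compile(
        r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] '
        r'"\S+ /manager\S* [^"]*" 401 '),
}

def parse_line(line):
    """Return (kind, timestamp, source_ip) for a failed-login line, else None."""
    for kind, pattern in PATTERNS.items():
        m = pattern.search(line)
        if not m:
            continue
        ts = m.group("ts")
        if kind == "ssh":
            when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=YEAR)
        elif kind == "postgres":
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        else:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S")
        return kind, when, m.group("ip")
    return None

def find_bruteforce_sources(lines, window=WINDOW, threshold=THRESHOLD):
    """Group failures by source IP and report each IP that reaches `threshold`
    failures inside any span of length `window`. Returns {ip: info}."""
    events = defaultdict(list)
    services = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            kind, when, ip = parsed
            events[ip].append(when)
            services[ip].add(kind)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"count": len(times), "services": sorted(services[ip])}
                break
    return flagged

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    "Mar  6 04:09:52 telco-gw sshd[2817]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2",
    "Mar  6 04:09:55 telco-gw sshd[2817]: Failed password for root from 203.0.113.5 port 50124 ssh2",
    "Mar  6 04:09:58 telco-gw sshd[2819]: Failed password for invalid user oracle from 203.0.113.5 port 50130 ssh2",
    "Mar  6 04:10:01 telco-gw sshd[2820]: Accepted publickey for ops from 198.51.100.7 port 41000 ssh2",
    "Mar  6 04:10:03 telco-gw sshd[2821]: Failed password for ops from 198.51.100.7 port 41002 ssh2",
    '2026-03-06 04:10:05 UTC [4412] 203.0.113.5 FATAL:  password authentication failed for user "postgres"',
    '203.0.113.5 - - [06/Mar/2026:04:10:20 +0000] "GET /manager/html HTTP/1.1" 401 2473',
]

if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LINES))
```

On the sample, 203.0.113.5 is flagged with five failures across all three services while the single mistyped password from 198.51.100.7 is not. Correlating the three logs by source address is the point: per-service thresholds tuned for a single daemon would miss a scanner that spreads a handful of attempts over each service.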
In conclusion, UAT-9244 represents a sophisticated China-linked APT actor that has been targeting critical telecommunications infrastructure in South America. This campaign showcases the TTPs employed by UAT-9244, including the use of multiple implants, complex attack chains, and edge device exploitation. As cybersecurity professionals, it is essential to stay informed about emerging threats like UAT-9244 and take proactive measures to protect our networks and systems from such sophisticated attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Comprehensive-Analysis-of-the-UAT-9244-Advanced-Persistent-Threat-Actor-Unveiling-the-Tactics-and-Techniques-Behind-a-China-Linked-Cyber-Espionage-Campaign-ehn.shtml
https://thehackernews.com/2026/03/china-linked-hackers-use-terndoor.html
https://www.reuters.com/world/china/chinese-linked-hackers-use-back-door-potential-sabotage-us-canada-say-2025-12-04/
https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/
https://www.eset.com/us/about/newsroom/research/cyberespionage-attacks-by-the-china-aligned-famoussparrow-group-in-the-united-states-eset-research-discovers/
Published: Fri Mar 6 04:09:52 2026 by llama3.2 3B Q4_K_M