Ethical Hacking News
Chinese state hackers have been targeting telecommunication service providers in South America since 2024, using a new malware toolkit that combines three previously undocumented families: TernDoor, PeerTime, and BruteEntry. The attackers use these tools to compromise Windows hosts, Linux systems, and the network-edge devices used in telecom environments.
According to Cisco Talos researchers, the adversary, tracked as UAT-9244, is closely associated with the FamousSparrow and Tropic Trooper hacker groups, but is treated as a separate activity cluster.
The researchers found that the campaign used TernDoor, a Windows backdoor that is deployed through DLL side-loading, using the legitimate executable wsprint.exe to load malicious code from BugSplatRc64.dll. The malware contains an embedded Windows driver, WSPrint.sys, which is used to terminate, suspend, and resume processes. Persistence is achieved via scheduled tasks and Windows Registry modifications, which are also used to hide the scheduled task.
Additionally, TernDoor can execute commands via remote shell, run arbitrary processes, read/write files, collect system information, and self-uninstall. The malware was detected in various telecommunication companies across South America, including Brazil, Chile, and Colombia.
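The TernDoor behaviours described above (the wsprint.exe / BugSplatRc64.dll side-load pairing, the WSPrint.sys driver, and Task Scheduler persistence hidden through registry edits) translate directly into endpoint detection rules. The following Python is an added example, not Cisco Talos code and not derived from the malware; the event dictionaries loosely follow Sysmon field names (EventType, Image, ImageLoaded, TargetObject), and that shape, the file paths, and the task-cache registry heuristic are assumptions of the example rather than indicators from the report.

```python
"""Endpoint detection checks for the TernDoor tradecraft described above.

Added example, not Cisco Talos code and not derived from the malware itself.
Events are constructed dicts whose field names loosely follow Sysmon
(EventType, Image, ImageLoaded, TargetObject); that shape and every file path
below are assumptions, not indicators from the report.
"""
from pathlib import PureWindowsPath

# Pairing reported by Cisco Talos: legitimate wsprint.exe side-loads BugSplatRc64.dll
SIDELOAD_HOST = "wsprint.exe"
SIDELOAD_DLL = "bugsplatrc64.dll"
# Driver TernDoor carries and loads, per the report
SUSPECT_DRIVER = "wsprint.sys"
# Registry tree behind the Task Scheduler cache. Writes here by anything other
# than the scheduler host process are a generic hiding indicator; this is an
# assumption of the example, the report names no specific key.
TASKCACHE_TREE = r"hklm\software\microsoft\windows nt\currentversion\schedule\taskcache\tree"
SCHEDULER_HOST = r"c:\windows\system32\svchost.exe"


def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of the rules that fire on one event (empty if none)."""
    alerts = []
    kind = event.get("EventType")
    if kind == "ImageLoad":
        if _name(event["Image"]) == SIDELOAD_HOST and _name(event["ImageLoaded"]) == SIDELOAD_DLL:
            alerts.append("terndoor_sideload_pair")
    elif kind == "DriverLoad":
        if _name(event["ImageLoaded"]) == SUSPECT_DRIVER:
            alerts.append("terndoor_driver_load")
    elif kind == "RegistryEvent":
        target = event["TargetObject"].lower()
        if target.startswith(TASKCACHE_TREE) and event["Image"].lower() != SCHEDULER_HOST:
            alerts.append("taskcache_write_by_untrusted_process")
    return alerts


def scan(events: list[dict]) -> dict[str, int]:
    """Count how often each rule fired across a batch of events."""
    counts: dict[str, int] = {}
    for ev in events:
        for name in evaluate(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample events (paths are placeholders, not observed indicators)
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "Image": r"C:\ProgramData\Printing\wsprint.exe",
     "ImageLoaded": r"C:\ProgramData\Printing\BugSplatRc64.dll"},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventType": "DriverLoad", "ImageLoaded": r"C:\Windows\System32\drivers\WSPrint.sys"},
    {"EventType": "RegistryEvent", "Image": r"C:\ProgramData\Printing\wsprint.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PrintSync"},
    {"EventType": "RegistryEvent", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PrintSync"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventType"], evaluate(ev))
    print(scan(SAMPLE_EVENTS))
```

The first two rules are narrow and only as good as the file names, which an operator can change; the task-cache rule is the durable one, since hiding a scheduled task requires touching that tree from something other than the scheduler service. In production the trusted-writer check should also verify that the svchost.exe instance hosts the Schedule service, because any svchost.exe passes the name comparison used here.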
PeerTime is an ELF Linux backdoor that targets multiple architectures (ARM, AARCH, PPC, MIPS), suggesting it was designed to compromise a broad range of embedded systems and network devices used in telecom environments. The payload is decrypted and loaded in memory, and its process is renamed to appear legitimate.
The attackers also use PeerTime to download and execute payloads from peers using the BitTorrent protocol for command-and-control (C2) communications. BusyBox is used to write files on the host.
Finally, there's BruteEntry, which consists of a Go-based instrumentor binary and a brute-forcing component. Its role is to turn compromised devices into scanning nodes, known as Operational Relay Boxes (ORBs).
The attacker uses the machines running BruteEntry to scan for new targets and brute-force access to SSH, Postgres, and Tomcat. Login attempt results are sent back to the C2 with task status and notes.
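Because BruteEntry nodes report login-attempt results back to the C2, the visible footprint on the victim side is a burst of authentication failures against SSH, Postgres, and Tomcat from the same source. The following Python is an added example, not part of the Cisco Talos report, that applies a sliding-window threshold to constructed log lines in three formats; the sshd, Postgres (log_line_prefix with a client-address field), and Tomcat access-log shapes are assumptions about typical logging, and all addresses come from RFC 5737 documentation ranges.

```python
"""Burst detection of credential brute-forcing against SSH, Postgres and Tomcat.

Added example, not part of the Cisco Talos report. The log lines are
constructed; the sshd, Postgres (timestamp then [client] prefix) and Tomcat
access-log formats are assumptions about typical logging, not observed data.
"""
import re
from collections import defaultdict
from datetime import datetime

TOMCAT_TS = "%d/%b/%Y:%H:%M:%S %z"

# One regex per service; each captures a timestamp and the source address.
PATTERNS = {
    "ssh": re.compile(
        r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
        r"from (?P<src>\S+) port \d+"),
    "postgres": re.compile(
        r"^(?P<ts>\S+) \[(?P<src>[^\]]+)\] FATAL:\s+password authentication failed for user"),
    "tomcat": re.compile(
        r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?:GET|POST) /manager/\S* HTTP/1\.[01]" 401\b'),
}


def parse(line: str):
    """Return (service, source, timestamp) for a failed login line, else None."""
    for service, rx in PATTERNS.items():
        m = rx.match(line)
        if not m:
            continue
        ts = m.group("ts")
        when = datetime.strptime(ts, TOMCAT_TS) if service == "tomcat" else datetime.fromisoformat(ts)
        return service, m.group("src"), when
    return None


def detect(lines, threshold: int = 5, window_s: int = 60) -> dict:
    """Map (service, source) to the peak number of failures seen inside any
    window of window_s seconds, for sources that reached the threshold."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            service, src, when = parsed
            failures[(service, src)].append(when)

    alerts = {}
    for key, times in failures.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):            # two-pointer sliding window
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


# Constructed sample log lines (documentation-range addresses, invented hosts)
SAMPLE_LINES = [
    f"2026-03-10T12:00:{s:02d}+00:00 sshd[12{i}]: Failed password for invalid user admin "
    f"from 203.0.113.7 port 401{i:02d} ssh2"
    for i, s in enumerate(range(0, 30, 5))
] + [
    "2026-03-10T12:00:30+00:00 sshd[1207]: Accepted publickey for ops from 198.51.100.3 port 50222 ssh2",
    "2026-03-10T12:03:00+00:00 sshd[1210]: Failed password for ops from 198.51.100.3 port 50230 ssh2",
    "2026-03-10T12:09:00+00:00 sshd[1215]: Failed password for ops from 198.51.100.3 port 50240 ssh2",
] + [
    f'2026-03-10T12:01:{s:02d}+00:00 [203.0.113.7] FATAL:  password authentication failed for user "postgres"'
    for s in range(0, 50, 10)
] + [
    f'192.0.2.9 - - [10/Mar/2026:12:02:{s:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for s in range(0, 60, 12)
]

if __name__ == "__main__":
    for (service, src), count in sorted(detect(SAMPLE_LINES).items()):
        print(f"{service:9s} {src:15s} {count} failures within 60s")
```

The per-source threshold is the simplest useful rule, but it is exactly what a fleet of Operational Relay Boxes is built to dilute: each node contributes a few attempts, so no single address crosses the line. Run the same window keyed by target account or target host as a second view, and treat failures from many distinct sources against one account as the stronger signal.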
Cisco Talos researchers have listed indicators of compromise (IoCs) associated with the observed UAT-9244 activity, which defenders can use to detect and block these attacks early.
In addition to the malware toolkit, Cisco Talos also documented a self-propagating JavaScript worm that vandalized pages on Wikipedia. The worm is believed to be linked to the same threat actors as the UAT-9244 campaign.
The researchers note that while UAT-9244 shares the same target profile as Salt Typhoon, they could not establish a solid connection between the two activity clusters.
Related Information:
https://www.ethicalhackingnews.com/articles/Chinese-State-Hackers-Unleash-Advanced-Malware-Toolkit-on-Telco-Networks-ehn.shtml
Published: Thu Mar 5 17:41:27 2026 by llama3.2 3B Q4_K_M