Cybersecurity investigators at Cisco Talos have pulled back the curtain on a relentless espionage campaign targeting critical telecommunications infrastructure across South America. Attributed with “high confidence” to a China-nexus advanced persistent threat (APT) actor designated as UAT-9244, the operation has been active since at least 2024, utilizing a sophisticated trio of malware implants to maintain a long-term foothold in victim networks.
UAT-9244 is believed to be closely associated with the known threat group Famous Sparrow, sharing similar targeting patterns and a preference for high-value infrastructure.
The group’s success relies on a diverse set of tools designed for persistence, stealth, and mass-scale scanning.

- TernDoor: This Windows-based backdoor is a new variation of the previously disclosed CrowDoor malware. It is deployed via a multi-stage infection chain that utilizes DLL side-loading—executing a benign file to load a malicious loader, which then decrypts the final payload in memory to evade detection.
- PeerTime: Perhaps the most innovative tool in the arsenal, PeerTime is an ELF-based backdoor that “uses the BitTorrent protocol to conduct malicious operations on an infected system”. By using a legitimate, high-traffic P2P protocol, the group can effectively mask its command-and-control (C2) traffic amidst the noise of standard internet data.
- BruteEntry: Typically installed on network edge devices, this brute-force scanner converts compromised hardware into Operational Relay Boxes (ORBs). These ORBs are used as proxy nodes to launch mass-scanning attacks against SSH, Postgres, and Tomcat servers.
UAT-9244’s strategy focuses on compromising edge devices—the gatekeepers of the network—to facilitate lateral movement.
Once BruteEntry is established on an edge device, it begins systematic brute-force attempts. As the report details, the scanner will “brute force into either a Tomcat server application at the URL ‘https[://]<IP>:<Port>/manager/html’, or will brute force into a Postgres instance”.
Any successful logins harvested by the scanner are then transmitted back to the C2 server, providing the attackers with the credentials needed to move deeper into the telecommunications provider’s core systems.
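A defender-side view of the behaviour described above: the following is an added example (not code from the Talos report or from BruteEntry) that parses constructed Tomcat access-log lines in Common Log Format and flags sources with repeated 401s against the manager path, and whether a 200 followed the failures. The log lines, IPs and the threshold of five are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample Tomcat access log lines (Common Log Format); not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Mar/2025:14:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Mar/2025:14:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Mar/2025:14:01:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Mar/2025:14:01:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Mar/2025:14:01:06 +0000] "GET /manager/html HTTP/1.1" 200 19823
198.51.100.23 - admin [10/Mar/2025:14:02:10 +0000] "GET /manager/html HTTP/1.1" 200 19823
192.0.2.44 - - [10/Mar/2025:14:03:00 +0000] "GET /index.html HTTP/1.1" 200 11231
"""

# Common Log Format: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse(lines):
    """Yield a dict per parsable access-log line; skip anything malformed."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry

def find_manager_bruteforce(log_text, threshold=5):
    """Return {ip: {"failures": n, "success_after_failures": bool}} for sources
    that produced at least `threshold` 401 responses on /manager/*.
    A 200 from the same source after those failures is flagged separately,
    since that is the "successful login" the report says is relayed to C2."""
    stats = defaultdict(lambda: {"failures": 0, "success_after_failures": False})
    for e in parse(log_text.splitlines()):
        if not e["path"].startswith("/manager/"):
            continue
        s = stats[e["ip"]]
        if e["status"] == 401:
            s["failures"] += 1
        elif e["status"] == 200 and s["failures"] > 0:
            s["success_after_failures"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}

if __name__ == "__main__":
    for ip, s in find_manager_bruteforce(SAMPLE_LOG).items():
        print(ip, s)
```

The single legitimate admin login from 198.51.100.23 is not flagged because it produced no failures, which is the distinction that keeps this check from alerting on normal manager use.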
The focus on South America marks a significant regional campaign for this APT. By targeting telecommunications providers, UAT-9244 potentially gains the ability to monitor sensitive communications, map critical network layouts, and establish a permanent presence on both Windows and Linux-based endpoints.
Talos researchers emphasize that the group’s methodical approach and specialized toolset demonstrate a high level of engineering and operational discipline.