China-Linked Hackers Target South American Telecom Networks With New Malware

New Cyber Espionage Campaign Targets Telecom Infrastructure

Security researchers have identified a cyber-espionage campaign believed to be carried out by a China-linked hacking group that has been infiltrating telecommunications networks in South America since 2024.

The operation, tracked by security analysts as UAT-9244, has been observed attacking both Windows and Linux systems, along with network edge devices. Investigators say the group is deploying multiple previously unknown malware tools to maintain access to targeted systems.

The activity was uncovered by researchers at Cisco Talos, who note that the tactics used in the campaign share similarities with those of another espionage group known as FamousSparrow.

Possible Connection to Other Chinese Espionage Groups

FamousSparrow has previously been linked to cyber operations targeting telecom providers and other strategic industries.

Security experts have also found overlapping tactics between this activity and operations associated with Salt Typhoon, another China-linked threat group known for attacking telecommunications infrastructure.

However, researchers emphasize that there is currently no direct evidence confirming that UAT-9244 and Salt Typhoon are the same group.

Three New Malware Implants Discovered

During the investigation, analysts discovered three different malware implants used in the campaign. Each one is designed to target a specific type of system.

The implants include:

  • TernDoor – a backdoor designed for Windows systems
  • PeerTime – a Linux-based backdoor capable of infecting multiple architectures
  • BruteEntry – a tool used to scan and attack internet-facing services through compromised edge devices

Together, these tools allow attackers to maintain long-term access and expand their presence within targeted networks.

Attack Entry Method Still Unknown

Researchers have not yet confirmed how attackers initially gain access to victim systems.

However, previous operations linked to this group involved exploiting unpatched Windows Server and Microsoft Exchange servers to install web shells. These web shells allow attackers to run commands and deploy additional malware.

TernDoor Backdoor Targets Windows Systems

One of the key malware tools identified in the campaign is TernDoor, a Windows backdoor delivered through a technique known as DLL side-loading.

In this method, attackers use a legitimate program called wsprint.exe to load a malicious DLL file named BugSplatRc64.dll. The DLL then decrypts the main malware payload and executes it directly in system memory.

Once installed, TernDoor establishes persistence by creating either:

  • A scheduled task, or
  • A registry Run entry

The backdoor is capable of performing several actions on infected machines, including:

  • Executing commands remotely
  • Creating new processes
  • Reading and modifying files
  • Collecting system information
  • Deploying a driver to hide malicious activity
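The side-loading chain and the two persistence options described above can be hunted for in endpoint telemetry. The following Python script is an added example for this article, not tooling from Cisco Talos or from the campaign report: it runs over constructed, simplified records standing in for Sysmon-style image-load, scheduled-task and registry events (the field names `type`, `image`, `loaded`, `command`, `key`, `data` are assumptions, not Sysmon's real schema). It flags the wsprint.exe/BugSplatRc64.dll pair named in the article plus the generic pattern of a binary loading a DLL from a user-writable directory beside itself, and then ties scheduled tasks and Run-key entries back to any flagged binary. The user-writable-directory heuristic is mine and is deliberately broad; tune it to your estate.

```python
"""Hunt for TernDoor-style DLL side-loading and its follow-on persistence.

Added example for the article, not tooling from Cisco Talos or the campaign report.
The records below are a constructed, simplified stand-in for Sysmon-style telemetry
(image load, scheduled-task creation, registry value set); the field names are
assumptions, not Sysmon's real schema.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Loader binary / side-loaded DLL pair named in the article (lower-cased for comparison).
KNOWN_SIDELOAD_PAIRS = {("wsprint.exe", "bugsplatrc64.dll")}

# Directory fragments a non-admin user can usually write to (assumption: adjust per estate).
# A legitimate binary loading a DLL from one of these, right next to itself, is the
# generic side-loading signal even when the DLL name is not on a known list.
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\", "\\public\\")


@dataclass
class Finding:
    rule: str
    detail: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    return any(h in path.lower() for h in USER_WRITABLE_HINTS)


def find_sideloads(events: list[dict]) -> tuple[list[Finding], set[str]]:
    """Pass 1: image-load events where a binary pulls a DLL from a writable dir beside itself."""
    findings, flagged = [], set()
    for ev in events:
        if ev["type"] != "image_load":
            continue
        proc, dll = ev["image"], ev["loaded"]
        known = (_base(proc), _base(dll)) in KNOWN_SIDELOAD_PAIRS
        same_dir = ntpath.dirname(proc).lower() == ntpath.dirname(dll).lower()
        if known or (same_dir and _user_writable(dll)):
            flagged.add(proc.lower())  # remember the loader so persistence can be linked to it
            findings.append(Finding("dll_sideload", f"{proc} loaded {dll}"))
    return findings, flagged


def find_persistence(events: list[dict], flagged: set[str]) -> list[Finding]:
    """Pass 2: scheduled tasks or Run keys launching a flagged binary or anything from a writable dir."""
    findings = []
    for ev in events:
        if ev["type"] == "schtask_create":
            cmd, rule, label = ev["command"], "schtask_persist", ev["name"]
        elif ev["type"] == "reg_set" and "\\currentversion\\run\\" in ev["key"].lower():
            cmd, rule, label = ev["data"], "runkey_persist", ev["key"]
        else:
            continue
        if any(img in cmd.lower() for img in flagged) or _user_writable(cmd):
            findings.append(Finding(rule, f"{label} -> {cmd}"))
    return findings


def hunt(events: list[dict]) -> list[Finding]:
    """Two passes so persistence is linked to the loader regardless of event order in the log."""
    sideloads, flagged = find_sideloads(events)
    return sideloads + find_persistence(events, flagged)


# Constructed sample telemetry: one benign load, one side-load, two persistence entries, one benign Run key.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
    {"type": "image_load", "image": r"C:\ProgramData\WsPrint\wsprint.exe",
     "loaded": r"C:\ProgramData\WsPrint\BugSplatRc64.dll"},
    {"type": "schtask_create", "name": "PrintSpoolerUpdate",
     "command": r"C:\ProgramData\WsPrint\wsprint.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WsPrint",
     "data": r"C:\ProgramData\WsPrint\wsprint.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

On the sample data the script raises one side-load finding and two persistence findings, and leaves the svchost.exe load and the OneDrive Run key alone. In production the same two passes would run over real Sysmon Event ID 7 (image load), 1 (process create with the schtasks command line) and 13 (registry value set) records, with the writable-directory list adjusted for software you know installs there.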

Linux Systems Targeted With PeerTime Backdoor

The attackers are also targeting Linux environments using a backdoor known as PeerTime.

This malware is compiled for several different system architectures, including:

  • ARM
  • AARCH
  • PPC
  • MIPS

This allows the attackers to infect a wide range of embedded devices and Linux servers.

PeerTime uses a peer-to-peer communication model, relying on the BitTorrent protocol to retrieve instructions from command-and-control infrastructure and download additional payloads.

Researchers also discovered that some components of the malware contain debug messages written in Simplified Chinese, suggesting that the tools were developed by Chinese-speaking programmers.

Malware Uses Docker Detection Technique

Before activating, the malware checks whether Docker containers are running on the compromised system.

If Docker is present, a special loader decrypts and launches the PeerTime payload directly in memory. The malware can also disguise itself as a legitimate process to avoid detection by security tools.

Edge Devices Used for Large-Scale Scanning

Another tool used in the campaign is BruteEntry, which is installed on compromised edge devices.

This malware transforms infected systems into scanning nodes within a larger attack infrastructure.

Using this setup, attackers can conduct automated brute-force attacks against services such as:

  • PostgreSQL databases
  • SSH servers
  • Apache Tomcat servers

The tool receives lists of target IP addresses from a command-and-control server and attempts to guess login credentials. Successful logins are reported back to the attackers.
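From the defender's side, the distributed brute-forcing described above shows up as bursts of authentication failures per source address, sometimes followed by a single success. The Python script below is an added example for this article, not code from Cisco Talos or the campaign report; it parses constructed sshd syslog lines and PostgreSQL log lines (assuming a PostgreSQL `log_line_prefix` that emits the client host as `[pid] host(port)` and `log_connections` enabled), counts failures per service and source, and alerts both when a source crosses a failure threshold and when that same source later authenticates successfully. The threshold value and the count-based (rather than time-windowed) logic are simplifications of mine.

```python
"""Detect credential brute-forcing and success-after-failures in SSH and PostgreSQL logs.

Added example for the article, not tooling from Cisco Talos or the campaign report.
Log lines below are constructed. The PostgreSQL format assumes a log_line_prefix that
prints "[pid] host(port)" and log_connections=on; adjust PG_RE for your own prefix.
"""
import re
from collections import defaultdict

FAIL_THRESHOLD = 5  # assumption: tune per environment and per service

# sshd: "Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2"
#       "Accepted publickey for alice from 198.51.100.20 port 40022 ssh2"
SSH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)
# postgres: '[3301] 203.0.113.9(44020) FATAL:  password authentication failed for user "postgres"'
#           '[3310] 198.51.100.21(44100) LOG:  connection authorized: user=app database=billing'
PG_RE = re.compile(
    r"\[\d+\] (\d{1,3}(?:\.\d{1,3}){3})\(\d+\) (?:FATAL|LOG):\s+"
    r'(password authentication failed for user "(\S+)"|connection authorized: user=(\S+))'
)


def parse(line: str):
    """Normalise one log line to (service, source_ip, user, success) or None if irrelevant."""
    m = SSH_RE.search(line)
    if m:
        return ("ssh", m.group(3), m.group(2), m.group(1) == "Accepted")
    m = PG_RE.search(line)
    if m:
        success = m.group(4) is not None
        return ("postgresql", m.group(1), m.group(4) if success else m.group(3), success)
    return None


def detect(lines):
    """Return alerts as tuples; failures are counted per (service, source) across the whole input."""
    fails = defaultdict(int)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        service, src, user, success = ev
        key = (service, src)
        if not success:
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append(("brute_force", service, src, fails[key]))
        elif fails[key] >= FAIL_THRESHOLD:
            # A success from a source that was just guessing is the case worth paging on.
            alerts.append(("success_after_bruteforce", service, src, user))
    return alerts


# Constructed sample log: one SSH guessing burst that ends in a login, one quiet PostgreSQL probe.
SAMPLE_LOG = """\
Mar 12 10:01:01 edge1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 12 10:01:02 edge1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51002 ssh2
Mar 12 10:01:02 edge1 sshd[2205]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 12 10:01:03 edge1 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Mar 12 10:01:04 edge1 sshd[2209]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar 12 10:01:05 edge1 sshd[2211]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 12 10:01:09 edge1 sshd[2213]: Accepted password for deploy from 203.0.113.7 port 51007 ssh2
Mar 12 10:02:00 edge1 sshd[2220]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
2025-03-12 10:03:01 UTC [3301] 203.0.113.9(44020) FATAL:  password authentication failed for user "postgres"
2025-03-12 10:03:02 UTC [3302] 203.0.113.9(44021) FATAL:  password authentication failed for user "postgres"
2025-03-12 10:03:03 UTC [3303] 203.0.113.9(44022) FATAL:  password authentication failed for user "admin"
2025-03-12 10:05:00 UTC [3310] 198.51.100.21(44100) LOG:  connection authorized: user=app database=billing
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, 203.0.113.7 trips the SSH threshold on its fifth failure and then triggers the higher-severity alert when the `deploy` login succeeds; the three PostgreSQL failures from 203.0.113.9 stay under the threshold and the key-based login by `alice` is ignored. Real deployments should window the counts by time and, since the article describes the scanning coming from many relay nodes, also aggregate failures per target account across sources so that low-and-slow guessing from a distributed pool does not slip under a per-source threshold.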

Attack Infrastructure Built for Long-Term Operations

Researchers believe the attackers are building a distributed attack infrastructure using compromised systems as relay nodes.

By controlling many infected devices, the group can scan the internet for new targets while hiding the origin of their operations.

This type of infrastructure is often referred to as an Operational Relay Box (ORB) network, which allows threat actors to launch attacks anonymously and maintain persistence across multiple regions.

Telecommunications Remain a Prime Target

Telecommunication networks are a frequent target for state-sponsored hacking groups because they provide access to large volumes of sensitive communications data.

Compromising telecom providers can allow attackers to:

  • Monitor communications
  • Intercept sensitive information
  • Access infrastructure used by governments and businesses

Because of this, telecom companies remain one of the most attractive targets for cyber espionage operations.

Security Experts Urge Organizations to Strengthen Defenses

Security analysts recommend that organizations, especially those in critical infrastructure sectors, strengthen their defenses against these types of attacks.

Recommended security measures include:

  • Regularly updating servers and network devices
  • Monitoring systems for unusual processes and scheduled tasks
  • Restricting administrative access to critical systems
  • Deploying network segmentation to limit lateral movement
  • Monitoring outbound connections to suspicious command-and-control servers

As global cyber espionage activity continues to rise, organizations operating in strategic industries are increasingly becoming targets for advanced persistent threat groups.