Overview
- Cisco Talos reports that UAT-9244 has targeted telecommunications providers in South America since 2024, compromising Windows, Linux, and network-edge devices.
- The toolkit includes TernDoor, a Windows backdoor delivered via DLL side-loading using wsprint.exe and BugSplatRc64.dll, with an embedded driver (WSPrint.sys) and persistence through scheduled tasks or Registry keys.
- PeerTime is an ELF peer-to-peer backdoor compiled for ARM, AARCH, PPC, and MIPS in C/C++ and Rust variants; it uses the BitTorrent protocol for C2, executes in memory, renames its process, and ships an instrumentor with Simplified Chinese debug strings that checks for Docker.
- BruteEntry deploys on edge devices via Go-based components to create Operational Relay Boxes that mass-scan networks and brute-force SSH, Postgres, and Tomcat, sending login results to a command-and-control server.
- Talos assesses close associations with FamousSparrow and Tropic Trooper yet tracks UAT-9244 as a distinct cluster, finds no conclusive tie to Salt Typhoon or a confirmed initial access method, and releases indicators of compromise for defenders.
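As an added example (not code from Talos or the report), the following detection flags the TernDoor delivery shape described above: the host binary wsprint.exe loading BugSplatRc64.dll from a directory outside the usual install locations. The trusted-directory list and the log format are assumptions for illustration; the sample events are constructed, not real telemetry.

```python
import ntpath

# Detection heuristic for the wsprint.exe / BugSplatRc64.dll side-loading pair.
# The trusted roots below are an assumption for this example, not from the report;
# tune them to where the legitimate copies actually live in your estate.
HOST_EXE = "wsprint.exe"
SIDELOADED_DLL = "bugsplatrc64.dll"
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

def parse_event(line):
    """Parse one 'host | image path | loaded module path' line into a tuple."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 3:
        return None
    return tuple(parts)

def is_suspicious_load(image_path, module_path):
    """True when wsprint.exe loads BugSplatRc64.dll from an untrusted directory."""
    image = ntpath.basename(image_path).lower()
    module = ntpath.basename(module_path).lower()
    if image != HOST_EXE or module != SIDELOADED_DLL:
        return False
    module_dir = ntpath.dirname(module_path).lower() + "\\"
    return not module_dir.startswith(TRUSTED_ROOTS)

def scan(lines):
    """Return (host, image, module) for every suspicious image-load event."""
    hits = []
    for line in lines.splitlines():
        ev = parse_event(line)
        if ev and is_suspicious_load(ev[1], ev[2]):
            hits.append(ev)
    return hits

# Constructed sample events (not real telemetry): host | image | loaded module
SAMPLE_EVENTS = """\
ws01 | C:\\Program Files\\Vendor\\wsprint.exe | C:\\Program Files\\Vendor\\BugSplatRc64.dll
ws02 | C:\\Users\\Public\\Libraries\\wsprint.exe | C:\\Users\\Public\\Libraries\\BugSplatRc64.dll
ws03 | C:\\Program Files\\Vendor\\app.exe | C:\\Program Files\\Vendor\\BugSplatRc64.dll
ws04 | C:\\ProgramData\\Updater\\wsprint.exe | C:\\Windows\\System32\\kernel32.dll
"""

if __name__ == "__main__":
    for host, image, module in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: {image} side-loaded {module}")
```

Only ws02 fires here: the DLL is loaded by the named host binary from a user-writable directory, while the same pair under Program Files is left alone.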