A China-linked threat actor identified as UAT-9244 has been targeting South American telecommunications infrastructure since late 2024 using specialized malware for Windows, Linux, and edge devices. While the group shares tactical similarities with the espionage cluster Salt Typhoon, researchers have not yet found definitive proof that the two entities are the same.
The cyber espionage campaign relies on a toolkit of three distinct, previously undocumented implants: the Windows backdoor TernDoor, a Linux implant known as PeerTime, and a tool called BruteEntry built for network edge devices. Although the precise method of initial entry remains unconfirmed, the group is known for exploiting vulnerabilities in outdated Microsoft Exchange and Windows servers to deploy web shells and gain a foothold in target environments.
TernDoor functions as a highly specialized backdoor that the attackers deploy through a technique known as DLL side-loading. By utilizing a legitimate system executable to launch a malicious library, the malware can decrypt and execute its primary payload directly in memory to avoid detection. This specific implant is considered an evolution of earlier malware families like Crowdoor and SparrowDoor, indicating a continuous refinement of the group’s offensive capabilities over the past several years.
Once a system is compromised, TernDoor secures its presence by creating scheduled tasks or modifying registry keys so that it remains active after a reboot. The malware distinguishes itself from its predecessors by using a unique set of command codes and by incorporating a dedicated Windows driver that lets it control system processes. This kernel-level access gives the attackers the ability to suspend or terminate security software and other critical system functions, which is why defenders should treat unexpected driver installations on telecom hosts as a high-priority signal.
To maintain a low profile, the malware includes a specific uninstallation command designed to remove itself and all related forensic traces from the infected host. This focus on stealth, combined with the targeting of high-value telecommunications data, underscores the strategic nature of the campaign. As South American infrastructure remains under pressure, security teams are focusing on identifying the overlaps between these emerging clusters and established state-sponsored espionage groups.
Source: China-Linked Hackers Deploy TernDoor, PeerTime In South American Telecom Attacks