Cisco Talos links the activity cluster to China-nexus tooling, including CrowDoor variants and ORB-style proxy infrastructure
Telecommunications, China-nexus, cyberespionage, backdoors, ORBs, Linux implants, DLL side-loading
Metadata
- Affected sector: Telecommunications service providers (South America)
- Activity type: Cyberespionage and long-term access tooling
- Platforms: Windows endpoints, Linux endpoints, network edge devices
- Exploitation status: Observed in targeted intrusions (activity reported since 2024)
- Attribution: High confidence China-nexus cluster “UAT-9244” (Cisco Talos); no confirmed link to Salt Typhoon
- Confidence level: High (core reporting), Medium (broader ecosystem context)
Executive Summary
Cisco Talos reports that a China-nexus threat actor tracked as UAT-9244 has targeted South American telecommunications providers since 2024 using three previously undocumented malware families: TernDoor (Windows), PeerTime (Linux) and BruteEntry (brute-force scanner for ORB proxying). The toolset blends endpoint compromise with footholds on network edge devices, then expands reach using scanning and credential brute forcing against common enterprise services. Talos assesses with high confidence that UAT-9244 is closely associated with FamousSparrow and Tropic Trooper based on overlap in tooling, TTPs and victimology, while noting it could not establish a solid connection to Salt Typhoon. The campaign matters now because it demonstrates continued investment in telecom compromise tradecraft, including P2P C2 on Linux and ORB-style infrastructure that can complicate attribution and IOC-based blocking.
Primary reporting: the Cisco Talos technical report and BleepingComputer’s coverage.
- Cisco Talos: UAT-9244 targets South American telecommunication providers with three new malware implants
- BleepingComputer: Chinese state hackers target telcos with new malware toolkit
Context
Talos positions UAT-9244 as a China-nexus APT cluster operating against critical telecommunications infrastructure in South America, spanning Windows, Linux and edge devices. In its analysis, Talos links the actor to FamousSparrow and Tropic Trooper, and describes TernDoor as a new variation of CrowDoor, a backdoor family previously discussed in China-aligned intrusion reporting. Talos explicitly notes that although UAT-9244 and Salt Typhoon share a telco targeting profile, it could not verify a strong connection between the clusters.
- Cisco Talos: UAT-9244 report
- For additional FamousSparrow context and public reporting on group relationships, see: ESET Research press release on FamousSparrow activity
Technical Analysis
TernDoor (Windows backdoor)
Talos describes a multi-stage chain that uses DLL side-loading: a benign executable wsprint.exe loads a malicious loader BugSplatRc64.dll, which reads and decrypts a payload file WSPrint.dll and executes the final implant in memory. The loader decodes content using a hard-coded key (qwiozpVngruhg123). TernDoor is reported to be deployed via injection into msiexec.exe and includes an embedded Windows kernel driver (WSPrint.sys) to terminate, suspend and resume processes (likely for evasion and control). Persistence is achieved via scheduled tasks (“WSPrint”) and/or Registry Run key modification, with additional registry changes used to hide the scheduled task.
- Cisco Talos: TernDoor infection chain and persistence details
- BleepingComputer summary of TernDoor behaviour
PeerTime (Linux backdoor with BitTorrent C2)
PeerTime is an ELF backdoor compiled for multiple architectures (Talos cites ARM, AARCH, PPC, MIPS), suggesting use on embedded/network devices as well as servers. Talos reports two implementations (older C/C++, newer Rust), with an “instrumentor” binary containing Simplified Chinese debug strings. PeerTime uses the BitTorrent protocol for C2 and for downloading payloads from peers, and it uses BusyBox to write files on the host. Talos also notes PeerTime is known as “angrypeer” in VirusTotal configuration tracking.
BruteEntry (brute-force scanner used to build ORB proxy nodes)
Talos reports BruteEntry is deployed to convert compromised systems, especially network edge devices, into scanning nodes and proxy infrastructure (Operational Relay Boxes, ORBs). The malware registers an agent with a C2 server, requests tasking (lists of targets) and brute forces SSH, Postgres, and Tomcat Manager endpoints, posting results back to C2 with status and notes. This aligns with a broader trend in China-nexus operations that use ORB networks to raise defender cost by cycling infrastructure and obscuring traffic origin.
- Cisco Talos: BruteEntry workflow and target services
- Google Cloud (Mandiant): ORB networks and “IOC extinction” in China-nexus operations
Impact Assessment
Likely impact (high confidence):
- Sustained access to telecom environments across Windows, Linux, and edge layers, enabling internal reconnaissance, credential access via brute forcing, and potential interception or surveillance of telecom-adjacent systems.
- Increased difficulty of containment when ORB-style proxying and rapidly changing infrastructure are used, reducing the shelf life of IP-based blocks.
Unknowns (explicitly not disclosed in public reporting):
- Initial access vectors and any exploited vulnerabilities were not specified by Talos or BleepingComputer in the referenced reporting.
- Public victim counts and confirmed data theft were not provided in the source material.
Threat Intelligence Context
Talos assesses UAT-9244 is closely associated with FamousSparrow and Tropic Trooper, while not confirming ties to Salt Typhoon despite overlapping telco victimology. ESET has separately discussed how public reporting can conflate China-aligned clusters and has argued for distinguishing FamousSparrow from other named groupings in some cases, underlining ongoing attribution ambiguity in telecom intrusions.
- Cisco Talos: association with FamousSparrow and Tropic Trooper, no solid Salt Typhoon link
- ESET: FamousSparrow research and discussion of public conflation
MITRE ATT&CK mapping (reported behaviours)
| Tactic | Technique ID | Technique | Observed behaviour (from reporting) |
|---|---|---|---|
| Execution | T1059 | Command and Scripting Interpreter | Remote shell and command execution via backdoor capabilities (TernDoor). |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | “WSPrint” scheduled task used for persistence (TernDoor). |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder | Registry Run key persistence noted by Talos (TernDoor). |
| Defence Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | wsprint.exe used to side-load malicious DLL (TernDoor loader). |
| Defence Evasion | T1055 | Process Injection | Payload execution in memory and injection into msiexec.exe described by Talos. |
| Defence Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Embedded Windows driver (WSPrint.sys) used to terminate, suspend and resume processes; Talos describes this as likely for evasion and control. |
| Command and Control | T1071 | Application Layer Protocol | PeerTime uses the BitTorrent protocol for peer-to-peer C2 (Talos); captured at the parent technique, see note below. |
| Command and Control | T1105 | Ingress Tool Transfer | PeerTime downloads payloads from peers over BitTorrent (Talos). |
| Command and Control | T1090.003 | Proxy: Multi-hop Proxy | ORB-style proxy/scanning nodes built from BruteEntry deployments. |
| Credential Access | T1110 | Brute Force | BruteEntry brute forces SSH, Postgres, and Tomcat Manager (Talos). |
| Reconnaissance | T1595 | Active Scanning | BruteEntry nodes scan for new targets (Talos). |
Note: MITRE ATT&CK does not have a BitTorrent-specific technique; PeerTime’s use of a peer-to-peer protocol is captured at a higher level based on ATT&CK’s available taxonomy.
Indicators of Compromise
The following IOCs are taken from Cisco Talos reporting. Where Talos lists large sets of hashes, this table includes a representative subset plus key infrastructure. For the full list, refer to the Talos report.
| Type | Value | Context / Notes | Source | Confidence |
|---|---|---|---|---|
| SHA-256 | 711d9427ee43bc2186b9124f31cba2db5f54ec9a0d56dc2948e1a4377bada289 | TernDoor loader DLL | Cisco Talos IOC section | High |
| SHA-256 | a5e413456ce9fc60bb44d442b72546e9e4118a61894fbe4b5c56e4dfad6055e3 | Encoded TernDoor payload | Cisco Talos IOC section | High |
| SHA-256 | 2d2ca7d21310b14f5f5641bbf4a9ff4c3e566b1fbbd370034c6844cedc8f0538 | Windows driver (WSPrint.sys) | Cisco Talos IOC section | High |
| IP:Port | 154[.]205[.]154[.]82:443 | TernDoor C2 | Cisco Talos IOC section | High |
| IP:Port | 207[.]148[.]121[.]95:443 | TernDoor C2 | Cisco Talos IOC section | High |
| IP | 212[.]11[.]64[.]105 | Hosted DLL loader and observed infrastructure; also listed under BruteEntry infra | Cisco Talos IOC section | High |
| Domain | bloopencil[.]net | PeerTime C2 | Cisco Talos IOC section | High |
| IP | 185[.]196[.]10[.]38 | PeerTime C2 | Cisco Talos IOC section | High |
| Domain | xtibh[.]com | PeerTime remote location | Cisco Talos IOC section | High |
| Domain | xcit76[.]com | PeerTime remote location | Cisco Talos IOC section | High |
| IP | 185[.]196[.]10[.]247 | PeerTime remote location and BruteEntry infrastructure | Cisco Talos IOC section | High |
| SHA-256 | 66bdce93de3b02cf9cdadad18ca1504ac83e379a752d51f60deae6dcbafe4e31 | BruteEntry agent | Cisco Talos IOC section | High |
| SSL fingerprint (SHA-256) | 0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8 | SSL cert fingerprint associated with discovered TernDoor C2 IPs (per Talos) | Cisco Talos infrastructure notes | Medium |
Detection and Response Guidance
Immediate hunting priorities (telcos and MSSPs)
Windows (TernDoor)
- Hunt for DLL side-loading artefacts in the described chain: wsprint.exe, BugSplatRc64.dll, WSPrint.dll, and files under C:\ProgramData\WSPrint\ (as described by Talos).
- Check for a scheduled task named WSPrint, and for attempted task-hiding behaviour via TaskCache registry modifications described by Talos.
- Enumerate and validate kernel drivers and services for WSPrint.sys and suspicious device names consistent with the report.
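The Windows hunting bullets above can be run as one pass over endpoint telemetry. The script below is an added example, not code from Cisco Talos or BleepingComputer: it assumes Sysmon and Security events have already been exported as JSON objects with Sysmon-style field names (EventID, Image, ImageLoaded, ParentImage, TargetFilename, TargetObject, TaskName), and the sample events are constructed for illustration. It flags each artefact named in the reporting (the wsprint.exe/BugSplatRc64.dll side-load, msiexec.exe spawned under the side-loading host, files written to C:\ProgramData\WSPrint\, the WSPrint.sys driver load, the WSPrint scheduled task, TaskCache and Run key changes) and escalates a host when two or more independent artefacts coincide.

```python
"""Hunt for the TernDoor side-loading and persistence chain in Sysmon-style telemetry.

Added example, not Cisco Talos code. Assumes events are dicts with Sysmon/Security
field names; SAMPLE_EVENTS below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# File and task names taken from the Talos reporting (see Technical Analysis).
SIDELOAD_HOST = "wsprint.exe"
SIDELOAD_DLL = "bugsplatrc64.dll"
PAYLOAD_FILE = "wsprint.dll"
DRIVER_FILE = "wsprint.sys"
STAGING_DIR = "c:\\programdata\\wsprint\\"
TASKCACHE_RE = re.compile(r"\\schedule\\taskcache\\(tree|tasks)\\", re.I)
RUNKEY_RE = re.compile(r"\\currentversion\\run\\", re.I)


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(e):
    """Map one event to a TernDoor hunting rule name, or None if it matches nothing."""
    eid = e.get("EventID")
    image = _base(e.get("Image", ""))
    loaded = _base(e.get("ImageLoaded", ""))
    if eid == 7 and image == SIDELOAD_HOST and loaded == SIDELOAD_DLL:
        return "dll_sideload"                      # benign EXE loading the malicious DLL name
    if eid == 1 and image == "msiexec.exe" and _base(e.get("ParentImage", "")) == SIDELOAD_HOST:
        return "msiexec_child_of_sideload_host"    # injection target spawned by the loader
    if eid == 11:
        tgt = e.get("TargetFilename", "").lower()
        if tgt.startswith(STAGING_DIR) and _base(tgt) in {SIDELOAD_DLL, PAYLOAD_FILE, DRIVER_FILE}:
            return "staging_file_written"
    if eid == 6 and loaded == DRIVER_FILE:
        return "driver_loaded"                     # Sysmon DriverLoad for WSPrint.sys
    if eid == 4698 and _base(e.get("TaskName", "")) == "wsprint":
        return "scheduled_task_created"            # Security log: task named WSPrint
    if eid in (12, 13, 14):                        # Sysmon registry events
        tobj = e.get("TargetObject", "")
        if TASKCACHE_RE.search(tobj) and "wsprint" in tobj.lower():
            return "taskcache_modified"            # any TaskCache change for the WSPrint task
        if RUNKEY_RE.search(tobj) and "wsprint" in (tobj + e.get("Details", "")).lower():
            return "run_key_persistence"
    return None


def hunt(events):
    """Group matched rules per host; two or more distinct rules on one host is a strong hit."""
    per_host = defaultdict(set)
    for e in events:
        rule = classify(e)
        if rule:
            per_host[e.get("Computer", "unknown")].add(rule)
    return {
        host: {"rules": sorted(rules), "severity": "high" if len(rules) >= 2 else "review"}
        for host, rules in per_host.items()
    }


# Constructed sample telemetry: one compromised host, one host with benign look-alikes.
SAMPLE_EVENTS = [
    {"Computer": "TELCO-WS01", "EventID": 7,
     "Image": r"C:\ProgramData\WSPrint\wsprint.exe",
     "ImageLoaded": r"C:\ProgramData\WSPrint\BugSplatRc64.dll"},
    {"Computer": "TELCO-WS01", "EventID": 4698, "TaskName": r"\WSPrint"},
    {"Computer": "TELCO-WS01", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WSPrint\SD",
     "Details": "DWORD (0x00000000)"},
    {"Computer": "TELCO-WS02", "EventID": 1,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "TELCO-WS02", "EventID": 7,
     "Image": r"C:\Program Files\Vendor\wsprint.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for host, hit in hunt(SAMPLE_EVENTS).items():
        print(host, hit["severity"], ", ".join(hit["rules"]))
```

The rules deliberately key on file names and task names rather than hashes, because the loader and payload can be recompiled while the side-loading relationship (wsprint.exe loading a DLL named BugSplatRc64.dll from a writable directory) is what the chain depends on; any legitimate wsprint.exe in your estate that is not under C:\ProgramData should be allow-listed by path rather than by removing the rule.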
Linux and edge devices (PeerTime, BruteEntry)
- Look for unusual multi-architecture ELF payloads and installer scripts consistent with Talos IOCs.
- Monitor for unexpected use of BusyBox for file writes/copies in contexts where BusyBox is not typically used operationally.
- Inspect edge devices for signs of being repurposed as scanning/proxy nodes, including outbound scanning patterns and repeated authentication attempts against SSH, Postgres and Tomcat Manager endpoints.
Network
- Block and alert on outbound connections to Talos-listed C2 IPs/domains and investigate any historical communications, with the caveat that ORB-style infrastructure can rotate quickly.
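The edge-device bullet (hosts repurposed as scanning/brute-force nodes against SSH, Postgres and Tomcat Manager) and the network bullet (contacts with Talos-listed C2) can both be checked from connection records. The script below is an added example, not Cisco Talos code: it assumes flow or firewall logs have already been exported as dicts with src, dst, dport and a Unix timestamp, the internal addresses and scanned targets are constructed, and the C2 indicators are the defanged values from the IOC table above, refanged on load. The fan-out threshold and window are assumptions to tune per environment.

```python
"""Flow-record hunting for BruteEntry-style scanning nodes and Talos-listed C2 contacts.

Added example, not Cisco Talos code. Assumes records are dicts
{"ts": int, "src": str, "dst": str, "dport": int}; SAMPLE_RECORDS and SAMPLE_DNS
are constructed. Thresholds are assumptions, not values from the reporting.
"""
from collections import defaultdict

# Services BruteEntry brute forces, per Talos (8080 assumed as the Tomcat Manager port).
BRUTE_PORTS = {22: "ssh", 5432: "postgres", 8080: "tomcat-manager"}

# Infrastructure as printed (defanged) in the IOC table above.
TALOS_C2_DEFANGED = [
    "154[.]205[.]154[.]82", "207[.]148[.]121[.]95", "212[.]11[.]64[.]105",
    "185[.]196[.]10[.]38", "185[.]196[.]10[.]247",
    "bloopencil[.]net", "xtibh[.]com", "xcit76[.]com",
]


def refang(ioc):
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


TALOS_C2 = {refang(i) for i in TALOS_C2_DEFANGED}


def scanner_nodes(records, min_targets=10, window_s=600):
    """Sources that reached >= min_targets distinct destinations on one brute-force
    port inside any window_s-second window. Returns {src: {service: peak_targets}}."""
    groups = defaultdict(list)
    for r in records:
        if r["dport"] in BRUTE_PORTS:
            groups[(r["src"], r["dport"])].append((r["ts"], r["dst"]))
    hits = defaultdict(dict)
    for (src, port), evs in groups.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):               # sliding time window over sorted events
            while evs[hi][0] - evs[lo][0] > window_s:
                lo += 1
            best = max(best, len({dst for _, dst in evs[lo:hi + 1]}))
        if best >= min_targets:
            hits[src][BRUTE_PORTS[port]] = best
    return dict(hits)


def c2_contacts(records, dns_answers=None):
    """Records whose destination is a Talos C2 IP, or an IP that passive DNS
    (dns_answers: {ip: domain}) ties to a Talos C2 domain.
    Caveat from the reporting: ORB-style infrastructure rotates, so treat
    non-matches as inconclusive and re-run against updated indicator sets."""
    dns_answers = {k: v.lower() for k, v in (dns_answers or {}).items()}
    out = []
    for r in records:
        dst = r["dst"].lower()
        via_domain = dns_answers.get(dst)
        if dst in TALOS_C2 or via_domain in TALOS_C2:
            out.append((r["src"], dst, r["dport"], via_domain))
    return out


# Constructed sample: one edge device sweeping 12 hosts on SSH, two C2 contacts.
SAMPLE_RECORDS = (
    [{"ts": 1000 + i * 5, "src": "10.40.1.5", "dst": f"192.0.2.{i + 1}", "dport": 22} for i in range(12)]
    + [{"ts": 1000 + i * 5, "src": "10.40.1.5", "dst": f"192.0.2.{i + 1}", "dport": 5432} for i in range(4)]
    + [{"ts": 1100, "src": "10.40.2.7", "dst": "192.0.2.50", "dport": 22}]
    + [{"ts": 1200, "src": "10.40.3.9", "dst": "154.205.154.82", "dport": 443}]
    + [{"ts": 1300, "src": "10.40.3.9", "dst": "203.0.113.77", "dport": 443}]
)
SAMPLE_DNS = {"203.0.113.77": "bloopencil.net"}   # constructed passive-DNS answer

if __name__ == "__main__":
    print("scanning nodes:", scanner_nodes(SAMPLE_RECORDS))
    print("C2 contacts:", c2_contacts(SAMPLE_RECORDS, SAMPLE_DNS))
```

Fan-out per port is a behavioural signal that survives infrastructure rotation, which is why it is computed separately from the indicator match; an edge device that suddenly opens connections to a dozen distinct SSH or Postgres endpoints within minutes is worth a look regardless of whether any known C2 address appears.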
Vendor detections noted in reporting
Talos states coverage via ClamAV signatures and a Snort SID for this activity (including Win.Malware.TernDoor, Unix.Malware.PeerTime, Unix.Malware.BruteEntry, and Snort SID 65551). Validate availability in your environment and map to your tooling equivalents.
Mitigation Recommendations
- Treat edge devices as first-class incident scope. Include routers, gateways, and Linux appliances in containment plans, not only Windows endpoints.
- Harden remote management services (SSH, Postgres admin access, Tomcat Manager): enforce MFA where possible, restrict by IP allowlists, disable unused interfaces, and remove default or weak credential paths.
- Segment and monitor telecom management networks with explicit egress controls and anomaly detection for P2P-like traffic patterns that could indicate BitTorrent-based C2.
- Assume short IOC half-life where ORB-style infrastructure is suspected. Prioritise behaviour-based detections (process ancestry for side-loading, task/registry persistence changes, brute-force telemetry) over static IP blocks alone.
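The PeerTime description in the Technical Analysis and the last two mitigation bullets both point at the same detection problem: recognising BitTorrent traffic on management networks where it has no business. The parser below is an added example, not PeerTime or Talos code, and it does not claim to know which part of the BitTorrent protocol PeerTime actually speaks (the reporting only says BitTorrent is used for C2 and payload download). It assumes raw TCP or UDP payload bytes have already been extracted (for instance from Zeek or a pcap tool), and the sample payloads are constructed. It recognises the standard peer-wire handshake (a 19-byte protocol string, 8 reserved bytes, a 20-byte info hash and a 20-byte peer ID) and bencoded DHT/KRPC messages, using a small bencode decoder that rejects truncated input.

```python
"""Flag BitTorrent peer-wire handshakes and bencoded DHT (KRPC) messages in raw payloads.

Added example, not PeerTime or Talos code. Assumes payload bytes are already
extracted per connection; SAMPLE_* payloads are constructed.
"""

HANDSHAKE_PSTR = b"BitTorrent protocol"


def parse_handshake(payload):
    """Return (info_hash_hex, peer_id) for a peer-wire handshake, else None."""
    if len(payload) < 68 or payload[0] != 19 or payload[1:20] != HANDSHAKE_PSTR:
        return None
    return payload[28:48].hex(), payload[48:68]   # 8 reserved bytes sit at [20:28]


def bdecode(data, i=0):
    """Minimal bencode decoder returning (value, next_offset).
    Raises ValueError on malformed or truncated input rather than looping."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                                   # dict: d<key><value>...e
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        start = colon + 1
        if start + n > len(data):
            raise ValueError("truncated string")
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {i}")


def classify_payload(payload):
    """Return ('peer-wire-handshake', {...}), ('dht-krpc', {...}) or None."""
    hs = parse_handshake(payload)
    if hs:
        return "peer-wire-handshake", {"info_hash": hs[0]}
    try:
        val, end = bdecode(payload)
    except (ValueError, IndexError):
        return None
    # KRPC messages are a single top-level dict with a 'y' type and a query or response.
    if isinstance(val, dict) and end == len(payload) and b"y" in val and (b"q" in val or b"r" in val):
        return "dht-krpc", {
            "type": val[b"y"].decode(errors="replace"),
            "query": val.get(b"q", b"").decode(errors="replace"),
        }
    return None


# Constructed payloads: a handshake with a recognisable info hash, a DHT ping, plain HTTP.
SAMPLE_HANDSHAKE = bytes([19]) + HANDSHAKE_PSTR + b"\x00" * 8 + bytes(range(20)) + b"-PT0001-" + b"x" * 12
SAMPLE_DHT_PING = b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, p in [("handshake", SAMPLE_HANDSHAKE), ("dht", SAMPLE_DHT_PING), ("http", SAMPLE_HTTP)]:
        print(name, "->", classify_payload(p))
```

Two caveats for deployment. Peer-wire sessions negotiated with message stream encryption carry no cleartext handshake, so this parser only catches unencrypted sessions and DHT traffic; pair it with the flow-level signal from the edge-device guidance above (one host talking to many transient peers on high ports). And a matched info hash is itself an indicator worth recording: if an implant retrieves payloads from a swarm, the hash identifies the payload across every peer that serves it.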
Further Reading
- Cisco Talos technical report on UAT-9244, TernDoor, PeerTime and BruteEntry
- BleepingComputer coverage of the UAT-9244 telecom targeting
- Google Cloud (Mandiant) on ORB networks in China-nexus cyber espionage
- ESET Research press release: FamousSparrow activity and public reporting context

