The group, tracked as UAT-9244, operates against both Windows and Linux-based endpoints, as well as network edge devices — the embedded hardware that telecom providers depend on to route and manage communications.
What makes this campaign stand out is not just who is targeted, but how methodically the attackers built a toolkit to compromise, persist, and expand their reach.
UAT-9244’s arsenal consists of three malware tools, each purpose-built for a different role. TernDoor is a Windows backdoor and a new variant of the previously documented CrowDoor malware.
PeerTime is a Linux-based backdoor that leverages the BitTorrent protocol to communicate and execute tasks on infected systems — an unusual approach that lets malicious traffic blend in with regular peer-to-peer activity on the network.
The third tool, BruteEntry, transforms compromised edge devices into Operational Relay Boxes (ORBs), which are directed to brute-force SSH, PostgreSQL, and Apache Tomcat servers, giving the attackers a constantly expanding foothold.
Cisco Talos researchers identified UAT-9244 and assessed with high confidence that the group closely overlaps with FamousSparrow and Tropic Trooper, two known China-nexus APTs.
This conclusion is based on shared tooling, overlapping tactics, and similar victim targeting across all three groups. TernDoor traces its lineage back through CrowDoor to SparrowDoor, a backdoor long attributed to FamousSparrow.
Additionally, the PeerTime instrumentor binary contains debug strings written in Simplified Chinese, providing a strong linguistic indicator that ties the campaign directly to Chinese-speaking threat operators.
The scope of this operation is significant for the telecommunications sector. Talos researchers found a shared SSL certificate linked to 18 IP addresses likely used by UAT-9244’s command-and-control infrastructure, revealing a broad and well-resourced network.
While both UAT-9244 and the separately tracked Salt Typhoon target telecom providers, Talos has not confirmed a direct connection between the two groups.
Even so, the pattern of multiple China-aligned actors focusing on telecom infrastructure highlights how valuable these networks are for state-sponsored intelligence collection.
TernDoor’s Infection Chain and Persistence Tactics
TernDoor’s deployment begins with DLL side-loading, where a benign Windows executable named wsprint.exe is used to load a malicious file called BugSplatRc64.dll.
This loader reads an encoded file from disk and decrypts it using the hardcoded key qwiozpVngruhg123, then executes the resulting shellcode entirely in memory, as shown in.
Running the payload in memory rather than writing it to disk lets the attacker sidestep file-based detection methods that security tools traditionally rely on.
Once active, the shellcode decompresses and launches TernDoor, which is injected into the legitimate Windows process msiexec.exe — a deliberate choice to conceal its presence within routine system behavior.
The implant then decodes its internal configuration, which holds the C2 IP address, retry count, port number, and a custom User-Agent string for outbound communication.
From this point, TernDoor can execute remote commands, read and write files, collect system details, and communicate back to its operator.
To survive reboots, TernDoor creates a scheduled task named “WSPrint” and then alters registry keys tied to that task to hide it from standard system views.
It also sets a Registry Run key to restart the malware at every user login, maintaining two separate persistence pathways simultaneously. TernDoor additionally drops a Windows driver named WSPrint.sys and activates it as a system service.
This driver creates a virtual device that TernDoor uses to suspend, resume, or terminate processes — a direct method for disabling active security tools on the same machine.
Security teams should audit scheduled tasks and Registry Run keys for unauthorized entries, watch for DLL side-loading events in application directories, and restrict unsigned kernel driver execution.
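The following PowerShell hunt is an added example, not Talos tooling or code from the article: it checks a Windows host for the three TernDoor persistence artefacts described above (the "WSPrint" scheduled task, a Run key restarting the implant, and the WSPrint.sys driver service). The indicator names come from the article; the registry paths and the hidden-task heuristic (a TaskCache\Tree entry with an Id but no SD value) are this example's own assumptions.

```powershell
# Hunt for TernDoor persistence artefacts named in the article. Indicator
# names are taken from the article; paths and heuristics are assumptions.
$Indicators = @('WSPrint', 'wsprint.exe', 'BugSplatRc64.dll')
$Pattern    = $Indicators -join '|'
$Findings   = @()

# 1. Scheduled tasks: the visible list, plus the TaskCache registry tree.
#    A task whose Tree entry has an Id but no "SD" (security descriptor)
#    value is hidden from Task Scheduler and schtasks; flag it.
Get-ScheduledTask -ErrorAction SilentlyContinue |
  Where-Object { $_.TaskName -match $Pattern } |
  ForEach-Object { $Findings += "Task: $($_.TaskPath)$($_.TaskName)" }

$Tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
Get-ChildItem -Path $Tree -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
  $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
  if ($props.Id -and $null -eq $props.SD) {
    $Findings += "Hidden task (no SD value): $($_.PSChildName)"
  }
}

# 2. Run keys (per-machine and per-user) referencing the side-loading host.
$RunKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
  $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
  if ($null -eq $props) { continue }
  $props.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $Pattern } |
    ForEach-Object { $Findings += "Run key: $key\$($_.Name) = $($_.Value)" }
}

# 3. Kernel driver services and the signature status of their binaries.
Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
  Where-Object { $_.Name -match 'WSPrint' -or $_.PathName -match 'WSPrint\.sys' } |
  ForEach-Object {
    $path = $_.PathName -replace '^\\\?\?\\', ''
    $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'missing' }
    $Findings += "Driver service: $($_.Name) -> $path (signature: $sig, state: $($_.State))"
  }

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No TernDoor persistence indicators found.' }
```

Run it from an elevated PowerShell session, since the TaskCache tree and driver binaries are not readable by standard users.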
Blocking known UAT-9244 C2 IP ranges and deploying ClamAV signatures — including Win.Malware.TernDoor, Unix.Malware.BruteEntry, and Unix.Malware.PeerTime — alongside SNORT rule SID 65551, is strongly advised for protecting telecommunications infrastructure from this threat.
The post China-Nexus Hackers Attacking Telecommunication Providers With New Malware appeared first on Cyber Security News.