
Researchers said the group has attacked critical telecommunications infrastructure in South America and focused on Windows systems, Linux endpoints, and network edge devices. Talos assessed with high confidence that UAT-9244 is closely tied to the China-aligned group Famous Sparrow.
The campaign stands out because it uses three different malware families to expand access and maintain long-term control inside telecom environments.
These tools are named TernDoor, PeerTime, and BruteEntry. Together, they give the attackers remote access, hidden persistence, peer-to-peer control, and the ability to turn compromised devices into scanning and brute-force platforms.
TernDoor and PeerTime Expand Access
TernDoor is a newly observed backdoor and a variant of the previously known CrowDoor malware. Talos found that the attackers used DLL side-loading to launch it.
In this technique, a legitimate executable, wsprint.exe, loads a malicious DLL, BugSplatRc64.dll, which reads and decrypts another file and then runs the final payload in memory.
TernDoor can collect system details, run commands, create processes, read and write files, and connect to a command-and-control server.
It also includes an encrypted Windows driver, WSPrint.sys, that can suspend, resume, or terminate processes. This likely helps the malware avoid detection and interfere with security tools.
For persistence, the attackers used a scheduled task named WSPrint or a Registry Run key to automatically restart the malware after a reboot or user login.
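As an added hunting example (not Talos's code or part of the original article), the following Python checks constructed Sysmon-style event records for the TernDoor side-load chain, driver load and persistence artifacts named above; the event field layout and the file paths in the sample records are assumptions.

```python
import re

# Indicators taken from the article; event layout and file paths are constructed.
HOST_EXE = "wsprint.exe"          # legitimate binary abused as the side-load host
MALICIOUS_DLL = "bugsplatrc64.dll"
DRIVER = "wsprint.sys"
TASK_NAME = "wsprint"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)

def basename(path):
    """Last path component, lower-cased, for case-insensitive comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return [(rule_name, detail), ...] for events matching the TernDoor chain."""
    findings = []
    for ev in events:
        t = ev["type"]
        # Rule 1: the legitimate host executable loading the malicious DLL
        if t == "image_load" and basename(ev["image"]) == HOST_EXE \
                and basename(ev["loaded"]) == MALICIOUS_DLL:
            findings.append(("terndoor_sideload", ev["loaded"]))
        # Rule 2: the bundled driver being loaded
        elif t == "driver_load" and basename(ev["image"]) == DRIVER:
            findings.append(("terndoor_driver", ev["image"]))
        # Rule 3: scheduled-task persistence under the name WSPrint
        elif t == "task_create" and ev["name"].lower() == TASK_NAME:
            findings.append(("terndoor_task_persistence", ev["command"]))
        # Rule 4: Run-key persistence pointing back at the side-load host
        elif t == "registry_set" and RUN_KEY_RE.search(ev["key"]) \
                and basename(ev["value"]) == HOST_EXE:
            findings.append(("terndoor_runkey_persistence", ev["key"]))
    return findings

# Constructed sample events (Sysmon-like, simplified); the first one is benign.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
    {"type": "image_load", "image": r"C:\ProgramData\WSPrint\wsprint.exe",
     "loaded": r"C:\ProgramData\WSPrint\BugSplatRc64.dll"},
    {"type": "driver_load", "image": r"C:\ProgramData\WSPrint\WSPrint.sys"},
    {"type": "task_create", "name": "WSPrint",
     "command": r"C:\ProgramData\WSPrint\wsprint.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WSPrint",
     "value": r"C:\ProgramData\WSPrint\wsprint.exe"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```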
Talos also found PeerTime, an ELF-based backdoor designed for Linux and embedded devices across several CPU architectures. PeerTime uses the BitTorrent protocol to exchange command-and-control information, download files, and execute them on infected systems.
Researchers said this gives the malware flexible peer-to-peer communication and supports attacks on a wide range of devices.
Talos noted that some parts of the tool contained Simplified Chinese debug strings, adding to the assessment that Chinese-speaking operators developed or deployed it.
BruteEntry Turns Devices into Attack Nodes
The third tool, BruteEntry, is a Go-based brute-force scanner typically installed on network edge devices. Its role is to convert compromised systems into operational relay boxes, or ORBs.
According to Talos Intelligence research, these ORBs are then used as proxy nodes to scan and brute-force external services such as SSH, Postgres, and Tomcat.
After registering with its command server, BruteEntry receives task lists containing target IP addresses and service types.
It then attempts to use embedded credentials against the targets and reports successful logins back to the command server. This allows the attackers to use infected telecom infrastructure as a platform for broader intrusion activity.
Talos said the activity overlaps with Famous Sparrow and Tropic Trooper in tooling and tactics. However, no confirmed link has been established with Salt Typhoon.
The post China-Linked Hackers Target Telecom Providers With New Malware appeared first on Cyber Security News.
