Full Report
A China-linked advanced persistent threat (APT) actor has been targeting critical telecommunications infrastructure in South America since 2024, targeting Windows and Linux systems and edge devices with three different implants. The activity is being tracked by Cisco Talos under the moniker UAT-9244, describing it as closely associated with another cluster known as FamousSparrow. It's worth
Analysis Summary
# Threat Actor: UAT-9244
## Attribution & Identity
* **Actor Identification:** UAT-9244 (Cisco Talos moniker).
* **Aliases:** Closely associated with **FamousSparrow**.
* **Known Associations:** Shares tactical overlaps and targeting signatures with **Salt Typhoon** (China-nexus espionage group), though conclusive evidence linking the two is currently unavailable.
* **Origin:** China-linked / Chinese-speaking (evidenced by Simplified Chinese debug strings in custom binaries).
## Activity Summary
UAT-9244 has been active since at least 2024, specifically focusing on critical telecommunications infrastructure. The group conducts sophisticated cyber espionage campaigns characterized by the deployment of undocumented, multi-platform malware targeting Windows, Linux, and edge network devices. Recent activity (November 2024–March 2026) highlights a shift toward using memory-resident implants and peer-to-peer (P2P) infrastructure.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of outdated versions of Windows Server and Microsoft Exchange Server.
* **Web Shell Deployment:** Utilization of web shells for follow-on post-exploitation activity.
* **Persistence:** Use of Scheduled Tasks and Registry Run keys.
* **DLL Side-Loading:** Leveraging legitimate executables (e.g., `wsprint.exe`) to load malicious DLLs (`BugSplatRc64.dll`).
* **Evasion:**
  * Injecting malicious code into legitimate processes (e.g., `msiexec.exe`).
  * Memory-resident execution of final payloads to avoid disk-based detection.
  * Renaming malicious processes to mimic harmless system files.
  * Use of custom Windows drivers to suspend/terminate security-related processes.
* **C2 Communication:** Use of BitTorrent (P2P) protocols for C2 parameter extraction and file transfer.
* **Brute Forcing:** Implementation of scanner nodes within Operational Relay Boxes (ORBs).
**MITRE ATT&CK IDs Mentioned/Implied:**
* T1574.002 (DLL Side-Loading)
* T1053.005 (Scheduled Task)
* T1547.001 (Registry Run Keys)
* T1562.001 (Disable or Modify Tools)
* T1059.004 (Unix Shell scripts)
* T1110 (Brute Force)
## Targeting
* **Sectors:** Critical Telecommunications.
* **Geography:** South America.
* **Victims:** Telecom service providers and potentially organizations using edge devices vulnerable to ORB exploitation.
## Tools & Infrastructure
* **Malware Families:**
  * **TernDoor:** (Windows) A variant of Crowdoor/SparrowDoor; supports system info collection, file manipulation, and driver deployment.
  * **PeerTime (aka angrypeer):** (Linux/Embedded) A P2P backdoor compiled for multiple architectures (ARM, AARCH, PPC, MIPS). Available in C++ and Rust variants.
  * **BruteEntry:** (Edge Devices) A Golang-based scanner/proxy used for brute-forcing Postgres, SSH, and Tomcat servers.
* **Infrastructure:**
  * **Operational Relay Boxes (ORBs):** Compromised edge devices turned into proxy nodes.
  * **C2 Parameters:** Extracted via P2P protocols or decrypted from configuration files.
* **Files:** `wsprint.exe`, `BugSplatRc64.dll`.
## Implications
The targeting of telecommunications infrastructure in South America indicates a strategic espionage objective aimed at intercepting communications or monitoring sensitive data traffic. The use of multi-architecture malware (PeerTime) and the conversion of edge devices into ORBs demonstrate a high level of technical sophistication and a desire for long-term, resilient persistence within victim networks.
## Mitigations
* **Patch Management:** Prioritize patching of public-facing Microsoft Exchange and Windows Servers to prevent initial web shell deployment.
* **Endpoint Monitoring:** Monitor for DLL side-loading (specifically checking `wsprint.exe`) and unexpected `msiexec.exe` activity.
* **Network Security:** Implement egress filtering to detect BitTorrent-based C2 traffic from non-standard systems (e.g., servers and edge devices).
* **Credential Hygiene:** Enforce strong password policies and multi-factor authentication (MFA) on Postgres, SSH, and Tomcat services to defend against BruteEntry.
* **Integrity Checks:** Regularly audit Scheduled Tasks and Registry Run keys for unauthorized persistence mechanisms.
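As an added example (not Cisco Talos code) of the Endpoint Monitoring item above, the following detection logic checks Sysmon Event ID 7 (image load) records for the `wsprint.exe` / `BugSplatRc64.dll` side-loading pair named in the report. The events are assumed to be already parsed into dicts with Sysmon's `Image`, `ImageLoaded` and `Signed` fields; the sample events and the trusted-directory list are constructed and should be tuned to the environment.

```python
import ntpath

# Assumption: directories from which a legitimate host binary is expected to
# load signed libraries. Anything unsigned loaded from elsewhere is suspect.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)
SIDELOAD_HOST = "wsprint.exe"      # legitimate executable abused per the report
MALICIOUS_DLL = "bugsplatrc64.dll"  # malicious DLL named in the report

def check_image_load(evt):
    """Return an alert string for a Sysmon Event ID 7 record, or None."""
    if evt.get("EventID") != 7:
        return None
    proc = ntpath.basename(evt["Image"]).lower()
    dll_path = evt["ImageLoaded"].lower()
    dll = ntpath.basename(dll_path)
    signed = str(evt.get("Signed", "false")).lower() == "true"
    # Known-bad DLL name: alert regardless of which process loaded it.
    if dll == MALICIOUS_DLL:
        return f"{proc} loaded known-bad DLL {dll} ({dll_path})"
    # Side-load heuristic: the abused host loading an unsigned DLL from an
    # unexpected location (attackers drop their DLL next to the host binary).
    if proc == SIDELOAD_HOST and not signed and not dll_path.startswith(TRUSTED_DLL_DIRS):
        return f"{proc} side-load suspect: unsigned {dll} from {dll_path}"
    return None

def scan(events):
    """Run the check over a batch of events and return all alerts."""
    return [a for a in (check_image_load(e) for e in events) if a]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Users\\Public\\wsprint.exe",
     "ImageLoaded": "C:\\Users\\Public\\BugSplatRc64.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\wsprint.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\ProgramData\\BugSplatRc64.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\wsprint.exe",
     "ImageLoaded": "C:\\Users\\Public\\helper.dll", "Signed": "false"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /V"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```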