In the midst of intensifying geopolitical competition in cyberspace, a previously undetected cyberattack linked to China is quietly unfolding across South America's telecommunications industry since 2024.
Cisco Talos researchers have reported that the operation represents a methodical and deeply embedded effort to secure long-term access to core communications infrastructure -- an objective which goes well beyond opportunistic intrusions.
The group is responsible for the UAT-9244 malware, a suite of tools engineered not only for initial compromise but also for durability, stealth, and sustained intelligence collection.
A number of analysts have noted that this campaign's tactics, techniques, and operational overlaps have a strong resemblance to those of Chinese advanced persistent threat actors like Famous Sparrow and Tropic Trooper, suggesting a shared tooling framework, coordination of activities, or a broader strategic alignment.
As a result of this campaign's apparent emphasis on maintaining uninterrupted footholds within telecom environments, which underpin national connectivity, sensitive data flows, and, by extension, elements of sovereign control, are apparent to have been paramount. In embedding themselves within these networks, operators position their capabilities at a crucial vantage point where surveillance, data interception, and disruption can all converge.
According to the findings, telecommunications companies are no longer peripheral targets, but rather are central elements in state-aligned intelligence gathering. This reflects a dramatic shift in modern cyber warfare towards infrastructure-level persistence.
On the basis of these observations, Cisco Talos researchers believe the activity cluster has a strong operational affinity with Famous Sparrow and Tropic Trooper, while remaining sufficiently distinct to qualify for its own classification.
The attribution does not rely on any particular indicator, but instead on a convergence of technical evidence, including shared tooling characteristics, overlapping tactics, techniques, and procedures, as well as a unified victimology focused on telecommunications infrastructure.
A comparison between the targeting profile and campaigns attributed to Salt Typhoon cannot be established without establishing a definitive link, suggesting either parallel operational tracks or compartmentalized tasking within the context of a broad state-aligned actor ecosystem.
In addition to the three previously undocumented malware families in the intrusion set, a variety of newly developed malware families have been specifically developed to provide resilience in heterogeneous telecom environments.
There are several backdoors that are designed for covert persistence and flexible post-exploitation control, including TernDoor.
he malware deploys itself using DLL side-loading, by abusing the legitimate wsprint.exe executable to load the malicious library BugSplatRc64.dll, which, in turn, decrypts and executes the payload directly in memory by injecting it into msiexec.exe, thereby minimizing its forensic impact.
It also includes a kernel-level component, WSPrint.sys, which enables granular manipulation of system processes, such as terminating, suspending, or resuming them, improving evasion as well as operational stability.
A layering of persistence mechanisms is created through scheduled tasks and carefully crafted modifications to the Windows Registry, as well as additional steps taken to obscure these artifacts from routine examination.
Additionally, the malware is capable of performing many operator-controlled actions, including remote shell execution, initiation of arbitrary processes, file system interaction, reconnaissance, and even controlled self-removal, underscoring a level of engineering consistent with long-term intelligence-driven campaigns rather than transient intrusions.
Considering the historical context of this threat landscape further reinforces the assessment of continuity.
It is believed that Famous Sparrow has been operating since at least 2019, consistently targeting sectors such as the hospitality industry, government institutions, international organizations, and legal services, whereas Tropic Trooper has been in business since 2011, concentrating on government entities, transportation systems, and advanced technology industries across a range of regions, including Taiwan, Philippines, and Hong Kong, as well as more recently in the Middle East.
In light of this background, the current campaign's focus on telecommunication networks illustrates a deliberate preference for infrastructure that aggregates vast amounts of sensitive information related to communications, positioning compromised environments as strategic vantage points for the collection of long-term intelligence.
There was a coordinated deployment of three malware families within the intrusions, including TernDoor, PeerTime, and BruteEntry, each designed to fulfil a specific operational role across heterogeneous networks.
Apparently, TernDoor, an implant for Windows, can be traced back to earlier implants like CrowDoor and SparrowDoor, underscoring the iterative nature of the development process within established espionage working groups.
In order to execute the malware, it uses DLL side-loading, by manipulating trusted executables in order to load malicious libraries that decrypt and inject the payload into msiexec.exe, which allows the malware to operate under the guise of legitimate system activity.
Upon establishing the implant, remote command execution, system reconnaissance, and file manipulation are available, while persistence is enhanced by scheduling tasks and registry-based autorun mechanisms designed to avoid routine inspection.
As a result of the malicious kernel driver, the campaign has a greater ability to bypass security controls since it is capable of suspending or terminating processes. Furthermore, PeerTime extends the campaign’s reach to Linux-based infrastructure commonly used in telecom environments, including servers, routers, and embedded systems.
The ELF binary is compatible with multiple architectures including ARM, MIPS, PowerPC, and AArch64 and demonstrates a deliberate effort to maximize operational coverage. As a result of this design choice, it obscures infrastructure dependencies and complicates attribution and detection by utilizing BitTorrent protocol to retrieve instructions and secondary payloads from distributed peers, diverging from conventional command-and-control paradigms.
An embedded debug string in Simplified Chinese within associated binaries serves as an additional linguistic indicator that aligns the activity with Chinese-speaking operators. Additionally, the malware can masquerade as legitimate processes while executing commands and facilitating lateral file transfers between compromised hosts in addition to executing commands.
A third component, BruteEntry, allows for expansion of the threat by transforming compromised edge devices into operational relay boxes that serve as distributed scanning nodes in the event that they are compromised.
By using predefined credential sets, the tool systematically probes exposed services, including SSH, Postgres, and Tomcat, using attacker-controlled infrastructure that receives target lists.
Authentication attempts that are successful are relayed back to command infrastructure, effectively converting compromised systems into contributors within a broader framework of reconnaissance and access acquisition.
As a result of this distributed approach, operators can scale credential harvesting efforts across large address spaces while minimizing the exposure of their core infrastructure to direct exposure.
This study matches a larger pattern of cyberespionage activity targeting global telecommunications providers, which is increasingly recognized as a critical sector for both national security and intelligence.
The scope of Salt Typhoon's campaigns has already been demonstrated with incidents spanning multiple major carriers in the United States and dozens of countries worldwide, and this activity is believed to be continuing into early 2026.
A renewed focus on infrastructure-centric operations aiming to secure enduring access to the world's communications backbones is underscored by the emergence of UAT-9244 and its tailored malware ecosystem.
In further investigation of the Linux-oriented component, it becomes evident that the architecture is intentionally designed to facilitate operation across diverse hardware environments.
PeerTime has been designed to support multiple processor architectures including ARM, MIPS, PowerPC, and AArch64 so it can propagate across a wide range of devices, including routers, network appliances, and embedded systems, that are essential components of modern telecommunications infrastructures.
The deployment of the application is managed by a shell-based installation procedure, which introduces both a loader and a secondary "instrumentor" module, the latter of which facilitates operational management and control of execution.
Typically, when containerization is implemented, particularly when Docker is used, the loader is executed within a container context, a technique aligned with contemporary infrastructure practices but also provides a layer of abstraction, thereby complicating detection and forensic analysis.
Additionally, by utilizing BruteEntry, the campaign is systematically extending its reach beyond initially compromised hosts in parallel to this foothold.
Specifically, Cisco Talos has documented that the tool is specifically designed to convert infected Linux systems especially edge-facing devices into operational relay boxes that can conduct large-scale scanning operations and credential harvesting operations.
Upon deployment, BruteEntry communicates with attacker-controlled command infrastructure, from which it receives dynamically assigned IP addresses for reconnaissance.
This application probes common enterprise and telecommunications services, including SSH endpoints, PostgreSQL databases, and Apache Tomcat management interfaces, using predefined credential sets that are then matched by a structured brute-force approach.
As successful authentication attempts are relayed back to the command infrastructure, attackers are effectively able to pivot laterally and incrementally expand their access across interconnected systems as a consequence.
By using modular tooling coordinated in this way, a deliberate strategy to enhance scalability and persistence can be seen, with each compromised node contributing to an overall reconnaissance and intrusion framework.
Especially significant is the emphasis placed on telecommunication providers, as these entities provide access to vast volumes of sensitive communications and metadata by operating at the convergence of data flow and network control.
Their positioning enables them to act not only as a target of opportunity but also as critical assets in a broader context of state-aligned intelligence gathering, where sustained access can offer both immediate and long-term benefits.
It is important for telecommunications operators to take note of these findings and to reassess their defensive posture in the face of highly persistent, state-sponsored threats designed to disrupt operations for extended periods of time rather than to create short-term disruptions.
In environments where adversaries actively blend into legitimate system processes and take advantage of trusted execution paths, traditional perimeter-based controls are no longer sufficient.
In order to protect critical network assets, a shift is becoming increasingly important toward continuous monitoring, behavior-based threat detection, and rigorous segmentation is needed.
Edge devices are being hardened, credential policies are being enforced, and containerized environments are being audited in particular, since they are emerging as attractive platforms for covert operations.
Additionally, proactive threat hunting and intelligence sharing across sectors are essential, as campaigns of this nature often unfold slowly across multiple jurisdictions and often take a long time to complete.
An organization can improve early detection and limit lateral movement by identifying anomalous activity based on known adversarial patterns and maintaining visibility across Windows and Linux ecosystems.
As a result of the persistence and adaptability demonstrated in this operation, cyberespionage strategy has evolved with silent access to critical infrastructure being prioritized over overt disruption putting the onus on defenders to adopt security frameworks that are equally adaptive and intelligence-driven.
