China-Linked Hackers Quietly Target Telecom Networks Across South America

Security researchers uncover a long-running cyber espionage campaign using new malware implants across Windows, Linux, and network edge devices

Cybersecurity researchers have identified a China-linked advanced persistent threat (APT) targeting telecommunications infrastructure across South America since 2024. The campaign focuses on gaining long-term access to telecom networks by deploying specialized malware across multiple operating systems and network devices.

The activity is being tracked by Cisco Talos under the name UAT-9244, a threat cluster believed to be closely associated with the previously known espionage group FamousSparrow.

Researchers say the group’s tactics show similarities to Salt Typhoon, another China-aligned threat actor known for targeting telecommunications providers. However, investigators have not yet confirmed a direct operational link between the groups.

New Malware Implants Discovered

During their investigation, researchers discovered three previously undocumented implants designed to compromise different parts of telecom infrastructure.

Implant               Target System           Purpose
TernDoor              Windows servers         Remote access and command execution
PeerTime (angrypeer)  Linux systems           Peer-to-peer backdoor communication
BruteEntry            Network edge devices    Mass scanning and brute-force attacks

These tools allow attackers to maintain persistent access and move laterally within networks.

Windows Backdoor: TernDoor

The Windows implant TernDoor is delivered using a technique known as DLL side-loading.

Attackers abuse a legitimate executable (wsprint.exe) to load a malicious DLL (BugSplatRc64.dll), which decrypts and launches the backdoor directly in memory.

Once active, the malware can:

  • Create new processes
  • Execute arbitrary commands
  • Read and write files
  • Collect system information
  • Install drivers to hide malicious components

TernDoor also establishes persistence using scheduled tasks or Windows registry run keys, allowing attackers to survive system reboots.
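The two TernDoor behaviours described above, DLL side-loading and persistence through scheduled tasks or run keys, are both visible in ordinary endpoint telemetry. The following Python script is an added example, not code from the article or from Cisco Talos: it runs three small detection rules over Sysmon-style image-load (event 7) and registry-set (event 13) records and Security event 4698 (scheduled task created). The event dictionaries are constructed samples, the "C:\Users\Public\Update" folder is an assumed drop location, and the list of trusted DLL directories and task command prefixes is a starting baseline you would tune to your own estate.

```python
import ntpath
from collections import namedtuple

# Directories from which a DLL load is considered expected on a default
# Windows install (assumption; extend for your own baseline).
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\windows\\winsxs",
)

# Registry value paths the article names as persistence locations.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Where a legitimate scheduled-task command is expected to live (assumption).
TRUSTED_TASK_PREFIXES = ("c:\\windows\\", "c:\\program files")

Finding = namedtuple("Finding", "rule subject detail")


def _norm(path):
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _in_trusted_dir(path):
    return any(path.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def check_image_load(event):
    """Sysmon event 7 (image loaded): Image is the process, ImageLoaded the DLL.
    Flags an unsigned DLL loaded from the same non-system directory as its host
    EXE, the shape of wsprint.exe pulling in BugSplatRc64.dll."""
    exe, dll = _norm(event["Image"]), _norm(event["ImageLoaded"])
    if _in_trusted_dir(dll):
        return None
    same_dir = ntpath.dirname(exe) == ntpath.dirname(dll)
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    if same_dir and unsigned:
        return Finding("dll_sideload", exe, "unsigned DLL from EXE directory: " + dll)
    return None


def check_registry_set(event):
    """Sysmon event 13 (registry value set): TargetObject is the value written."""
    target = _norm(event["TargetObject"])
    if any(marker in target for marker in RUN_KEY_MARKERS):
        return Finding("run_key_persistence", _norm(event["Image"]),
                       target + " = " + event.get("Details", ""))
    return None


def check_task_create(event):
    """Security event 4698 (scheduled task created). The real event carries the
    task XML; Command is assumed here to hold the <Command> element already extracted."""
    cmd = _norm(event.get("Command", ""))
    if cmd and not cmd.startswith(TRUSTED_TASK_PREFIXES):
        return Finding("scheduled_task_persistence", event["TaskName"], cmd)
    return None


RULES = {7: check_image_load, 13: check_registry_set, 4698: check_task_create}


def scan(events):
    """Run every event through the rule registered for its EventID."""
    findings = []
    for ev in events:
        rule = RULES.get(ev["EventID"])
        if rule is not None:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not real campaign data). The Update folder
# path is an assumption standing in for wherever the side-loading pair lands.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\Update\\wsprint.exe",
     "ImageLoaded": "C:\\Users\\Public\\Update\\BugSplatRc64.dll", "Signed": "false"},
    {"EventID": 13, "Image": "C:\\Users\\Public\\Update\\wsprint.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\Public\\Update\\wsprint.exe"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\UpdateCheck",
     "Command": "C:\\Users\\Public\\Update\\wsprint.exe"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "C:\\Windows\\System32\\defrag.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

The side-loading rule deliberately keys on the relationship between the EXE and the DLL (same directory, outside the system folders, no valid signature) rather than on the file names, so it still fires when the attacker renames the pair; the two persistence rules are the cheap counterpart to the article's advice to watch scheduled tasks and run keys.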

Linux Backdoor: PeerTime

Researchers also discovered a Linux backdoor called PeerTime, designed to infect a wide range of systems including embedded devices.

The malware supports multiple architectures such as:

  • ARM
  • AARCH
  • PPC
  • MIPS

The loader decrypts and executes the payload in memory, allowing the malware to avoid leaving obvious artifacts on disk.

Unlike traditional backdoors, PeerTime uses the BitTorrent protocol to communicate with command-and-control servers and download additional payloads.

This peer-to-peer design helps attackers hide their infrastructure and makes detection more difficult.
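Because PeerTime ships builds for several CPU architectures, an inventory of which architectures the ELF files on a host are actually compiled for is a useful first pass (a MIPS or PowerPC executable on an x86-64 server has no business being there). The Python below is an added example, not code from the article or from Cisco Talos: it decodes the ELF identification bytes and e_machine field from the first 20 bytes of a file, summarises architectures, and lists binaries that do not match the host. The sample headers are constructed in the script (header bytes only, no code); the article's "AARCH" is taken to mean AArch64, the 64-bit ARM target.

```python
import struct
from collections import Counter

# e_machine values from the ELF specification (System V ABI), covering the
# targets the article lists plus the usual server architectures.
E_MACHINE = {
    0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x15: "PowerPC64",
    0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64",
}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data):
    """Decode e_ident, e_type and e_machine from the first 20 bytes of a file.
    Returns None if the bytes are not a well-formed ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]      # 1/2 = 32/64-bit, 1/2 = LE/BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "arch": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
    }


def classify(samples):
    """Map {name: header bytes} to {name: parsed header or None}."""
    return {name: parse_elf_header(data) for name, data in samples.items()}


def foreign_binaries(samples, host_arch):
    """Names of ELF files whose architecture does not match the host."""
    return sorted(name for name, hdr in classify(samples).items()
                  if hdr is not None and hdr["arch"] != host_arch)


def arch_summary(samples):
    """Count of ELF files per architecture (non-ELF inputs are skipped)."""
    return Counter(hdr["arch"] for hdr in classify(samples).values() if hdr)


def read_header(path):
    """For real files: only the first 64 bytes are needed."""
    with open(path, "rb") as fh:
        return parse_elf_header(fh.read(64))


def _header(ei_class, ei_data, e_type, e_machine):
    """Build a minimal constructed ELF header (16-byte e_ident + e_type + e_machine)."""
    endian = "<" if ei_data == 1 else ">"
    return (b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
            + struct.pack(endian + "HH", e_type, e_machine))


# Constructed samples: headers only, not files from the campaign. The paths
# are illustrative, not indicators.
SAMPLES = {
    "bin/ls": _header(2, 1, 3, 0x3E),                 # x86-64, PIE (DYN)
    "tmp/.cache/svc": _header(1, 1, 2, 0x28),         # 32-bit little-endian ARM
    "tmp/.cache/svc64": _header(2, 1, 3, 0xB7),       # AArch64
    "tmp/.cache/svc_mips": _header(1, 2, 2, 0x08),    # big-endian MIPS
    "tmp/.cache/svc_ppc": _header(1, 2, 2, 0x14),     # big-endian PowerPC
    "tmp/run.sh": b"#!/bin/sh\necho hi\n",            # not an ELF file
}

if __name__ == "__main__":
    print(dict(arch_summary(SAMPLES)))
    print("foreign to x86-64:", foreign_binaries(SAMPLES, "x86-64"))
```

On a live system you would feed read_header the paths from a filesystem walk (or from a package-manager verification pass to exclude known files) and review whatever foreign_binaries returns; an in-memory loader leaves the decrypted payload off disk, but the loader itself and any staged builds for other architectures are still files.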

Edge Device Malware: BruteEntry

The campaign also includes a tool called BruteEntry, which targets network edge devices such as routers and servers.

Once installed, the malware converts compromised systems into Operational Relay Box (ORB) nodes, allowing attackers to launch large-scale brute-force attacks.

The tool attempts to crack credentials for services such as:

  • PostgreSQL databases
  • SSH servers
  • Apache Tomcat

Successful logins are then reported back to attacker-controlled infrastructure.
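The brute-forcing BruteEntry performs against SSH and PostgreSQL shows up on the receiving side as bursts of failed logins from one source, often spread across services and usernames. The Python below is an added example, not code from the article or from Cisco Talos: it parses sshd failures in traditional syslog format and PostgreSQL authentication failures, then alerts on any source address that reaches a failure threshold inside a sliding time window. The log lines are constructed (RFC 5737 test addresses); it assumes the PostgreSQL log_line_prefix is '%t [%p] %h ' so the client host appears in the line, and since syslog timestamps carry no year the year is passed in.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# sshd failure in traditional syslog format (no year in the timestamp).
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# PostgreSQL failure; assumes log_line_prefix = '%t [%p] %h ' (client host present).
PG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \[\d+\] (?P<ip>\S+) FATAL:\s+"
    r"password authentication failed for user \"(?P<user>[^\"]+)\"")

Failure = namedtuple("Failure", "ts ip service user")
Alert = namedtuple("Alert", "ip failures users services first_seen last_seen")


def parse_line(line, year):
    """Return a Failure for a recognised failed-login line, else None."""
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        return Failure(ts, m["ip"], "ssh", m["user"])
    m = PG_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return Failure(ts, m["ip"], "postgresql", m["user"])
    return None


def detect_bruteforce(lines, year=2024, threshold=5, window=timedelta(minutes=5)):
    """Alert on any source that accumulates `threshold` failed logins, across
    services, inside a sliding `window`. Returns {ip: Alert} for the first
    window per source that crosses the threshold."""
    failures = sorted((f for f in (parse_line(l, year) for l in lines) if f),
                      key=lambda f: f.ts)
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f.ip].append(f)
    alerts = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1                      # slide the window forward
            if end - start + 1 >= threshold:
                hit = fails[start:end + 1]
                alerts[ip] = Alert(ip, len(hit), {f.user for f in hit},
                                   {f.service for f in hit}, hit[0].ts, hit[-1].ts)
                break
    return alerts


# Constructed sample log lines (not real telemetry). 203.0.113.7 sprays
# SSH and PostgreSQL; 198.51.100.4 is a user who mistyped a password once.
SAMPLE_LOG = [
    "May  1 10:00:01 edge01 sshd[2210]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "May  1 10:00:03 edge01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2",
    "May  1 10:00:05 edge01 sshd[2212]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2",
    '2024-05-01 10:00:07 UTC [4410] 203.0.113.7 FATAL:  password authentication failed for user "postgres"',
    '2024-05-01 10:00:09 UTC [4411] 203.0.113.7 FATAL:  password authentication failed for user "admin"',
    "May  1 10:00:11 edge01 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2",
    "May  1 10:02:30 edge01 sshd[2290]: Failed password for alice from 198.51.100.4 port 40122 ssh2",
    "May  1 10:02:41 edge01 sshd[2290]: Accepted password for alice from 198.51.100.4 port 40122 ssh2",
]

if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {a.failures} failures, services={sorted(a.services)}, "
              f"users={sorted(a.users)}, {a.first_seen:%H:%M:%S}-{a.last_seen:%H:%M:%S}")
```

Counting failures per source across both services is the point: a tool that rotates between SSH and PostgreSQL keeps each individual service below a per-service threshold, so correlating on the source address catches what per-daemon lockout rules miss.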

Possible Initial Access Methods

Although researchers have not confirmed the exact entry point used in the campaign, previous activity linked to the group suggests exploitation of:

  • Outdated Windows Server installations
  • Vulnerable Microsoft Exchange Server systems
  • Web shell deployment on exposed servers

These vulnerabilities allow attackers to establish a foothold before deploying malware implants.

Telecommunications Remain a Strategic Target

Telecommunications providers remain highly attractive targets for cyber espionage operations because they control large volumes of sensitive communications and infrastructure.

By infiltrating telecom networks, attackers may gain the ability to:

  • Monitor communications traffic
  • Track individuals or organizations
  • Collect strategic intelligence
  • Pivot into other critical sectors

Security researchers warn that such campaigns often aim for long-term intelligence gathering rather than immediate disruption.

Security Recommendations

Organizations operating telecommunications infrastructure should take steps to reduce exposure to advanced threats:

  • Patch and update Windows Server and Exchange systems
  • Monitor for DLL side-loading activity
  • Detect unusual scheduled tasks or registry persistence
  • Inspect Linux systems for unknown ELF binaries
  • Monitor edge devices for brute-force scanning activity

Continuous monitoring and threat intelligence integration remain essential to detect advanced persistent threats.