New China-Linked Threat Actor 'UAT9244' Targets South American Telecoms with Custom Malware

China-Linked Group UAT9244 Targets South American Telecoms with New Malware Suite

Severity: HIGH
Published: March 9, 2026
Updated: March 10, 2026
5m read
Threat Actor, Threat Intelligence, Cyberattack

Related Entities (initial)

Threat Actors

UAT9244

Other

TernDoor, PeerTime, BruteEntry

Full Report (when first published)

Executive Summary

Security researchers have identified a sophisticated cyber-espionage campaign targeting telecommunications providers in South America. The activity is attributed to a newly designated, suspected China-linked threat actor, UAT9244. The campaign is characterized by its use of a novel, custom malware toolkit designed for long-term persistence and intelligence gathering. The toolkit includes multiple backdoors—TernDoor, PeerTime, and BruteEntry—enabling the attackers to maintain a covert presence within the critical telecom networks. This operation underscores the strategic importance of the telecommunications sector to nation-state actors for conducting surveillance and collecting sensitive intelligence.

Threat Overview

The primary objective of UAT9244 appears to be long-term espionage. By compromising telecommunications providers, a nation-state actor can gain access to vast amounts of data, including call detail records, internet traffic, and sensitive customer information. This access can be used to monitor dissidents, track foreign officials, or gather economic intelligence.

The group's custom malware toolkit demonstrates a significant investment in developing tools to evade detection:

  • TernDoor: A backdoor likely used for initial access and establishing a C2 channel.
  • PeerTime: This implant may have capabilities for lateral movement or peer-to-peer C2 communications to make the network traffic harder to trace.
  • BruteEntry: The name suggests this tool could be used for brute-forcing credentials on internal systems to expand the attackers' foothold within the network.

The use of a multi-component, undocumented malware suite indicates that UAT9244 is a capable and well-resourced threat actor, consistent with state sponsorship.

Technical Analysis

The attack likely follows a classic APT lifecycle:

  1. Initial Access: APTs targeting telecoms often use spear phishing (T1566 - Phishing) targeting network engineers or exploiting vulnerabilities in internet-facing network management systems (T1190 - Exploit Public-Facing Application).
  2. Execution & Persistence: The TernDoor backdoor is deployed to establish a foothold. Persistence is achieved through techniques like creating a new service (T1543.003 - Create or Modify System Process: Windows Service) or a scheduled task (T1053.005 - Scheduled Task/Job: Scheduled Task).
  3. Privilege Escalation & Discovery: The attackers would seek to escalate privileges to gain administrative control over key systems like billing servers, subscriber databases, and network gateways.
  4. Lateral Movement: The BruteEntry tool could be used to crack credentials for other systems, allowing the attackers to move laterally across the network. PeerTime might be used to pivot between compromised hosts within the network.
  5. Collection & Exfiltration: Once they have access to critical systems, the attackers can begin collecting data of interest. Exfiltration would be done stealthily over a long period to avoid detection, likely using encrypted C2 channels (T1041 - Exfiltrate Data Over C2 Channel).

Impact Assessment

  • National Security Risk: The compromise of a national telecommunications provider poses a grave national security risk. It allows a foreign power to monitor government communications, track military and intelligence personnel, and gain insight into a country's infrastructure.
  • Economic Espionage: The attackers can steal sensitive business information from corporate customers of the telecom provider, giving Chinese companies a competitive advantage.
  • Widespread Surveillance: The threat actor could potentially monitor the communications of millions of private citizens and residents.
  • Infrastructure Disruption: While the current focus is espionage, the access gained could be leveraged for disruptive purposes in the future, such as shutting down communications services during a crisis.

Cyber Observables for Detection

Detecting this custom malware requires behavioral analysis and threat hunting:

  • process_name (Unsigned executables running from unusual directories): Look for any unknown or unsigned binaries running in directories like C:\ProgramData\ or C:\Temp\.
  • network_traffic_pattern (Encrypted traffic to non-standard ports or unknown IPs): Monitor for persistent, low-and-slow C2 traffic from critical servers to unfamiliar IP addresses.
  • log_source (Authentication Logs): A high rate of failed logins from a single internal source host could indicate the BruteEntry tool in action.
  • file_name (terndoor.dll, peertime.exe): Specific filenames associated with the malware toolkit, if they can be identified.
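The authentication-log observable above can be turned into a concrete hunt. The following is an added example, not part of the original article: a sliding-window detector that flags an internal source host producing many failed logins against many distinct accounts. The log line format, the threshold and the window are assumptions; in practice the input would be Windows 4625 events or Linux auth logs exported from a SIEM.

```python
# Added example: sliding-window failed-login burst detection for the
# "high rate of failed logins from a single internal source host" observable.
# Line format, threshold and window are assumptions for this demonstration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <result> user=<u> src=<internal host>"
SAMPLE_AUTH_LOG = """\
2026-03-09T02:00:01 FAIL user=admin src=10.20.5.17
2026-03-09T02:00:02 FAIL user=backup src=10.20.5.17
2026-03-09T02:00:02 FAIL user=svc_billing src=10.20.5.17
2026-03-09T02:00:03 FAIL user=root src=10.20.5.17
2026-03-09T02:00:04 FAIL user=oper src=10.20.5.17
2026-03-09T02:00:05 FAIL user=noc src=10.20.5.17
2026-03-09T02:30:00 FAIL user=jsmith src=10.20.7.42
2026-03-09T02:31:00 OK   user=jsmith src=10.20.7.42
2026-03-09T09:15:10 FAIL user=alice src=10.20.9.3
"""

def parse_auth_line(line):
    """Return (timestamp, result, user, src) for one constructed log line."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source hosts with >= threshold failures inside any `window` span.

    Returns {src: (window_start, distinct_users)}. Many distinct usernames from
    one host is the password-spraying shape the article associates with BruteEntry.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) within the window
    hits = {}
    for line in log_text.splitlines():
        ts, result, user, src = parse_auth_line(line)
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:              # keep the latest view of the burst
            hits[src] = (q[0][0], len({u for _, u in q}))
    return hits

if __name__ == "__main__":
    for src, (start, users) in detect_failed_login_bursts(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {src}: burst from {start:%H:%M:%S}, {users} distinct users")
```

A single user failing once and then succeeding (10.20.7.42) is deliberately below the threshold, so the detector separates a typo from a spray.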

Detection & Response

  1. Network Traffic Analysis: Given the target, analyzing NetFlow and DNS traffic is critical. Look for anomalous patterns, such as internal servers communicating with external IPs for the first time or using non-standard protocols. This is a core function of Network Traffic Analysis (D3-NTA).
  2. Endpoint Behavioral Analysis: Deploy EDR on critical servers to detect suspicious behaviors like process injection, credential dumping, and the execution of unsigned code. This aligns with Process Analysis (D3-PA).
  3. Threat Intelligence Integration: Integrate threat intelligence feeds that track Chinese APT activity into your SIEM and security controls to get early warning of known IOCs and TTPs.
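The first-contact heuristic from the network traffic analysis step, as an added example that is not from the article: internal-to-external flows are scored against a baseline of previously seen (source, destination) pairs and a list of expected outbound ports. The flow record layout, the RFC 1918 definition of "internal", the baseline period and the port list are assumptions for this demonstration.

```python
# Added example: first-contact scoring over NetFlow-style records, for the
# "internal servers communicating with external IPs for the first time or
# using non-standard protocols" heuristic. Record layout, the internal ranges,
# the baseline and the expected-port list are assumptions.
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_PORTS = {53, 80, 123, 443}   # assumed "normal" outbound service ports

# Constructed flows: (src_ip, dst_ip, dst_port, bytes). BASELINE_FLOWS is the
# assumed known-good period; NEW_FLOWS is the period being hunted.
BASELINE_FLOWS = [
    ("10.20.5.17", "203.0.113.10", 443, 5200),
    ("10.20.5.17", "198.51.100.8", 53, 120),
    ("10.20.9.3", "203.0.113.10", 443, 4100),
]
NEW_FLOWS = [
    ("10.20.5.17", "203.0.113.10", 443, 6100),   # seen before, expected port
    ("10.20.5.17", "192.0.2.77", 8443, 900),     # new peer AND unusual port
    ("10.20.9.3", "198.51.100.8", 53, 130),      # new peer, expected port
    ("10.20.9.3", "10.20.9.4", 4444, 70000),     # internal-to-internal: out of scope here
]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def build_baseline(flows):
    """Set of (src, dst) pairs an internal host has previously talked to externally."""
    return {(s, d) for s, d, _, _ in flows if is_internal(s) and not is_internal(d)}

def first_contact_alerts(flows, baseline):
    """Return (src, dst, port, score) for outbound flows with a new peer or odd port.

    score 2 = new peer on a non-standard port (strongest C2 candidate), 1 = one of the two.
    """
    alerts = []
    for src, dst, port, _ in flows:
        if not is_internal(src) or is_internal(dst):
            continue   # only internal -> external flows are scored
        new_peer = (src, dst) not in baseline
        odd_port = port not in EXPECTED_PORTS
        score = int(new_peer) + int(odd_port)
        if score:
            alerts.append((src, dst, port, score))
    return alerts

if __name__ == "__main__":
    for src, dst, port, score in first_contact_alerts(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"score={score} {src} -> {dst}:{port}")
```

Low-and-slow C2 tends to surface as a score-2 hit that recurs over days; recording the alert tuple per day rather than suppressing repeats keeps that pattern visible.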

Mitigation

  • Network Segmentation: Strictly segment networks. Core network infrastructure (e.g., SGSN, GGSN in a mobile network) should be highly isolated from IT and corporate networks.
  • Privileged Access Management (PAM): Strictly control and monitor access to critical systems. All administrative access should require MFA and be logged and reviewed.
  • Patch Management: Telecoms run a wide variety of network equipment and software. A rigorous patch management program is essential to reduce the attack surface.
  • Application Whitelisting: On critical servers, use application whitelisting to prevent the execution of any unauthorized software, including the custom malware used by UAT9244. This is a key part of Executable Allowlisting (D3-EAL).

Timeline of Events

  1. March 9, 2026: This article was published

Article Updates

March 10, 2026

New details on UAT-9244's campaign reveal it has been active since 2024, overlaps with FamousSparrow, and uses platform-specific malware with advanced C2 techniques such as BitTorrent.

MITRE ATT&CK Mitigations

Strictly segment telecommunications network infrastructure from corporate IT environments to prevent lateral movement.

Heavily restrict and monitor administrative access to critical network elements and servers.

Use application control on critical servers to prevent unknown malware from executing.

Deploy network monitoring to detect anomalous traffic patterns indicative of C2 communications or lateral movement.

Sources & References (when first published)

MSP cybersecurity news digest, March 9, 2026
Acronis (acronis.com) March 9, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

APT, China, Espionage, Telecommunications, Malware, UAT9244
