Chinese state hackers target telcos with new malware toolkit

In a chilling revelation that underscores the escalating cyber warfare between global powers, Cisco Talos researchers have uncovered a sophisticated campaign by Chinese state-backed hackers targeting telecommunications providers across South America. The advanced persistent threat (APT) group, tracked as UAT-9244, has been systematically compromising Windows, Linux, and network-edge devices since 2024, deploying a trio of previously undocumented malware families designed to infiltrate and maintain persistent access to critical telecom infrastructure.

The Digital Battlefield Expands

The telecommunications sector has become ground zero in the invisible war being waged in cyberspace. These networks form the backbone of modern communication, carrying everything from personal phone calls to sensitive government communications. When state-sponsored actors compromise these systems, the implications extend far beyond simple data theft—they gain the ability to intercept communications, disrupt services, and potentially monitor entire populations.

UAT-9244 operates with the sophistication and resources typically associated with nation-state actors. Cisco Talos researchers have linked the group to the notorious FamousSparrow and Tropic Trooper hacker collectives, though they maintain it as a distinct activity cluster. The assessment carries high confidence, based on matching tooling, tactics, techniques, and procedures (TTPs), as well as similar victimology patterns.

While UAT-9244 shares the same target profile as the infamous Salt Typhoon group, researchers couldn’t establish a definitive connection between the two clusters. This suggests either parallel operations by different Chinese state entities or a deliberate effort to compartmentalize cyber operations.

The Three-Pronged Attack: A Closer Look

What makes this campaign particularly concerning is the deployment of three custom-built malware families, each designed for specific environments and purposes. This multi-vector approach demonstrates careful planning and deep understanding of telecom infrastructure.

TernDoor: The Windows Infiltrator

TernDoor represents a masterclass in Windows exploitation. The malware employs DLL side-loading, a technique that abuses legitimate Windows processes to execute malicious code. In this case, the attackers use the legitimate executable wsprint.exe to load malicious code from BugSplatRc64.dll, which then decrypts and executes the final payload in memory, injected into msiexec.exe.

The sophistication doesn’t stop there. TernDoor includes an embedded Windows driver, WSPrint.sys, which provides low-level system access for terminating, suspending, and resuming processes. This driver-level access allows the malware to operate with elevated privileges, making detection and removal significantly more challenging.

Persistence is achieved through multiple mechanisms, including scheduled tasks and Windows Registry modifications. The attackers even use Registry modifications to hide the scheduled task from standard detection methods. Once established, TernDoor can execute remote shell commands, run arbitrary processes, read and write files, collect system information, and even self-uninstall when necessary—leaving minimal forensic traces.
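As an added example (not code from Cisco Talos or this article), the chain described above can be surfaced from endpoint telemetry: an unsigned DLL loaded from the host process's own non-system directory, a driver loaded from an unusual path, and msiexec.exe spawned by the side-loading process. The events are constructed Sysmon-style records, and the C:\Users\Public drop path is an assumption.

```python
import ntpath

# Directories from which loading a DLL or driver is expected (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)

def sideload_alerts(events):
    """Return alert strings for a TernDoor-style chain: an unsigned DLL loaded
    from the host process's own non-system directory, a driver loaded from a
    non-system directory, and msiexec.exe spawned by a flagged side-loader."""
    alerts, sideloaders = [], set()
    for e in events:
        if e["EventID"] == 7:                       # Sysmon ImageLoad
            exe, dll = e["Image"], e["ImageLoaded"]
            same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
            if e["Signed"] == "false" and same_dir and not in_trusted_dir(dll):
                sideloaders.add(exe.lower())
                alerts.append(f"possible DLL side-load: {exe} loaded {dll}")
        elif e["EventID"] == 6 and not in_trusted_dir(e["ImageLoaded"]):  # DriverLoad
            alerts.append(f"driver loaded from unusual path: {e['ImageLoaded']}")
    for e in events:
        if (e["EventID"] == 1                       # Sysmon ProcessCreate
                and e.get("ParentImage", "").lower() in sideloaders
                and ntpath.basename(e["Image"]).lower() == "msiexec.exe"):
            alerts.append(f"msiexec.exe spawned by side-loading parent {e['ParentImage']}")
    return alerts

# Constructed sample events; C:\Users\Public is an assumed drop location.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\wsprint.exe",
     "ImageLoaded": r"C:\Users\Public\BugSplatRc64.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\WSPrint.sys"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Users\Public\wsprint.exe"},
]

if __name__ == "__main__":
    for alert in sideload_alerts(SAMPLE_EVENTS):
        print(alert)
```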

PeerTime: The Linux Network Infiltrator

PeerTime takes a different approach, targeting Linux-based systems and network devices commonly found in telecom environments. Written as an ELF Linux backdoor, PeerTime supports multiple architectures including ARM, AARCH, PPC, and MIPS, indicating it was designed to compromise a broad range of embedded systems.

The malware exists in two variants: one written in C/C++ and another based on Rust. The presence of Simplified Chinese debug strings in the instrumentor binary provides a clear indicator of its origin. PeerTime’s most distinctive feature is its use of the BitTorrent protocol for command-and-control (C2) communications, allowing it to blend into legitimate peer-to-peer network traffic.

The installation process involves decrypting and loading the payload in memory, then renaming the process to appear legitimate. PeerTime uses BusyBox to write files on the host system and can download and execute payloads from other compromised peers, creating a resilient, distributed network of compromised devices.
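Because PeerTime hides its C2 inside BitTorrent traffic, a useful network check is to recognise the peer-wire handshake (one length byte, the string "BitTorrent protocol", 8 reserved bytes, a 20-byte info_hash and a 20-byte peer_id) and flag it whenever the source is a host that should never speak BitTorrent. This is an added example, not code from the article or Cisco Talos; the flows and the 10.50.0.0/16 infrastructure subnet are constructed.

```python
import ipaddress
import struct

BT_PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(BT_PSTR) + 8 + 20 + 20   # 68 bytes

def parse_handshake(data):
    """Return (info_hash_hex, peer_id) if data starts with a BT handshake, else None."""
    if len(data) < HANDSHAKE_LEN or data[0] != len(BT_PSTR):
        return None
    if data[1:20] != BT_PSTR:
        return None
    _reserved, info_hash, peer_id = struct.unpack(">8s20s20s", data[20:68])
    return info_hash.hex(), peer_id

# Subnet in which no legitimate BitTorrent client is expected (assumption).
INFRA_NET = ipaddress.ip_network("10.50.0.0/16")

def flag_infra_bittorrent(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_payload_bytes)."""
    hits = []
    for src, dst, port, payload in flows:
        hs = parse_handshake(payload)
        if hs and ipaddress.ip_address(src) in INFRA_NET:
            hits.append({"src": src, "dst": dst, "port": port,
                         "info_hash": hs[0], "peer_id": hs[1]})
    return hits

def make_handshake(info_hash, peer_id):
    """Build a well-formed handshake; used only to construct sample traffic."""
    return bytes([len(BT_PSTR)]) + BT_PSTR + b"\x00" * 8 + info_hash + peer_id

# Constructed flows: an infra host and a user host doing BT, and a TLS hello.
SAMPLE_FLOWS = [
    ("10.50.3.7", "203.0.113.9", 6881, make_handshake(b"\x11" * 20, b"-XX0001-" + b"a" * 12)),
    ("192.168.1.20", "198.51.100.4", 6881, make_handshake(b"\x22" * 20, b"-XX0002-" + b"b" * 12)),
    ("10.50.3.8", "203.0.113.10", 443, b"\x16\x03\x01\x00\xa5"),
]

if __name__ == "__main__":
    for hit in flag_infra_bittorrent(SAMPLE_FLOWS):
        print(hit)
```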

BruteEntry: Building the Botnet Army

The final piece of the puzzle, BruteEntry, serves a crucial role in expanding the attacker’s reach. This Go-based malware consists of an instrumentor binary and a brute-forcing component that transforms compromised devices into scanning nodes, known as Operational Relay Boxes (ORBs).

BruteEntry’s primary function is to scan for new targets and brute-force access to commonly used services including SSH, Postgres, and Tomcat. The malware systematically attempts to gain unauthorized access to these services, and successful login attempts are reported back to the C2 server along with task status and notes.

This creates a cascading effect where each compromised device becomes a launching point for further attacks, rapidly expanding the attacker’s footprint across telecom networks. The use of Go for BruteEntry suggests the attackers prioritized cross-platform compatibility and ease of deployment.
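The three services named above leave failed-login traces in different logs, and a node that is brute-forcing all of them stands out when those failures are counted per source address rather than per service. The following added example (not code from the article or Cisco Talos) does that over constructed sshd, PostgreSQL and Tomcat access-log lines; it assumes PostgreSQL's log_line_prefix includes the client address (%h), and it counts failures without a time window, which a production rule would add.

```python
import re
from collections import defaultdict

# One failed-login pattern per service; each captures the client IP.
PATTERNS = {
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)"),
    "postgres": re.compile(r"\] (\d+\.\d+\.\d+\.\d+) FATAL:\s+password authentication failed"),
    "tomcat": re.compile(r'^(\d+\.\d+\.\d+\.\d+) .* "(?:GET|POST) /manager/\S* HTTP/1\.\d" 401 '),
}

def classify(line):
    """Return (service, source_ip) for a failed-login line, else None."""
    for svc, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            return svc, m.group(1)
    return None

def detect_bruteforcers(lines, threshold=5):
    """Map each source IP with >= threshold failures to the sorted services it hit."""
    counts, services = defaultdict(int), defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            svc, ip = hit
            counts[ip] += 1
            services[ip].add(svc)
    return {ip: sorted(services[ip]) for ip, n in counts.items() if n >= threshold}

# Constructed log lines: one scanning node hitting all three services,
# plus a single unrelated SSH failure from another address.
SAMPLE_LINES = [
    "Jan 12 03:14:15 tel-gw sshd[1234]: Failed password for invalid user admin from 10.50.3.7 port 51234 ssh2",
    "Jan 12 03:14:16 tel-gw sshd[1234]: Failed password for root from 10.50.3.7 port 51235 ssh2",
    '2025-01-12 03:14:17 UTC [5678] 10.50.3.7 FATAL:  password authentication failed for user "postgres"',
    '2025-01-12 03:14:18 UTC [5679] 10.50.3.7 FATAL:  password authentication failed for user "admin"',
    '10.50.3.7 - - [12/Jan/2025:03:14:19 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.50.3.7 - - [12/Jan/2025:03:14:20 +0000] "POST /manager/html HTTP/1.1" 401 2473',
    "Jan 12 03:20:00 tel-gw sshd[1300]: Failed password for ops from 198.51.100.4 port 40000 ssh2",
    '198.51.100.4 - - [12/Jan/2025:03:21:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(detect_bruteforcers(SAMPLE_LINES))
```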

The Bigger Picture: State-Sponsored Cyber Operations

This campaign represents more than just another data breach—it’s part of a broader pattern of state-sponsored cyber operations targeting critical infrastructure. Telecommunications networks are particularly attractive targets because they provide visibility into communications traffic, can be used for espionage, and offer potential disruption capabilities during geopolitical conflicts.

The sophistication of the malware, the careful targeting of telecom providers in South America, and the use of multiple custom-built tools all point to significant resources and planning. This wasn’t an opportunistic attack but a carefully orchestrated campaign likely aimed at establishing long-term access to communications infrastructure.

Defending Against the Threat

Cisco Talos has published a comprehensive technical report detailing the capabilities of all three malware families, their deployment methods, and persistence mechanisms. The researchers have also provided indicators of compromise (IoCs) that defenders can use to detect and block these attacks.

Organizations in the telecom sector should be particularly vigilant, implementing the recommended detection and mitigation strategies. This includes monitoring for the specific IoCs provided, implementing network segmentation to limit lateral movement, and maintaining up-to-date security patches on all systems.

The discovery of UAT-9244’s activities serves as a stark reminder that the cybersecurity landscape continues to evolve, with state-sponsored actors developing increasingly sophisticated tools to target critical infrastructure. As our world becomes more connected, the importance of securing these foundational networks cannot be overstated.


Tags: China hacking, telco security, UAT-9244, FamousSparrow, Tropic Trooper, state-sponsored malware, telecommunications security, Cisco Talos, TernDoor, PeerTime, BruteEntry, operational relay boxes, ORBs, DLL side-loading, BitTorrent malware, Linux backdoors, Windows malware, South America cyber attacks, APT groups, cyber warfare, critical infrastructure security
