China-linked UAT-9244 used TernDoor, PeerTime, and BruteEntry in South American telecom attacks

Peter Chofield

Cisco Talos says a China-linked threat actor it tracks as UAT-9244 has targeted telecommunications providers in South America since 2024, using three implants called TernDoor, PeerTime, and BruteEntry across Windows, Linux, and edge devices. Talos described the activity as closely associated with the China-linked cluster known as FamousSparrow.

According to the report, UAT-9244 focused on critical telecommunications infrastructure and used separate implants depending on the platform it had compromised. TernDoor was used on Windows systems, PeerTime targeted Linux hosts, and BruteEntry was deployed on edge devices, giving the attackers coverage across multiple layers of telecom environments.

Talos said the campaign showed an operational pattern consistent with long-term access rather than smash-and-grab disruption. The researchers tied the activity to China-linked espionage based on tooling overlaps, tradecraft, and infrastructure relationships that they say connect UAT-9244 to FamousSparrow.

The South American intrusions add to a broader pattern of telecom-focused cyber espionage that Cyberwarzone has covered before, including the China-linked UNC3886 campaign targeting a Singapore telecom provider and the Volt Typhoon pre-positioning campaign against critical infrastructure.

Talos said the operation has been active since 2024, which indicates the attackers maintained access over an extended period while moving across different device types inside targeted telecom networks. The report did not describe the activity as a ransomware or destructive campaign, but as an espionage operation aimed at persistent access and intelligence collection.