Cisco Talos links UAT-9244 to TernDoor, PeerTime, and BruteEntry attacks on South American telecoms

Peter Chofield

Cisco Talos says a China-nexus threat actor it tracks as UAT-9244 has targeted telecommunications providers in South America since at least 2024, using a toolkit that includes the TernDoor and PeerTime backdoors and a scanner Talos calls BruteEntry. The researchers said the actor maintained access across Windows, Linux, and edge devices, giving it multiple options for persistence inside victim environments.

According to Cisco Talos’ report, the activity overlaps with tradecraft previously associated with Chinese state-linked intrusion sets targeting telecom infrastructure. Talos said UAT-9244 focused on obtaining long-term access to provider networks and used a mix of custom malware, valid accounts, remote administration tools, and living-off-the-land techniques to move laterally after the initial compromise.

“The actor demonstrated a clear interest in long-term, multi-platform persistence within telecom environments.” — Cisco Talos

TernDoor and PeerTime gave the actor cross-platform persistence

Talos said TernDoor is a backdoor used to establish remote access on both Windows and Linux systems, while PeerTime provides an additional persistence and command-and-control layer. The researchers said the actor deployed the malware after gaining footholds in telecom environments, then used it to retain access, execute commands, and support follow-on intrusion activity.

The report also describes BruteEntry as a network-scanning tool used by UAT-9244 to probe internet-facing infrastructure and identify potential paths deeper into targeted networks. Talos said the actor paired the malware with valid credentials and remote management access, allowing it to blend malicious activity with legitimate administrative traffic.

Talos tied the activity to South American telecom intrusions

Cisco Talos said UAT-9244 targeted telecommunications providers in South America, a sector that remains strategically valuable because provider networks can expose subscriber information, support interception operations, and provide access to broader regional infrastructure. The researchers said the campaign demonstrates continued interest by China-linked actors in telecom targets outside the United States and Europe.

Talos did not publicly name the affected providers in the report, but said the actor’s intrusion set shows a consistent focus on stealth, persistence, and long-term access. The findings add to Cyberwarzone’s recent coverage of FortiGate appliances being used as entry points for deeper enterprise compromise and broader tracking of cross-border cyber operations affecting critical digital infrastructure.