
The operation underscores a growing threat to critical telecom infrastructure, demanding heightened detection and mitigation strategies across the industry.
The emergence of UAT‑9244 reflects a strategic shift in Chinese state‑sponsored cyber activity toward the backbone of communications networks. By focusing on telecom operators in South America, the group exploits a region where security maturity varies and supply‑chain exposure is high. The linkage to known clusters such as FamousSparrow and Tropic Trooper suggests shared resources and expertise, yet the distinct tooling indicates a dedicated effort to infiltrate network‑edge devices that manage massive data flows.
Technical analysis reveals a sophisticated toolkit designed for persistence and stealth. TernDoor’s DLL side‑loading via the legitimate wsprint.exe binary bypasses many heuristic detections, while its embedded driver enables granular process control. PeerTime’s cross‑architecture ELF binaries, written in both C/C++ and Rust, extend its reach to the ARM, AARCH, PPC, and MIPS platforms common in telecom hardware. Its BitTorrent‑based command‑and‑control channel complicates traffic analysis, as peer traffic blends with legitimate file‑sharing patterns. BruteEntry transforms compromised assets into Operational Relay Boxes, automating credential‑spraying against SSH, Postgres, and Tomcat services, thereby amplifying the threat’s reach.
For defenders, the disclosure of indicators of compromise by Cisco Talos offers a critical early‑warning capability. Organizations should prioritize monitoring for anomalous DLL loading, unexpected ELF processes, and outbound BitTorrent traffic from network‑edge devices. Implementing strict application whitelisting, regular firmware updates, and network segmentation can reduce the attack surface. The broader implication is a reminder that state‑backed actors are investing in custom malware to compromise essential services, making proactive threat‑intel sharing and robust cyber‑hygiene indispensable for the telecom sector.
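Two of the monitoring points above, anomalous DLL loading by wsprint.exe and outbound BitTorrent traffic, can be turned into simple detection logic. The following is an added example, not code from Cisco Talos or the article: it assumes Sysmon-style image-load records (fields Image, ImageLoaded, Signed), a constructed allowlist of trusted DLL directories that must be tuned per environment, and a placeholder DLL name, since the page does not give the side-loaded DLL's filename.

```python
"""Detection helpers for the wsprint.exe side-load and BitTorrent C2 indicators."""
from pathlib import PureWindowsPath

# Directories from which wsprint.exe is expected to load DLLs.
# Constructed allowlist: tune to where the binary legitimately lives.
TRUSTED_DLL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


def is_suspicious_sideload(event: dict) -> bool:
    """Flag an image-load event (Sysmon Event ID 7 style) in which wsprint.exe
    loads a DLL from a directory outside the allowlist, or an unsigned DLL."""
    image = PureWindowsPath(event.get("Image", ""))
    if image.name.lower() != "wsprint.exe":
        return False
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.suffix.lower() != ".dll":
        return False
    untrusted_dir = str(loaded.parent).lower() not in TRUSTED_DLL_DIRS
    unsigned = str(event.get("Signed", "")).lower() != "true"
    return untrusted_dir or unsigned


# The BitTorrent peer-wire handshake begins with the length byte 19 (0x13)
# followed by the literal protocol string.
BT_HANDSHAKE = b"\x13BitTorrent protocol"


def is_bittorrent_handshake(payload: bytes) -> bool:
    """True if a TCP payload starts with the BitTorrent peer-wire handshake."""
    return payload.startswith(BT_HANDSHAKE)


def flag_events(events: list[dict]) -> list[dict]:
    """Return the image-load records that match the side-load heuristic."""
    return [e for e in events if is_suspicious_sideload(e)]


# Constructed sample records: a benign system load and a suspicious one.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wsprint.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\Updater\wsprint.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\PLACEHOLDER_SIDELOADED.dll",
     "Signed": "false"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("suspicious side-load:", hit["ImageLoaded"])
```

The BitTorrent check only matches the peer-wire handshake; DHT and uTP traffic need separate signatures, so pair it with egress rules for network-edge devices that should never speak BitTorrent at all.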