A China-linked advanced persistent threat (APT) actor has been targeting critical telecommunications infrastructure in South America since 2024, using three undocumented implants to compromise Windows, Linux and edge devices. Cisco Talos tracks the activity under the moniker UAT-9244 and describes it as closely associated with FamousSparrow, with overlaps to Salt Typhoon but no conclusive link stated.
The campaign distributes three implants: TernDoor targeting Windows, PeerTime (aka angrypeer) targeting Linux, and BruteEntry installed on network edge devices. TernDoor is deployed via DLL side-loading, using wsprint[.]exe to launch a rogue DLL. PeerTime is a Linux backdoor that harvests C2 information via a BitTorrent-based mechanism and can run across several architectures. BruteEntry operates from edge devices to brute-force Postgres, SSH and Tomcat servers, reporting successful logins back to its C2.
According to Cisco Talos, the operation includes a Linux P2P backdoor and an instrumentor that checks for Docker before loading PeerTime, with a shell-script delivery chain connected to a brute-force workflow.
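For defenders, the BruteEntry behaviour described above (one device failing logins against SSH, Postgres and Tomcat, then succeeding) can be hunted by correlating authentication logs per source address. The following is an added example, not code from Cisco Talos or the original article; the function name, thresholds, sample log lines and the Postgres `log_line_prefix` layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the Talos report); 10.0.0.1 stands in for an edge device.
# Postgres lines assume a log_line_prefix that records the client host before the message.
SAMPLE_LOGS = """\
sshd[811]: Failed password for root from 10.0.0.1 port 40112 ssh2
sshd[811]: Failed password for admin from 10.0.0.1 port 40114 ssh2
sshd[811]: Accepted password for admin from 10.0.0.1 port 40120 ssh2
postgres[902]: 10.0.0.1 FATAL:  password authentication failed for user "postgres"
postgres[902]: 10.0.0.1 FATAL:  password authentication failed for user "app"
10.0.0.1 - - [01/Jan/2025:00:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.1 - - [01/Jan/2025:00:00:06 +0000] "GET /manager/html HTTP/1.1" 401 2473
sshd[811]: Failed password for bob from 192.0.2.7 port 51000 ssh2
"""

# (service, outcome, regex with a named "src" group for the client address)
PATTERNS = [
    ("ssh", "fail", re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<src>\S+) port")),
    ("ssh", "ok", re.compile(r"sshd\[\d+\]: Accepted password for .* from (?P<src>\S+) port")),
    ("postgres", "fail", re.compile(r"postgres\[\d+\]: (?P<src>\S+) FATAL:\s+password authentication failed")),
    ("tomcat", "fail", re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ /manager/\S* [^"]*" 401 ')),
]

def find_multiservice_bruteforce(log_text, min_failures=2, min_services=2):
    """Return sources with repeated failed logins on several service types."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> service -> failed attempts
    hits = defaultdict(set)                        # src -> services with success after failures
    for line in log_text.splitlines():
        for service, outcome, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            src = m.group("src")
            if outcome == "fail":
                fails[src][service] += 1
            elif fails[src][service] >= min_failures:
                hits[src].add(service)  # success preceded by failures: likely guessed credential
            break
    report = {}
    for src, per_service in fails.items():
        noisy = sorted(s for s, n in per_service.items() if n >= min_failures)
        if len(noisy) >= min_services:
            report[src] = {"services": noisy, "compromised": sorted(hits[src])}
    return report

if __name__ == "__main__":
    print(find_multiservice_bruteforce(SAMPLE_LOGS))
```

A source listed under `compromised` warrants credential rotation on the affected service, and when that source is an internal router or gateway, the device itself should be examined.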