


Perceptive Security
SOC/SIEM Consultancy

Chinese state hackers target telcos with new malware toolkit
Published:
5 March 2026 at 23:19:49
Alert date:
6 March 2026 at 00:01:22
Source:
bleepingcomputer.com
Network Infrastructure, Ransomware & Malware, Critical Infrastructure, Data Breach & Exfiltration
Chinese state-sponsored threat actor UAT-9244 has been running a targeted campaign against telecommunication service providers in South America since 2024. The attackers use a new malware toolkit to compromise Windows and Linux systems as well as network-edge devices. This is an active advanced persistent threat (APT) campaign with significant implications for critical telecommunications infrastructure in the region.
Technical details
UAT-9244 deploys three new malware families:
TernDoor: Windows backdoor delivered by DLL side-loading. A wsprint.exe binary loads a malicious BugSplatRc64.dll, and the TernDoor payload then injects into msiexec.exe. The sample carries an embedded WSPrint.sys driver.
PeerTime: Linux ELF backdoor built for ARM/AARCH/PPC/MIPS, i.e. the embedded and network-edge platforms listed below. C2 communication rides on the BitTorrent protocol. Both C/C++ and Rust variants exist, and both contain Simplified Chinese debug strings.
BruteEntry: Go-based brute-force scanner that turns compromised hosts into Operational Relay Boxes (ORBs) for onward SSH, PostgreSQL and Tomcat attacks.
Persistence on Windows hosts is achieved via scheduled tasks and Registry modifications.
Mitigation steps:
Use the indicators of compromise (IoCs) published by Cisco Talos to detect and block UAT-9244 activity early. Hunt for: DLL side-loading in which wsprint.exe loads BugSplatRc64.dll, particularly from user-writable paths; remote thread creation or other injection into msiexec.exe; newly created scheduled tasks and Registry autorun changes; BitTorrent protocol traffic originating from servers or network-edge devices, where it is normally absent; and brute-force attempts against SSH, PostgreSQL and Tomcat services.
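As an added example (not code from this page, the BleepingComputer article or the Talos report), the hunting logic above expressed as a small Python script run over constructed Sysmon-style and sshd log lines. Field names follow Sysmon (EventID 7 ImageLoaded, EventID 8 CreateRemoteThread) and OpenSSH; the file paths, hostnames, IP addresses, the csrss.exe allowlist, the user-writable-path heuristic and the brute-force threshold are assumptions to tune per environment.

```python
"""Hunting the UAT-9244 tradecraft described above: a wsprint.exe ->
BugSplatRc64.dll side-load, a remote thread injected into msiexec.exe, and
SSH brute-force bursts. Every log line here is constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ntpath import basename as win_basename

# Constructed Sysmon-style events: EventID 7 = ImageLoaded, 8 = CreateRemoteThread.
SAMPLE_SYSMON = [
    # A signed BugSplat DLL beside wsprint.exe in Program Files: still worth a look.
    {"EventID": 7, "Image": r"C:\Program Files\WSPrint\wsprint.exe",
     "ImageLoaded": r"C:\Program Files\WSPrint\BugSplatRc64.dll", "Signed": "true"},
    # The side-load pattern: unsigned DLL in a user-writable directory.
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\wsprint.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\BugSplatRc64.dll", "Signed": "false"},
    # The injection step: wsprint.exe opens a thread in msiexec.exe.
    {"EventID": 8, "SourceImage": r"C:\Users\Public\Libraries\wsprint.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe"},
    # csrss.exe creating threads in other processes is normal Windows behaviour.
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe"},
]

# Constructed OpenSSH auth.log lines (TEST-NET addresses).
SAMPLE_SSHD = [
    "Mar  6 00:01:22 edge-gw sshd[4181]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar  6 00:01:24 edge-gw sshd[4183]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2",
    "Mar  6 00:01:27 edge-gw sshd[4186]: Failed password for root from 203.0.113.7 port 51041 ssh2",
    "Mar  6 00:01:29 edge-gw sshd[4190]: Failed password for invalid user postgres from 203.0.113.7 port 51055 ssh2",
    "Mar  6 00:01:33 edge-gw sshd[4194]: Failed password for invalid user tomcat from 203.0.113.7 port 51060 ssh2",
    "Mar  6 00:02:10 edge-gw sshd[4201]: Failed password for alice from 198.51.100.9 port 40210 ssh2",
    "Mar  6 00:02:40 edge-gw sshd[4205]: Accepted password for alice from 198.51.100.9 port 40211 ssh2",
]

# Assumed allowlist and path heuristics; tune these to your own environment.
KNOWN_GOOD_INJECTORS = {"csrss.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SSHD_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def _base(path):
    return win_basename(path).lower()


def check_sideload(ev):
    """EventID 7: wsprint.exe loading BugSplatRc64.dll. Any such load is
    reported; an unsigned DLL or one in a user-writable path is rated high."""
    if ev.get("EventID") != 7 or _base(ev["Image"]) != "wsprint.exe":
        return None
    if _base(ev["ImageLoaded"]) != "bugsplatrc64.dll":
        return None
    unsigned = ev.get("Signed", "").lower() != "true"
    writable = ev["ImageLoaded"].lower().startswith(USER_WRITABLE_PREFIXES)
    return ("high" if unsigned or writable else "medium", "sideload", ev["ImageLoaded"])


def check_injection(ev):
    """EventID 8: a remote thread created in msiexec.exe by another process.
    wsprint.exe as the source is the TernDoor chain; other sources get medium."""
    if ev.get("EventID") != 8:
        return None
    src, dst = _base(ev["SourceImage"]), _base(ev["TargetImage"])
    if dst != "msiexec.exe" or src == dst or src in KNOWN_GOOD_INJECTORS:
        return None
    return ("high" if src == "wsprint.exe" else "medium", "injection", f"{src} -> {dst}")


def check_ssh_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2026):
    """Flag each source IP with >= threshold failed logins inside a sliding window.
    Syslog lines carry no year, so one is assumed (the constructed data is from 2026)."""
    recent, findings = defaultdict(deque), {}
    for line in lines:
        m = SSHD_FAILED.match(line)
        if not m:
            continue  # not a failed-login line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in findings:
            findings[m["ip"]] = ("high", "ssh-bruteforce",
                                 f"{m['ip']}: {len(q)} failures in {window.seconds}s")
    return list(findings.values())


def hunt(sysmon_events, sshd_lines):
    """Run all three checks and return (severity, rule, detail) findings."""
    findings = []
    for ev in sysmon_events:
        for check in (check_sideload, check_injection):
            hit = check(ev)
            if hit:
                findings.append(hit)
    findings.extend(check_ssh_bruteforce(sshd_lines))
    return findings


if __name__ == "__main__":
    for sev, rule, detail in hunt(SAMPLE_SYSMON, SAMPLE_SSHD):
        print(f"[{sev:6}] {rule:15} {detail}")
```

The Program Files load is rated medium rather than dropped because the page gives only the DLL name, not a hash, so a legitimately installed copy cannot be told apart by name alone; in a SIEM the three checks map onto correlation rules keyed on ImageLoaded, CreateRemoteThread and per-source failed-login counts.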
Affected products:
Windows systems
Linux systems
Network-edge devices
Embedded systems
SSH services
PostgreSQL
Apache Tomcat
Telecommunication infrastructure
Related links:
https://www.bleepingcomputer.com/news/security/chinese-famoussparrow-hackers-deploy-upgraded-malware-in-attacks/
https://blog.talosintelligence.com/uat-9244/
Related CVEs:
Related threat actors:
IOCs:
wsprint.exe, BugSplatRc64.dll, WSPrint.sys, msiexec.exe (injection target), TernDoor malware family, PeerTime malware family, BruteEntry malware family, Simplified Chinese debug strings in PeerTime samples. These are file names and behavioural indicators only; file hashes and network IoCs are in the Cisco Talos report linked above.
This article was created with the assistance of AI technology by Perceptive.
