
A China-linked advanced persistent threat (APT) group, tracked as UAT-9244, has been attacking telecommunications service providers in South America since at least 2024, compromising Windows, Linux, and network-edge devices. Cisco Talos reports that the campaign uses a mix of Windows and Linux malware across enterprise endpoints and network edge devices. Review this Cybersecurity Threat Advisory to protect your clients’ environment.
What is the threat?
A China‑linked advanced persistent threat (APT) group, identified as UAT‑9244, is conducting a long‑running cyber‑espionage campaign against telecom providers in South America. The group uses three new custom malware implants, TernDoor, PeerTime, and BruteEntry, across Windows, Linux, and network‑edge devices to gain deep, persistent access to carrier networks, move laterally, and potentially monitor or disrupt communications.
Why is it noteworthy?
The campaign leverages three previously undocumented malware families:
- TernDoor is delivered via DLL side‑loading, abusing the legitimate wsprint.exe to load a malicious BugSplatRc64.dll, which decrypts and injects the final payload into msiexec.exe in memory. It includes an embedded Windows driver, WSPrint.sys, to terminate, suspend, and resume processes. Persistence is maintained through scheduled tasks and Registry changes, which also conceal the task. TernDoor supports remote shell command execution, running arbitrary processes, file read/write, system reconnaissance, and self‑uninstallation.
- PeerTime is an ELF Linux backdoor compiled for multiple architectures (ARM, AARCH, PPC, MIPS), enabling compromise of diverse embedded systems and telecom network devices. Cisco Talos identified two variants—one in C/C++ and one in Rust—with Simplified Chinese debug strings in the instrumentor binary. Its payload is decrypted and run in memory, and the process name is changed to appear benign. As a P2P backdoor, PeerTime uses the BitTorrent protocol for C2, retrieves and executes payloads from peers, and relies on BusyBox to write files to disk.
- BruteEntry consists of a Go-based instrumentor and a brute-force component that turns infected hosts into scanning nodes, or Operational Relay Boxes (ORBs). These ORBs scan for new targets and attempt to brute-force SSH, PostgreSQL, and Tomcat services, reporting login results, status, and notes back to the C2 server.
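The TernDoor loading chain above (wsprint.exe side-loading BugSplatRc64.dll, the payload injected into msiexec.exe, and the WSPrint.sys driver) can be expressed as a small hunting rule over endpoint telemetry. The following is an added example, not code from Cisco Talos or Barracuda; it runs over constructed Sysmon-style event records, and the field names (event_id, image, image_loaded, parent_image, signed) and the "trusted directory" list are assumptions chosen to resemble Sysmon ProcessCreate (1), DriverLoad (6) and ImageLoad (7) events.

```python
"""Hunt for the TernDoor side-loading chain in endpoint telemetry.

Added example (not Talos/Barracuda code). Event records are constructed
Sysmon-style dictionaries; field names are assumptions.
"""
from pathlib import PureWindowsPath

# Names taken from the advisory: the abused host binary, the side-loaded DLL,
# the in-memory injection target and the embedded driver.
HOST_BINARY = "wsprint.exe"
SIDELOADED_DLL = "bugsplatrc64.dll"
INJECT_TARGET = "msiexec.exe"
DRIVER = "wsprint.sys"

# Directories Windows normally loads system binaries from (assumption);
# a copy of the chain staged anywhere else is a stronger signal.
TRUSTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def detect_terndoor_chain(events):
    """Return a list of (rule_name, event) findings for the chain."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if (eid == 7 and _name(ev["image"]) == HOST_BINARY
                and _name(ev["image_loaded"]) == SIDELOADED_DLL):
            # wsprint.exe resolving BugSplatRc64.dll is the side-loading
            # primitive; unsigned or outside a trusted directory is worse.
            rule = "sideload"
            if (not ev.get("signed", False)
                    or _parent_dir(ev["image_loaded"]) not in TRUSTED_DIRS):
                rule = "sideload-unsigned-or-untrusted-path"
            findings.append((rule, ev))
        elif (eid == 1 and _name(ev["image"]) == INJECT_TARGET
                and _name(ev.get("parent_image", "")) == HOST_BINARY):
            # msiexec.exe normally descends from services.exe or a user
            # shell, not from a print utility.
            findings.append(("msiexec-spawned-by-wsprint", ev))
        elif eid == 6 and _name(ev["image_loaded"]) == DRIVER:
            # The advisory describes WSPrint.sys as TernDoor's process-control
            # driver; triage any load of that name by signer and path.
            findings.append(("driver-load-wsprint-sys", ev))
    return findings


# Constructed telemetry (not real IoCs): one benign msiexec start, then the
# three stages of the chain staged from a ProgramData directory.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event_id": 7, "image": r"C:\ProgramData\Print\wsprint.exe",
     "image_loaded": r"C:\ProgramData\Print\BugSplatRc64.dll", "signed": False},
    {"event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\ProgramData\Print\wsprint.exe"},
    {"event_id": 6, "image_loaded": r"C:\ProgramData\Print\WSPrint.sys",
     "signed": True},
]

if __name__ == "__main__":
    for rule, ev in detect_terndoor_chain(SAMPLE_EVENTS):
        print(rule, ev)
```

The three rules are deliberately independent so that a partial chain (for example only the unexpected msiexec.exe parent, if image-load logging is off) still surfaces for triage; a scheduled-task or registry persistence check would be the natural fourth rule once the specific keys are known from the Talos indicators.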
What is the exposure or risk?
The primary risk is deep, long‑term compromise of core telecom infrastructure. This gives the China‑linked APT UAT‑9244 high‑privilege access to Windows, Linux, and network‑edge devices that route and manage customer traffic, putting the confidentiality and integrity of communications at risk. Attackers could potentially monitor, reroute, or tamper with voice, data, and signaling, as well as sensitive subscriber and corporate data. By turning compromised hosts into scanning and brute‑force nodes, the toolkit also enables follow‑on attacks against downstream customers and partners. In addition, the use of DLL side‑loading and BitTorrent‑based P2P command‑and‑control makes detection and eradication difficult. This increases the likelihood of prolonged, stealthy espionage and potential disruption.
What are the recommendations?
Barracuda strongly recommends taking the following actions to mitigate risk:
- Patch & harden: Ensure telecom devices and servers are updated.
- Monitor IoCs: Use Cisco Talos’ published indicators of compromise for detection.
- Network segmentation: Isolate telecom edge devices from core infrastructure.
- Behavioral monitoring: Watch for BitTorrent traffic anomalies and brute‑force scanning patterns.
- Incident readiness: Prepare for multi‑platform response — Windows, Linux, and embedded systems.
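The behavioral monitoring recommendation above maps directly onto two of the implants described earlier: PeerTime's BitTorrent-based C2 and BruteEntry's outward SSH/PostgreSQL/Tomcat brute-forcing from compromised hosts. The following is an added example, not Barracuda's or Cisco Talos' code, showing both checks over constructed flow records. The record fields (ts, src, dst, dport, outcome, payload), the Tomcat port (8080) and the thresholds are assumptions to tune per environment; the BitTorrent peer-wire handshake prefix and the bencoded DHT query/response prefixes are the protocol's standard framing.

```python
"""Behavioral checks for BitTorrent-style C2 and brute-force scanning nodes.

Added example (not Barracuda/Talos code). Flow records are constructed;
field names, port 8080 for Tomcat and all thresholds are assumptions.
"""
from collections import defaultdict

BT_HANDSHAKE = b"\x13BitTorrent protocol"            # peer-wire handshake prefix
DHT_PREFIXES = (b"d1:ad2:id20:", b"d1:rd2:id20:")     # bencoded KRPC query / response
TARGET_PORTS = {22: "ssh", 5432: "postgresql", 8080: "tomcat"}  # 8080 is an assumption


def is_bittorrent(payload):
    """True if a packet or stream prefix looks like BitTorrent peer-wire or DHT traffic."""
    return payload.startswith(BT_HANDSHAKE) or payload.startswith(DHT_PREFIXES)


def bittorrent_talkers(flows):
    """Internal sources seen emitting BitTorrent-looking payloads. On telecom
    servers and edge devices there is no legitimate reason for this, so any
    hit is worth a look rather than only volume anomalies."""
    return sorted({f["src"] for f in flows if is_bittorrent(f.get("payload", b""))})


def bruteforce_sources(flows, window=300, min_failures=10, min_targets=5):
    """Sources whose failed logins to SSH/PostgreSQL/Tomcat within a sliding
    time window reach min_failures, or that touch min_targets distinct
    host:port pairs on those services (an ORB scanning outward)."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] in TARGET_PORTS:
            by_src[f["src"]].append(f)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        targets = {(r["dst"], r["dport"]) for r in recs}
        fails = [r["ts"] for r in recs if r["outcome"] == "fail"]
        # Peak number of failures inside any window-second span.
        peak, lo = 0, 0
        for hi in range(len(fails)):
            while fails[hi] - fails[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_failures or len(targets) >= min_targets:
            flagged[src] = {
                "peak_failures": peak,
                "distinct_targets": len(targets),
                "services": sorted({TARGET_PORTS[p] for _, p in targets}),
            }
    return flagged


# Constructed flows: one normal admin login, then an internal host sweeping
# SSH across a /24, probing PostgreSQL, and opening a BitTorrent session.
SAMPLE_FLOWS = [
    {"ts": 0, "src": "10.0.1.2", "dst": "10.0.9.10", "dport": 22, "outcome": "ok"},
] + [
    {"ts": 10 * i, "src": "10.0.5.7", "dst": f"10.0.9.{10 + i}", "dport": 22, "outcome": "fail"}
    for i in range(12)
] + [
    {"ts": 130, "src": "10.0.5.7", "dst": "10.0.9.50", "dport": 5432, "outcome": "fail"},
    {"ts": 140, "src": "10.0.5.7", "dst": "203.0.113.9", "dport": 6881, "outcome": "ok",
     "payload": BT_HANDSHAKE + b"\x00" * 8},
]

if __name__ == "__main__":
    print("bittorrent talkers:", bittorrent_talkers(SAMPLE_FLOWS))
    print("brute-force sources:", bruteforce_sources(SAMPLE_FLOWS))
```

Both checks key on the source address, because the point of the BruteEntry ORB model is that the scanning host is already inside the carrier network; a hit from a server or edge device should be treated as a compromised-host investigation, not as an external scanner to block at the perimeter.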
References
For more in-depth information about the recommendations, please visit the following links:
- Chinese state hackers target telcos with new malware toolkit
- Chinese hackers target telcos in South America with new malware
- China-Nexus Hackers Attacking Telecommunication Providers With New Malware
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

