StratosAlly – Cybersecurity for digital safety

China-Linked Hackers Target South American Telecom Networks With New Malware Tools


admin4023


Since 2024, a China-linked hacking group has been quietly picking the locks of telecommunications providers across South America. Cisco Talos researchers recently pulled the curtain back on this operation, which is being run by a group they call UAT-9244. This crew is essentially the “next of kin” to high-profile espionage clusters like FamousSparrow and Tropic Trooper, and they’ve brought a specialized toolkit to the table to ensure they can stay inside these networks for a long, long time. Although their tactics are the same as Salt Typhoon’s, there is no evidence that the two groups are linked.

The hackers aren’t just looking for a quick payout; they’re playing the long game of digital surveillance. They’ve deployed a trio of previously unknown malware families—TernDoor, PeerTime, and BruteEntry—each with a specific job. TernDoor is the anchor for Windows systems, using a clever trick called DLL side-loading to sneak past defenses and give the hackers direct remote control inside the network.

PeerTime is the stealth specialist; it targets Linux and embedded devices like routers and uses the BitTorrent protocol to hide its communications, making it look like normal peer-to-peer traffic rather than an implant talking to a command-and-control server. Finally, there’s BruteEntry, which acts like a scout. It turns compromised devices into “Operational Relay Boxes” that scan the rest of the internet for more victims, specifically trying to force its way into SSH and database servers.
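The two behaviours just described, BitTorrent-disguised command traffic and SSH password guessing, translate into simple network-side checks. The script below is an added example written for this post; it is not code from Cisco Talos, from the malware, or from any product. The subnet it treats as “infrastructure” (10.250.0.0/16), the thresholds, and every packet and log line are constructed for the demonstration.

```python
"""Defender-side checks modelled on the two behaviours above (constructed example).

1. A BitTorrent peer-wire handshake sent *from* a router or other edge device:
   the protocol is legitimate, the sender is not.
2. A burst of failed SSH logins from one source in sshd log lines.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# BitTorrent peer-wire handshake layout:
# <pstrlen=19><"BitTorrent protocol"><8 reserved><20-byte info_hash><20-byte peer_id>
BT_PSTR = b"BitTorrent protocol"
BT_HANDSHAKE_LEN = 1 + len(BT_PSTR) + 8 + 20 + 20  # 68 bytes

# Assumption for this example: subnet holding routers/edge devices, where P2P has no business use.
INFRA_NETS = [ipaddress.ip_network("10.250.0.0/16")]


def is_bittorrent_handshake(payload: bytes) -> bool:
    """True when a TCP payload begins with a well-formed BitTorrent handshake."""
    return (
        len(payload) >= BT_HANDSHAKE_LEN
        and payload[0] == len(BT_PSTR)
        and payload[1:1 + len(BT_PSTR)] == BT_PSTR
    )


def flag_p2p_from_infrastructure(flows):
    """Return (src, dst) pairs where an infrastructure host initiates a BitTorrent handshake.

    flows: iterable of (src_ip, dst_ip, first_payload_bytes).
    """
    hits = []
    for src, dst, payload in flows:
        src_ip = ipaddress.ip_address(src)
        if is_bittorrent_handshake(payload) and any(src_ip in net for net in INFRA_NETS):
            hits.append((src, dst))
    return hits


# Matches the standard OpenSSH failure line; "invalid user" appears for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def flag_ssh_bruteforce(lines, threshold=5, window_seconds=60, year=2024):
    """Return source IPs with >= threshold failed SSH logins inside any window_seconds span."""
    per_ip = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        per_ip[m["ip"]].append(ts)

    offenders = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return sorted(offenders)


# ---- constructed sample input (not captured traffic or real logs) ----
HANDSHAKE = b"\x13" + BT_PSTR + bytes(8) + b"A" * 20 + b"B" * 20
SAMPLE_FLOWS = [
    ("10.250.3.7", "203.0.113.50", HANDSHAKE),          # router speaking BitTorrent: flag
    ("10.20.1.5", "203.0.113.50", HANDSHAKE),           # user workstation: not in scope
    ("10.250.3.8", "203.0.113.9", b"GET / HTTP/1.1\r\n"),  # router, but not BitTorrent
]
SAMPLE_LOG = [
    "Mar 13 10:15:01 edge-gw sshd[2211]: Failed password for root from 198.51.100.23 port 51112 ssh2",
    "Mar 13 10:15:02 edge-gw sshd[2212]: Failed password for admin from 192.0.2.10 port 40001 ssh2",
    "Mar 13 10:15:04 edge-gw sshd[2213]: Failed password for invalid user oracle from 198.51.100.23 port 51113 ssh2",
    "Mar 13 10:15:07 edge-gw sshd[2214]: Failed password for root from 198.51.100.23 port 51114 ssh2",
    "Mar 13 10:15:10 edge-gw sshd[2215]: Failed password for invalid user postgres from 198.51.100.23 port 51115 ssh2",
    "Mar 13 10:15:13 edge-gw sshd[2216]: Failed password for root from 198.51.100.23 port 51116 ssh2",
    "Mar 13 10:15:16 edge-gw sshd[2217]: Failed password for root from 198.51.100.23 port 51117 ssh2",
    "Mar 13 10:16:00 edge-gw sshd[2218]: Accepted publickey for ops from 192.0.2.44 port 40100 ssh2",
    "Mar 13 10:30:00 edge-gw sshd[2300]: Failed password for admin from 192.0.2.10 port 40002 ssh2",
]


def demo():
    """Run both checks over the constructed samples."""
    return {
        "p2p_from_infra": flag_p2p_from_infrastructure(SAMPLE_FLOWS),
        "ssh_bruteforce": flag_ssh_bruteforce(SAMPLE_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

The BitTorrent check deliberately keys on the sender rather than the protocol: blocking BitTorrent outright would be noisy on a telecom network, but a router or other edge device initiating a peer-wire handshake is the kind of anomaly the PeerTime description points to. The SSH check is a sliding window rather than a raw count, so a slow trickle of failures over a day does not trip it while a burst from one source does.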

What makes this campaign particularly chilling is its focus on “edge devices”—the hardware that sits on the perimeter of a network. These devices are often harder to monitor than a standard office laptop, allowing the hackers to maintain a “persistent presence” while they monitor sensitive data flowing through South American infrastructure. While there is no direct link to Salt Typhoon (the group recently blamed for massive U.S. telecom breaches), the tactics are nearly identical. Researchers even found “smoking gun” evidence in the form of debug strings written in Simplified Chinese within the malware, leaving little doubt about where these attacks originated.

