UAT-9244 South America telecom targeting campaign
Campaign
Summary
Hide ▲
Show ▼
UAT-9244 is a China-linked campaign targeting telecommunication providers in South America since 2024. It compromises Windows, Linux, and edge devices to expand access across telecom environments. The campaign uses three implants—TernDoor, PeerTime, and BruteEntry—along with DLL side-loading, in-memory execution, and BitTorrent-based C2 retrieval. One documented phase centers on TernDoor on Windows hosts, while BruteEntry is used on edge devices for mass-scanning proxy nodes and brute-force attempts against Postgres, SSH, and Tomcat.
Related Happenings
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor Meta
H score29
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
About this happening:
**UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor MetaAbout this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
H score36
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
CampaignAbout this happening: A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Sqgame[.]net gaming platform hit by network compromise
Incident
H score10
First: 05.05.2026 18:00
Last: 05.05.2026 18:00
Sources 1
About this happening:
The **sqgame[.]net** gaming platform was **compromised**, and its **Windows** and **Android** software were **trojanized** to deliver malicious code to users, putting a regional e...
Sqgame[.]net gaming platform hit by network compromise
IncidentAbout this happening: The **sqgame[.]net** gaming platform was **compromised**, and its **Windows** and **Android** software were **trojanized** to deliver malicious code to users, putting a regional e...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
H score28
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
UAT-8302 government-targeting campaign across South America and southeastern Europe
CampaignAbout this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
ScarCruft sqgame[.]net supply-chain espionage campaign
Campaign
H score8
First: 05.05.2026 12:07
Last: 05.05.2026 12:07
Sources 1
About this happening:
**ScarCruft**'s **late-2024** supply-chain campaign against **sqgame[.]net** expanded a niche gaming platform compromise into a **multi-platform espionage channel**. The operation...
ScarCruft sqgame[.]net supply-chain espionage campaign
CampaignAbout this happening: **ScarCruft**'s **late-2024** supply-chain campaign against **sqgame[.]net** expanded a niche gaming platform compromise into a **multi-platform espionage channel**. The operation...
Timeline
-
06.03.2026 10:22 2 articles · 4mo ago
UAT-9244 South America telecommunications targeting campaign
Initial DisclosureThe first documented phase centers on **TernDoor** targeting **Windows** hosts through **DLL side-loading** with `wsprint.exe` and `BugSplatRc64.dll`. After launch, it loads in memory and establishes persistence through a scheduled task or the Registry Run key.
Show sources
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
-
06.03.2026 01:19 2 articles · 4mo ago
UAT-9244 telecom campaign analysis and IoCs
Technical Analysis UpdateA China-linked activity cluster tracked as UAT-9244 is analyzed as targeting telecommunication service providers in South America since 2024, compromising Windows, Linux, and network-edge devices with three previously undocumented malware families: TernDoor, PeerTime, and BruteEntry. The activity uses DLL side-loading, BitTorrent-based C2, brute-force scanning against SSH, Postgres, and Tomcat, and published IoCs support early detection and blocking.
Show sources
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19