UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity
Malware Activity
Summary
Hide ▲
Show ▼
A China-linked malware cluster has been using TernDoor, PeerTime, and BruteEntry to compromise telecommunication providers in South America and turn infected systems into access and scanning infrastructure. The toolkit combines Windows and Linux backdoors with BitTorrent C2, DLL side-loading, and brute-force access attempts against SSH, Postgres, and Tomcat. That matters because the operation can sustain persistence, expand footholds, and spread across network-edge devices.
Related Happenings
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH
Malware Activity
H score27
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
About this happening:
**Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...
UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH
Malware ActivityAbout this happening: **Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...
QuimaRAT cross-platform Java MaaS remote access trojan
Malware Activity
H score29
First: 06.07.2026 11:13
Last: 06.07.2026 11:13
Sources 1
About this happening:
A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...
QuimaRAT cross-platform Java MaaS remote access trojan
Malware ActivityAbout this happening: A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical Analysis
H score23
First: 16.06.2026 17:17
Last: 16.06.2026 17:17
Sources 1
About this happening:
**GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical AnalysisAbout this happening: **GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
SprySOCKS Windows backdoor activity against government organizations
Malware Activity
H score23
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
SprySOCKS Windows backdoor activity against government organizations
Malware ActivityAbout this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
Timeline
-
06.03.2026 01:19 2 articles · 4mo ago
UAT-9244 malware toolkit disclosure against South American telcos
Initial DisclosureA China-linked UAT-9244 campaign targeted telecommunication service providers in South America since 2024 and compromised Windows, Linux, and network-edge devices. The activity used TernDoor, a Windows backdoor delivered through DLL side-loading with wsprint.exe and BugSplatRc64.dll, PeerTime, a Linux P2P backdoor that uses BitTorrent C2 and BusyBox, and BruteEntry, a Go-based brute-force scanner that creates ORBs and probes SSH, Postgres, and Tomcat.
Show sources
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19