UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity

Malware Activity

Summary

A China-linked malware cluster has been using TernDoor, PeerTime, and BruteEntry to compromise telecommunication providers in South America and turn infected systems into access and scanning infrastructure. The toolkit combines Windows and Linux backdoors with BitTorrent C2, DLL side-loading, and brute-force access attempts against SSH, Postgres, and Tomcat. That matters because the operation can sustain persistence, expand footholds, and spread across network-edge devices.

Related Happenings

Deed RAT and TernDoor multi-wave deployment

Malware Activity
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: A **multi-wave malware deployment** delivered **Deed RAT (Snappybee)** and **TernDoor** into an **Azerbaijani oil and gas company** across **three waves**, creating repeated footh...

macOS LOTL detection and hardening guidance against native-tool abuse

Defensive Guidance
First: 22.04.2026 19:30 Last: 22.04.2026 19:30 Sources 1

About this happening: Defensive guidance now pushes **macOS** security teams to detect native-tool abuse by shifting toward **process lineage analysis**, because attackers are using built-in features t...

RondoDox botnet expands mining and DDoS capabilities

Malware Activity
First: 16.04.2026 20:52 Last: 16.04.2026 20:52 Sources 1

About this happening: **RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...

Telnyx package WAV-hidden credential-stealing malware

Malware Activity
First: 27.03.2026 23:13 Last: 27.03.2026 23:13 Sources 1

About this happening: The malicious **Telnyx** package releases **4.87.1** and **4.87.2** delivered **credential-stealing malware** to the systems that imported them, putting **Linux, macOS, and Windows** environmen...

UAT-9244 South America telecom targeting campaign

Campaign
First: 06.03.2026 01:19 Last: 06.03.2026 01:19 Sources 1

How related: A China-linked advanced persistent threat actor tracked as UAT-9244 has been targeting telecommunication service providers in South America since 2024, compromising Windows, Linux, and network-edge devices.

About this happening: UAT-9244 is a China-linked campaign targeting telecommunication providers in South America since 2024. It compromises Windows, Linux, and edge devices to expand access across tele...

Latest development: 06.03.2026 10:22

The first documented phase centers on **TernDoor** targeting **Windows** hosts through **DLL side-loading** with `wsprint.exe` and `BugSplatRc64.dll`. After launch, it loads in memory and establishes persistence through a scheduled task or the Registry Run key.
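As an added detection example, not from the original page or the reporting it summarizes, the Python pass below runs over constructed Sysmon-style events and flags the chain described above: `wsprint.exe` loading `BugSplatRc64.dll` from outside an assumed trusted-directory allow-list, followed by the same process setting a Run key or spawning a scheduled-task creation. The event field names mirror Sysmon's (EventID 7 image load, 13 registry set, 1 process create) and the trusted-directory list is an assumption to be tuned per environment.

```python
import re

# Assumed allow-list of directories where a legitimate wsprint.exe/BugSplatRc64.dll
# pair would live; this is an assumption to tune per environment, not from the page.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def is_trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)

def detect_sideload_chain(events):
    """Return (pid, stage, detail) alerts. Stage 'sideload' fires when wsprint.exe
    loads BugSplatRc64.dll from an untrusted directory; the persistence stages
    fire only for a process already flagged, so the chain stays correlated."""
    alerts, sideloaded = [], set()
    for ev in events:
        eid, pid = ev["EventID"], ev.get("ProcessId")
        image = ev.get("Image", "").lower()
        if eid == 7 and image.endswith("\\wsprint.exe"):  # Sysmon 7: image loaded
            dll = ev.get("ImageLoaded", "")
            if dll.lower().endswith("\\bugsplatrc64.dll") and not is_trusted(dll):
                sideloaded.add(pid)
                alerts.append((pid, "sideload", dll))
        elif eid == 13 and pid in sideloaded:  # Sysmon 13: registry value set
            if RUN_KEY.search(ev.get("TargetObject", "")):
                alerts.append((pid, "persistence_runkey", ev["TargetObject"]))
        elif eid == 1 and ev.get("ParentProcessId") in sideloaded:  # Sysmon 1: process create
            if image.endswith("\\schtasks.exe") and "/create" in ev.get("CommandLine", "").lower():
                alerts.append((ev["ParentProcessId"], "persistence_schtask", ev["CommandLine"]))
    return alerts

# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\ProgramData\up\wsprint.exe",
     "ImageLoaded": r"C:\ProgramData\up\BugSplatRc64.dll"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\ProgramData\up\wsprint.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\ProgramData\up\wsprint.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\wsprint"},
    {"EventID": 1, "ProcessId": 5010, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\ProgramData\up\wsprint.exe"},
    {"EventID": 7, "ProcessId": 6001, "Image": r"C:\Program Files\Vendor\wsprint.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\BugSplatRc64.dll"},  # benign: trusted path
]

if __name__ == "__main__":
    for alert in detect_sideload_chain(SAMPLE_EVENTS):
        print(alert)
```

The persistence stages are deliberately gated on a prior side-load hit from the same process, so an ordinary Run-key write or schtasks invocation on its own produces no alert.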

Timeline

  1. 06.03.2026 01:19 (2 articles)

    UAT-9244 malware toolkit disclosure against South American telcos

    Initial Disclosure

    The China-linked UAT-9244 campaign has targeted telecommunication service providers in South America since 2024 and compromised Windows, Linux, and network-edge devices. The activity used TernDoor, a Windows backdoor delivered through DLL side-loading with wsprint.exe and BugSplatRc64.dll; PeerTime, a Linux P2P backdoor that uses BitTorrent C2 and BusyBox; and BruteEntry, a Go-based brute-force scanner that creates ORBs (operational relay boxes) and probes SSH, Postgres, and Tomcat.