Introduction
UAT-9244 is a China-nexus APT actor, disclosed by Cisco Talos on March 5, 2026, assessed with high confidence as closely associated with Famous Sparrow and overlapping with Tropic Trooper. Active since 2024, it exclusively targets South American telecommunication providers, deploying three novel cross-platform malware families: TernDoor (Windows backdoor with DLL side-loading and evasion driver), PeerTime (Linux/embedded backdoor using BitTorrent for resilient C2), and BruteEntry (GoLang scanner turning edge devices into Operational Relay Boxes for SSH/Postgres/Tomcat brute-force). The campaign enables persistent access, remote command execution, lateral movement, and infrastructure relay via unified C2 with shared SSL certificates and domains like bloopencil.net.
Activities and Tactics
Country of Origin: 🇨🇳 China
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Backdoor.Oldrea
- China Chopper
- RemoteCMD
- Remote Utilities
- Windows Remote Desktop
- RemotePC
- CrossRat
Attribution and Evidence
Country of Origin: China Additional attribution information pending cataloguing.
References
References pending cataloguing.