Skip to main content
Mallory
Back to threat actors
4 malware families

UAT-9244

Also known asuat_9244

UAT-9244 is a China-nexus advanced persistent threat actor disclosed by Cisco Talos and assessed with high confidence to be closely associated with FamousSparrow, with reported overlap with Tropic Trooper. Since 2024, the cluster has targeted critical telecommunications infrastructure and telecommunications providers in South America, operating across Windows systems, Linux systems, and network edge devices. Reporting attributes the campaign to three malware families: TernDoor, PeerTime, and BruteEntry. TernDoor is a Windows backdoor described as a CrowDoor/SparrowDoor-lineage implant delivered via DLL sideloading, including use of wsprint.exe and a malicious BugSplatRc64.dll loader to decrypt and execute the payload in memory, with observed injection into msiexec.exe. Reported TernDoor capabilities include remote command execution, file read/write, system information collection, persistence via a scheduled task and Registry Run key, and use of an embedded Windows driver to suspend, resume, or terminate processes. PeerTime is a Linux ELF backdoor, with C/C++ and Rust variants, compiled for multiple architectures including ARM, AArch64, MIPS, and PowerPC, and uses BitTorrent-based peer-to-peer communications to retrieve tasking and payloads. Associated tooling reportedly contains Simplified Chinese debug strings. BruteEntry is a Go-based brute-force scanner used to turn compromised edge devices into Operational Relay Boxes (ORBs) for scanning and brute-forcing SSH, PostgreSQL, and Apache Tomcat services and returning valid credentials to attacker infrastructure. The reporting states UAT-9244 is focused on maintaining persistent access to telecom environments and communications infrastructure. Cisco Talos explicitly stated it could not establish a solid connection between UAT-9244 and Salt Typhoon.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

43 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics70 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
TA0042
Resource Development
1 technique
T1584
Compromise Infrastructure
T1584.004
Server
TA0001
Initial Access
3 techniques
T1078
Valid Accounts
T1133
External Remote Services
T1190×3
Exploit Public-Facing Application
TA0002
Execution
6 techniques
T1053×2
Scheduled Task/Job
T1053.003
Cron
T1053.005×5
Scheduled Task
T1059×3
Command and Scripting Interpreter
T1129
Shared Modules
T1569
System Services
T1569.002
Service Execution
T1574
Hijack Execution Flow
T1574.001
DLL
T1609
Container Administration Command
TA0003
Persistence
6 techniques
T1053×2
Scheduled Task/Job
T1053.003
Cron
T1053.005×5
Scheduled Task
T1078
Valid Accounts
T1133
External Remote Services
T1505
Server Software Component
T1505.003×2
Web Shell
T1543
Create or Modify System Process
T1543.003
Windows Service
T1547
Boot or Logon Autostart Execution
T1547.001×7
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
6 techniques
T1053×2
Scheduled Task/Job
T1053.003
Cron
T1053.005×5
Scheduled Task
T1055×5
Process Injection
T1068
Exploitation for Privilege Escalation
T1078
Valid Accounts
T1543
Create or Modify System Process
T1543.003
Windows Service
T1547
Boot or Logon Autostart Execution
T1547.001×7
Registry Run Keys / Startup Folder
TA0005
Stealth
10 techniques
T1014×2
Rootkit
T1027
Obfuscated Files or Information
T1027.002
Software Packing
T1036×4
Masquerading
T1055×5
Process Injection
T1070
Indicator Removal
T1078
Valid Accounts
T1140×4
Deobfuscate/Decode Files or Information
T1564
Hide Artifacts
T1564.001
Hidden Files and Directories
T1574
Hijack Execution Flow
T1574.001
DLL
T1620×2
Reflective Code Loading
TA0006
Credential Access
1 technique
T1110×9
Brute Force
T1110.001
Password Guessing
TA0007
Discovery
4 techniques
T1046
Network Service Discovery
T1082×4
System Information Discovery
T1083
File and Directory Discovery
T1613
Container and Resource Discovery
TA0008
Lateral Movement
2 techniques
T1021
Remote Services
T1021.004
SSH
T1570
Lateral Tool Transfer
TA0011
Command and Control
6 techniques
T1071×2
Application Layer Protocol
T1071.001
Web Protocols
T1090×3
Proxy
T1090.002
External Proxy
T1090.003×3
Multi-hop Proxy
T1095×2
Non-Application Layer Protocol
T1102
Web Service
T1102.003
One-Way Communication
T1105×3
Ingress Tool Transfer
T1573
Encrypted Channel
T1573.001
Symmetric Cryptography
ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
PeerTimeOne of the Linux payloads, known as PeerTime, supports several architectures commonly found in embedded and network infrastructure: ARM AArch64 MIPS PowerPC x8610May 24, 2026
BruteEntryBruteEntry is a Go-based brute force scanner that compromises internet-facing services and converts them into Operational Relay Boxes (ORBs) -- proxy nodes that obscure the true origin of UAT-9244's operations.9Apr 25, 2026
TernDoorUAT-9244, a China-nexus APT overlapping with FamousSparrow and Tropic Trooper, is actively targeting South American telecommunications providers with three custom malware families. We fully reversed the TernDoor Windows backdoor...9Apr 25, 2026
CrowDoorA variant of Crowdoor (itself a variant of SparrowDoor), the backdoor is said to have been put to use by UAT-9244 since at least November 2024.2Mar 6, 2026
IOCS

Observables

55 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

55 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app
linuxsecurityNews
May 22, 2026
Linux Infrastructure Attacks by FamousSparrow Exploit SSH Weaknesses

China-linked activity cluster targeting telecom and Linux infrastructure, using multi-platform malware including PeerTime to establish persistence and convert compromised systems into operational relay boxes for scanning, brute-force activity, covert communications, and lateral movement.

Read more
bitdefender blogNews
May 13, 2026
FamousSparrow APT Targets Azerbaijani Oil and Gas Industry

Activity cluster reported by Cisco Talos and linked with high confidence to FamousSparrow; associated in the content with Terndoor deployment patterns including driver-backed behavior.

Read more
security affairsNews
Mar 8, 2026
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 87

Activity cluster reported targeting South American telecommunications providers using three new malware implants.

Read more
security affairsNews
Mar 8, 2026
Security Affairs newsletter Round 566 by Pierluigi Paganini - INTERNATIONAL EDITION

Targeting South American telecommunications providers using three newly reported malware implants.

Read more
+9 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping43

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables55

Domains, IPs, and hashes tied to this actor, refreshed continuously.