TernDoor
TernDoor is a Windows backdoor used by the China-linked threat cluster UAT-9244, which Cisco Talos assessed overlaps with FamousSparrow and Tropic Trooper. It has been described as a new variant of the previously disclosed CrowDoor malware, with lineage tracing further back to SparrowDoor. Public reporting places its use in attacks against South American telecommunications providers since at least 2024, and in a separate multi-wave intrusion against an Azerbaijani oil and gas company in late January or early February 2026, where Bitdefender linked the broader operation to FamousSparrow with moderate-to-high confidence.
TernDoor is delivered via DLL sideloading. In telecom-targeting activity, the observed chain used the legitimate executable wsprint.exe to load a malicious BugSplatRc64.dll loader, which decrypted an encoded payload file WSPrint.dll and executed it in memory, after which the malware was injected into msiexec.exe. Reporting also describes a six-layer unpacking/decryption chain involving RC4, a SUB-XOR-ADD transform, LZNT1 decompression, header restoration, and reflective PE loading; one reported RC4 key was "qwiozpVngruhg123". In the Azerbaijani intrusion, attackers attempted to deploy TernDoor through a USOShared sideloading chain using a renamed deskband_injector64.exe binary and a malicious winmm.dll, with forensic artifacts indicating use of the Mofu loader; that attempt was reportedly blocked.
Documented capabilities include command-and-control communications, remote command execution, file read/write and manipulation, arbitrary process execution, system information gathering, and self-removal via a "-u" switch. TernDoor supports persistence through a scheduled task named WSPrint, a Registry Run key, and Windows service installation; some reporting states it modifies task-related registry keys to hide the scheduled task from standard views. It also contains or drops an AES-encrypted kernel driver, WSPrint.sys, activated as a service, which creates the device \Device\VMTool and can suspend, resume, or terminate processes. Additional reported behavior includes named-pipe communications using the format \\.\pipe\fg64s5%d for lateral movement, antivirus enumeration, OS fingerprinting, VMware detection, token manipulation, proxy traversal using CONNECT and Proxy-Authentication/SSPI, and use of a custom TLS 1.3 implementation rather than Windows SChannel.
Reported configuration and infrastructure details include HTTP POST beacon paths /3256.php?pass=356324 and /347561.php?id=4636, hardcoded authentication tokens, storage of the encrypted real C2 IPs in HKCU\Software\CLASSES\A while 127.0.0.1:443 serves as a placeholder in the binary, and AES-128-CBC encryption of C2 payloads and the embedded driver with a key derived from the password "bsy436^745vA fbw". Publicly reported indicators include live TernDoor C2 servers 154.205.154[.]82:443, 207.148.121[.]95:443, and 207.148.120[.]52:443, all presenting the same expired self-signed certificate with CN 8.8.8.8 and SHA256 fingerprint 0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8. Additional artifacts reported in connection with deployment or persistence include C:\ProgramData\WSPrint, WSPrint.exe, BugSplatRc64.dll, WSPrint.dll, WSPrint.sys, cache.dat, HKLM\SYSTEM\ControlSet001\Services\vmflt, and attempted installation of vmflt.sys in the Azerbaijani case.
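The network indicators above (beacon paths, C2 endpoints, and the shared self-signed certificate) can be matched against proxy or TLS-inspection logs without any sandbox. The following is an added example written for this page, not code from Talos, Bitdefender or Mallory: it parses constructed key=value log lines (sample values only; the 10.0.0.0/8, 198.51.100.0/24 and 203.0.113.0/24 addresses are placeholders) and reports which documented indicator each connection hits. The certificate fingerprint is treated as the strongest pivot because it survives a change of C2 IP, while the beacon path is matched independently so a new server reusing the same URI still surfaces.

```python
import re
from typing import Dict, List

# Network indicators documented in public reporting on TernDoor (Cisco Talos),
# written undefanged so they compare directly against parsed log fields.
BEACON_PATHS = {"/3256.php?pass=356324", "/347561.php?id=4636"}
C2_ENDPOINTS = {"154.205.154.82:443", "207.148.121.95:443", "207.148.120.52:443"}
CERT_SHA256 = "0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8"
CERT_CN = "8.8.8.8"

# Constructed sample log lines (not real telemetry) in a key=value shape that
# resembles a proxy / TLS-inspection export. Source and non-IOC destination
# addresses are placeholders from private and documentation ranges.
SAMPLE_LOG = [
    'ts=2026-02-03T09:14:02Z src=10.0.5.21 dst=154.205.154.82:443 method=POST '
    'uri="/3256.php?pass=356324" cert_cn=8.8.8.8 cert_sha256=' + CERT_SHA256 + ' self_signed=true',
    'ts=2026-02-03T09:14:07Z src=10.0.5.22 dst=203.0.113.5:443 method=GET '
    'uri="/index.html" cert_cn=example.com cert_sha256=' + "a" * 64 + ' self_signed=false',
    # A server not on the published list but reusing the documented beacon path.
    'ts=2026-02-03T09:15:11Z src=10.0.5.23 dst=198.51.100.7:443 method=POST '
    'uri="/347561.php?id=4636" cert_cn=198.51.100.7 cert_sha256=' + "b" * 64 + ' self_signed=true',
    # A server not on the published list but presenting the documented certificate.
    'ts=2026-02-03T09:16:40Z src=10.0.5.24 dst=203.0.113.9:443 method=GET '
    'uri="/" cert_cn=8.8.8.8 cert_sha256=' + CERT_SHA256 + ' self_signed=true',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line; quoted values lose their surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the TernDoor indicators an event matches (empty list = no match)."""
    reasons = []
    if ev.get("dst") in C2_ENDPOINTS:
        reasons.append("known_c2_endpoint")
    if ev.get("method") == "POST" and ev.get("uri") in BEACON_PATHS:
        reasons.append("beacon_path")
    if ev.get("cert_sha256", "").lower() == CERT_SHA256:
        reasons.append("c2_cert_fingerprint")
    elif ev.get("self_signed") == "true" and ev.get("cert_cn") == CERT_CN:
        # Weaker pivot: the same unusual CN on a self-signed cert, different key.
        reasons.append("self_signed_cn_8.8.8.8")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every line through the classifier and keep only the hits, in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.append({"src": ev.get("src"), "dst": ev.get("dst"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["src"]} -> {hit["dst"]}: {", ".join(hit["reasons"])}')
```

Run against the constructed lines, the clean GET to 203.0.113.5 is dropped and three connections are reported, each with the reason list that explains the match; feeding real export lines in the same key=value shape needs no other change.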
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
At some stage, remediation actions were taken and the malware was removed from at least one affected system. However, rather than abandoning the intrusion, the attackers returned to the same vulnerable Exchange server nearly a month after the initial compromise attempt. This time, instead of redeploying Deed RAT immediately, they attempted to install a different backdoor identified as Terndoor. | The process command line contained the MSExchangePowerShellAppPool argument, indicating that the attacker exploited the Exchange server via the ProxyNotShell exploit chain... ProxyNotShell (CVE-2022-41040, CVE-2022-41082) is a related exploit chain disclosed in 2022. Both allow unauthenticated attackers to execute code on unpatched Exchange servers.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
At some stage, remediation actions were taken and the malware was removed from at least one affected system. However, rather than abandoning the intrusion, the attackers returned to the same vulnerable Exchange server nearly a month after the initial compromise attempt. This time, instead of redeploying Deed RAT immediately, they attempted to install a different backdoor identified as Terndoor.
UAT-9244, a China-nexus APT overlapping with FamousSparrow and Tropic Trooper, is actively targeting South American telecommunications providers with three custom malware families. We fully reversed the TernDoor Windows backdoor...
"The first backdoor, “TernDoor,” is a new variation of the previously disclosed, Windows-based, CrowDoor malware."
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Despite remediation attempts, they repeatedly re-entered the network, deploying different backdoors in three distinct waves.
The chain of evidence includes Exchange exploitation (T1190 Exploit Public-Facing Application)... The process command line contained the MSExchangePowerShellAppPool argument, indicating that the attacker exploited the Exchange server via the ProxyNotShell exploit chain.
Execution
5 techniques
Persistence Arsenal: TernDoor deploys four independent persistence mechanisms. Method: Scheduled Task. Detail: schtasks /create /tn WSPrint /tr "C:\ProgramData\WSPrint\WSPrint.exe" /ru "SYSTEM" /sc onstart /F
MITRE ATT&CK Mapping ... Execution T1129 Shared Modules WSPrint.exe loads BugSplatRc64.dll
Persistence
5 techniques
Persistence Arsenal: TernDoor deploys four independent persistence mechanisms. Method: Scheduled Task. Detail: schtasks /create /tn WSPrint /tr "C:\ProgramData\WSPrint\WSPrint.exe" /ru "SYSTEM" /sc onstart /F
Despite remediation attempts, they repeatedly re-entered the network, deploying different backdoors in three distinct waves.
“TernDoor additionally drops a Windows driver named WSPrint.sys and activates it as a system service.”
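The persistence artifacts documented on this page (the WSPrint scheduled task created as SYSTEM, the WSPrint.sys / vmflt kernel driver services, the TaskCache SD deletion and Index=0 used to hide the task, the HKCU\Software\CLASSES\A configuration key, and the C:\ProgramData\WSPrint staging directory) are all visible in endpoint telemetry. The following is an added example written for this page, not code from Talos, Bitdefender or Mallory: a small rule set run over constructed Sysmon-like events. The event dictionaries, their field names (event, image, cmdline, target, details, path) and the sample values other than the page's own artifacts are assumptions of this example and would be mapped onto whatever your EDR or Sysmon pipeline emits.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Host artifacts documented for TernDoor in public reporting (Talos, Bitdefender).
TASK_NAME = "WSPrint"
STAGING_DIR = "C:\\ProgramData\\WSPrint\\"
C2_CONFIG_KEY = "HKCU\\Software\\CLASSES\\A\\"
DRIVER_FILES = {"wsprint.sys", "vmflt.sys"}
SERVICE_KEY = re.compile(r"\\Services\\(vmflt|WSPrint)\\", re.IGNORECASE)
TASKCACHE_KEY = re.compile(r"\\Schedule\\TaskCache\\Tree\\WSPrint\\(SD|Index)$", re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/tn\s+"?' + TASK_NAME + r'"?(\s|$)', re.IGNORECASE)

# Constructed sample events (not real telemetry), shaped loosely after Sysmon
# process, registry and file events. Benign lookalikes are included on purpose.
SAMPLE_EVENTS: List[Event] = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn WSPrint /tr "C:\ProgramData\WSPrint\WSPrint.exe" /ru "SYSTEM" /sc onstart /F'},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn NightlyBackup /tr "C:\Tools\backup.cmd" /sc daily'},
    {"event": "RegistryValueSet", "target": r"HKLM\SYSTEM\ControlSet001\Services\vmflt\ImagePath",
     "details": r"\??\C:\ProgramData\USOShared\vmflt.sys"},
    {"event": "RegistryValueSet", "target": r"HKLM\SYSTEM\ControlSet001\Services\vmflt\Type", "details": "1"},
    {"event": "RegistryValueSet", "target": r"HKLM\SYSTEM\ControlSet001\Services\Spooler\ImagePath",
     "details": r"C:\Windows\System32\spoolsv.exe"},
    {"event": "RegistryValueDelete",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WSPrint\SD"},
    {"event": "RegistryValueSet", "target": r"HKCU\Software\CLASSES\A\cfg", "details": "<encrypted blob>"},
    {"event": "FileCreate", "path": r"C:\ProgramData\WSPrint\cache.dat"},
    {"event": "FileCreate", "path": r"C:\ProgramData\Microsoft\Windows\WER\report.wer"},
]


def is_task_install(ev: Event) -> bool:
    """schtasks /create for the documented WSPrint task, whatever the trigger or account."""
    if ev.get("event") != "ProcessCreate" or not ev.get("image", "").lower().endswith("schtasks.exe"):
        return False
    cmd = ev.get("cmdline", "")
    return "/create" in cmd.lower() and TASK_NAME_RE.search(cmd) is not None


def is_driver_service_write(ev: Event) -> bool:
    """ImagePath pointing at a documented driver, or Type=1 (kernel driver), under Services\\vmflt or Services\\WSPrint."""
    target = ev.get("target", "")
    if ev.get("event") != "RegistryValueSet" or not SERVICE_KEY.search(target):
        return False
    value = ev.get("details", "").lower()
    t = target.lower()
    return (t.endswith("\\imagepath") and value.split("\\")[-1] in DRIVER_FILES) or \
           (t.endswith("\\type") and value == "1")


def is_task_hiding(ev: Event) -> bool:
    """SD value deleted or Index set to 0 under TaskCache\\Tree\\WSPrint (hides the task from schtasks / Task Scheduler)."""
    target = ev.get("target", "")
    if not TASKCACHE_KEY.search(target):
        return False
    if ev.get("event") == "RegistryValueDelete" and target.lower().endswith("\\sd"):
        return True
    return ev.get("event") == "RegistryValueSet" and target.lower().endswith("\\index") and ev.get("details") == "0"


def is_c2_config_write(ev: Event) -> bool:
    """Any value written under the HKCU\\Software\\CLASSES\\A key that holds the encrypted C2 addresses."""
    return ev.get("event") == "RegistryValueSet" and ev.get("target", "").lower().startswith(C2_CONFIG_KEY.lower())


def is_staging_file(ev: Event) -> bool:
    """File created inside the documented C:\\ProgramData\\WSPrint staging directory."""
    return ev.get("event") == "FileCreate" and ev.get("path", "").lower().startswith(STAGING_DIR.lower())


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("terndoor_task_install", is_task_install),
    ("terndoor_driver_service", is_driver_service_write),
    ("terndoor_task_hiding", is_task_hiding),
    ("terndoor_c2_config_key", is_c2_config_write),
    ("terndoor_staging_file", is_staging_file),
]


def hunt(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule each event trips, in input order."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The task-install rule keys on the task name rather than on /ru SYSTEM or /sc onstart so that a variant registering the same task with a different trigger still matches; the driver rule accepts either the ImagePath or the Type=1 write, since the two arrive as separate registry events and an EDR may drop one of them.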
Privilege Escalation
6 techniques
Persistence Arsenal: TernDoor deploys four independent persistence mechanisms. Method: Scheduled Task. Detail: schtasks /create /tn WSPrint /tr "C:\ProgramData\WSPrint\WSPrint.exe" /ru "SYSTEM" /sc onstart /F
"...launches the final payload in memory, injected into the Windows process msiexec.exe to blend in with routine system behavior."
"TernDoor... exploits a Windows driver for process resumption or termination"
“TernDoor additionally drops a Windows driver named WSPrint.sys and activates it as a system service.”
Stealth
9 techniques
Traces of this activity were found in the registry, specifically HKLM\SYSTEM\ControlSet001\Services\vmflt\Type with value 1, indicating a kernel driver service (T1014 Rootkit), and ... ImagePath ... \??\C:\ProgramData\USOShared\vmflt.sys.
MITRE ATT&CK Mapping ... Defense Evasion T1027.002 Software Packing Six-layer unpacking chain with reflective PE loading
The third wave brought back a modified Deed RAT using sentinelonepro[.]com as its command-and-control address, impersonating a well-known security vendor to avoid detection in network logs.
"...launches the final payload in memory, injected into the Windows process msiexec.exe to blend in with routine system behavior."
MITRE ATT&CK Mapping ... Defense Evasion T1070 Indicator Removal Scheduled task SD key deletion, Index=0
MITRE ATT&CK Mapping... T1140 Deobfuscate / Decode Files or Information RC4, AES-CBC, LZNT1, and Deflate decryption/decompression of Deed RAT components and plugins.
Domain ipinfo[.]io Legitimate service contacted by Wave 2 malware for network reconnaissance
In the second wave, the group deployed a backdoor called Terndoor by hijacking the legitimate deskband_injector64.exe binary.
"...decrypts and executes the final payload in memory." / "...execute it directly in memory."
Discovery
2 techniques
Lateral Movement
1 technique
MITRE ATT&CK Mapping ... Lateral Movement T1570 Lateral Tool Transfer Named pipe \\.\pipe\fg64s5%d with full C2 command set
Command and Control
5 techniques
“PeerTime… backdoor that uses the BitTorrent protocol to conduct malicious operations…”
MITRE ATT&CK Mapping ... Command and Control T1071.001 Web Protocols HTTPS POST to .php endpoints with auth tokens
MITRE ATT&CK Mapping ... Command and Control T1095 Non-Application Layer Custom TLS 1.3, BitTorrent (PeerTime)
"targeted... with the newly discovered TernDoor and PeerTime backdoors... as well as the BruteEntry brute-force scanner"
MITRE ATT&CK Mapping ... Command and Control T1573.001 Symmetric Cryptography AES-128-CBC via CryptDeriveKey
Other
1 technique
IOCs tracked for this family
40 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor deployed in the second wave by hijacking the legitimate deskband_injector64.exe binary. Forensic artifacts showed it attempted to install a kernel driver (vmflt.sys) for kernel-level persistence.
A backdoor deployed in a later wave of the intrusion to re-establish or maintain access within the victim environment.
A backdoor recently discovered in attacks against telecommunications infrastructure in South America since 2024. In this campaign, attackers attempted to deploy it via DLL side-loading using Mofu Loader.
A backdoor assessed to have been staged via the Mofu loader and a DLL sideloading chain involving USOShared.exe and winmm.dll. It attempted to drop and load a kernel driver (vmflt.sys), used encrypted strings and RC4 logic, and was linked through behavioral and code-level similarities to prior reporting.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.