BruteEntry
BruteEntry is a Go-based brute-force scanner used by the China-nexus threat cluster UAT-9244 in operations targeting telecommunications providers in South America since at least 2024. It is typically installed on compromised network edge devices and converts them into Operational Relay Boxes (ORBs) or mass-scanning proxy nodes that obscure the origin of the actor’s activity. BruteEntry is used to scan exposed services and conduct credential brute-force attacks against SSH, PostgreSQL, and Apache Tomcat servers using built-in username and password lists, then report successful credentials back to attacker infrastructure. Reported command-and-control behavior includes registration and tasking over an HTTP/JSON REST API with endpoints such as /register, /heartbeat, /tasks/<agent_id>, and /results. Cisco Talos and related reporting associate BruteEntry with UAT-9244 and assess overlap between that cluster and FamousSparrow and Tropic Trooper. A reported BruteEntry C2 server was 212.11.64[.]105:8085, which was also shared with TernDoor-related infrastructure.
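As an added example (not code from the page, from Talos, or from Mallory), a small Python check a defender could run over proxy logs to surface the four-endpoint agent life cycle reported above (/register, /heartbeat, /tasks/<agent_id>, /results on one destination). The log format, client addresses and agent id are constructed; only the endpoint paths and port 8085 come from the description above.

```python
"""Flag internal clients whose outbound HTTP requests to a single destination
cover most of the BruteEntry-style agent life cycle reported above."""
import re
from collections import defaultdict

# Constructed sample log (assumed format: "<epoch> <src_ip> <dst_host:port> <path>").
# 10.0.0.7 shows the full register/heartbeat/tasks/results cycle; 10.0.0.9 is noise.
SAMPLE_LOG = """\
1714000001 10.0.0.7 203.0.113.5:8085 /register
1714000061 10.0.0.7 203.0.113.5:8085 /heartbeat
1714000121 10.0.0.7 203.0.113.5:8085 /tasks/agent-1f3a
1714000181 10.0.0.7 203.0.113.5:8085 /results
1714000005 10.0.0.9 198.51.100.2:443 /register
1714000009 10.0.0.9 198.51.100.2:443 /index.html
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")
FIXED_STAGES = {"/register": "register", "/heartbeat": "heartbeat", "/results": "results"}
TASKS_RE = re.compile(r"^/tasks/[^/]+$")  # /tasks/<agent_id>, one path segment


def classify(path):
    """Map a request path to a life-cycle stage name, or None if unrelated."""
    if path in FIXED_STAGES:
        return FIXED_STAGES[path]
    if TASKS_RE.match(path):
        return "tasks"
    return None


def find_agent_like_clients(log_text, min_stages=3):
    """Return {(src_ip, dst): sorted stages} for client/destination pairs that
    hit at least min_stages of the four endpoints; a lone /register hit alone
    is not enough, which keeps ordinary web apps with a /register page quiet."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        _, src, dst, path = m.groups()
        stage = classify(path)
        if stage:
            seen[(src, dst)].add(stage)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_stages}


if __name__ == "__main__":
    for (src, dst), stages in find_agent_like_clients(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {', '.join(stages)}")
```

Tune min_stages and the destination filter to your own telemetry; the stage set, not any single path, is what makes the pattern distinctive.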
Groups observed using it
3 distinct threat actors attributed by public researchers.
BruteEntry is a Go-based brute force scanner that compromises internet-facing services and converts them into Operational Relay Boxes (ORBs) -- proxy nodes that obscure the true origin of UAT-9244's operations.
"...a brute force scanner, which Talos tracks as “BruteEntry.” ... converting them into mass-scanning proxy nodes ... that attempt to brute force into SSH, Postgres, and Tomcat servers."
The third component, BruteEntry, is used to convert compromised edge devices into scanning infrastructure... capable of conducting credential brute-force attacks against exposed services.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
"...convert compromised edge devices into scanning infrastructure... receives lists of IP addresses to probe."
Resource Development
1 technique
MITRE ATT&CK Mapping ... Resource Development T1584.004 Server ORB infrastructure from brute-forced hosts
Initial Access
1 technique
"The exact initial access method used in the attacks is not known, although the adversary has previously targeted systems running outdated versions of Windows Server and Microsoft Exchange Server to drop web shells for follow-on activity."
Credential Access
2 techniques
"...attempt to brute force into SSH, Postgres, and Tomcat servers."
MITRE ATT&CK Mapping ... Credential Access T1110.001 Password Guessing SSH/PostgreSQL/Tomcat brute force (BruteEntry)
Lateral Movement
1 technique
"BruteEntry... attempt to brute force into SSH, Postgres, and Tomcat servers... The agent will then use a set of embedded credentials to attempt to brute force into... 'ssh'."
Command and Control
5 techniques
"PeerTime... backdoor that uses the BitTorrent protocol to conduct malicious operations..."
"...converting them into mass-scanning proxy nodes, also known as Operational Relay Boxes (ORBs)..."
"BruteEntry is typically installed on network edge devices, essentially converting them into mass-scanning proxy nodes, also known as Operational Relay Boxes (ORBs)..."
MITRE ATT&CK Mapping ... Command and Control T1090.003 Multi-hop Proxy ORB network via BruteEntry compromised hosts
"targeted... with the newly discovered TernDoor and PeerTime backdoors... as well as the BruteEntry brute-force scanner"
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family, and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Go-based Linux ELF brute-force tool with an HTTP/JSON REST API C2. It targets SSH, PostgreSQL, and Apache Tomcat using hardcoded credential lists and turns compromised hosts into Operational Relay Boxes for proxying attacker activity.
A brute-force scanning tool typically installed on edge devices to mass-scan and brute-force services (SSH/Postgres/Tomcat), turning devices into ORB-like relay/proxy nodes.
Brute-force scanning tool used to turn compromised devices into relay infrastructure and to conduct brute-force attacks against SSH, Tomcat, and PostgreSQL services.
Edge-device implant that converts compromised network edge devices into ORB relay nodes used to conduct brute-force activity (notably against SSH, PostgreSQL, and Apache Tomcat) to expand attacker foothold and infrastructure reach.