PeerTime
PeerTime is a Linux ELF backdoor used in a telecom-focused intrusion campaign attributed to the China-linked activity cluster UAT-9244, which Cisco Talos assessed overlaps with FamousSparrow and Tropic Trooper. It has targeted South American telecommunications providers since at least 2024 and is intended to run across multiple architectures commonly found in embedded and network infrastructure, including x86/AMD64, ARM, AArch64, MIPS, and PowerPC, enabling compromise of Linux servers, routers, embedded systems, and other edge infrastructure. PeerTime uses the BitTorrent protocol for peer-to-peer command and control, retrieving instructions and downloading additional payloads from peers rather than relying on a centralized C2 server, which helps blend malicious traffic with legitimate P2P activity and complicates detection and infrastructure attribution. Reported capabilities include downloading files from peers, executing them on the infected host, process renaming or masquerading as legitimate system programs, and persistence via crontab @reboot entries; deployment has been described as involving shell scripts and a loader/instrumentor that decrypts and decompresses the final payload in memory, and one report noted the instrumentor checks for Docker before execution. Two versions have been identified: an older C/C++ implementation and a newer Rust implementation. Infrastructure associated with PeerTime included the domains bloopencil[.]net, xtibh[.]com, and xcit76[.]com. Mandiant Backscatter tracks PeerTime as malware_config:angrypeer.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
One of the Linux payloads, known as PeerTime, supports several architectures commonly found in embedded and network infrastructure: ARM, AArch64, MIPS, PowerPC, x86
Groups observed using it
4 distinct threat actors attributed by public researchers.
"...'PeerTime,' an ELF-based backdoor that uses the BitTorrent protocol to conduct malicious operations..."
...targeted... with the newly discovered TernDoor and PeerTime backdoors for Windows and Linux, respectively... the ELF-based peer-to-peer PeerTime backdoor, which has C/C++ and Rust versions...
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
"The exact initial access method used in the attacks is not known, although the adversary has previously targeted systems running outdated versions of Windows Server and Microsoft Exchange Server to drop web shells for follow-on activity."
Execution
3 techniques
PeerTime: BitTorrent as C2 ... Persistence: crontab injection via (crontab -l ; echo "@reboot %s") | crontab -
“The instrumentor ELF binary will check for the presence of docker… If docker is found, then the PeerTime loader is executed using: docker <path_of_PeerTime_loader_ELF>”
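A defender-side check for the crontab persistence quoted above, added here as an example that is not from the cited reports or from the Mallory page: it parses the output of crontab -l, handles both five-field lines and @-macros, and flags @reboot entries whose program lives in a user-writable directory (the directory list and the sample crontab are assumptions constructed for this example).

```python
import shlex

# Directories from which legitimate software rarely launches an @reboot job.
# Heuristic chosen for this example, not taken from the PeerTime reports.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_crontab(text):
    """Return (schedule, command) tuples for every job line in crontab -l output.

    Skips blanks, comments and VAR=value assignments; accepts both the
    five-field schedule form and @-macros such as @reboot."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)          # ["@reboot", "<command>"]
        else:
            fields = line.split(None, 5)         # m h dom mon dow <command>
            parts = [" ".join(fields[:5]), fields[5]] if len(fields) == 6 else []
        if len(parts) == 2:
            entries.append((parts[0], parts[1]))
    return entries


def reboot_persistence(text):
    """Flag @reboot jobs started from a user-writable path.

    Returns a list of dicts with 'command', 'program' and 'suspicious' keys."""
    findings = []
    for schedule, command in parse_crontab(text):
        if schedule != "@reboot":
            continue
        try:
            program = shlex.split(command)[0]
        except ValueError:                       # unbalanced quotes in the job
            program = command.split()[0]
        findings.append({"command": command, "program": program,
                         "suspicious": program.startswith(SUSPICIOUS_DIRS)})
    return findings


# Constructed sample crontab (not a real capture): one benign @reboot job and
# one appended by the injection pattern quoted in the report.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /usr/local/sbin/node_exporter
@reboot /tmp/.x/ntpd --daemon
"""

if __name__ == "__main__":
    for f in reboot_persistence(SAMPLE_CRONTAB):
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f["command"])
```

Run it against `crontab -l -u <user>` for every account on a host; the injection pattern appends to the existing crontab, so the rogue entry is normally the last line but the check does not rely on position.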
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
3 techniques
"The malware also can disguise its processes as legitimate system programs"
"...rogue DLL ... decrypts and executes the final payload in memory." / "...decodes a configuration to extract the command-and-control (C2) parameters." / "...decrypt and decompress the final PeerTime payload and execute it directly in memory."
"...decrypts and executes the final payload in memory." / "...execute it directly in memory."
Discovery
3 techniques
Once attackers gain foothold access, infected Linux systems can become relay nodes for persistence, scanning, brute-force activity, and covert communications.
One report noted that the malware checks whether Docker is installed before execution.
Command and Control
6 techniques
One detail stands out immediately: the Linux malware reportedly uses peer-to-peer communication methods and BitTorrent-style traffic patterns instead of relying entirely on centralized command-and-control servers.
The malware also appears designed to turn compromised Linux systems into Operational Relay Boxes, or ORBs. Once foothold access is established, the infected host becomes part of the attacker's infrastructure: relaying malicious traffic, staging brute-force attempts, scanning external targets, masking the attacker's origin, and supporting lateral movement.
MITRE ATT&CK mapping ... Command and Control: T1095 (Non-Application Layer Protocol): Custom TLS 1.3, BitTorrent (PeerTime)
“PeerTime is a Linux-based backdoor that leverages the BitTorrent protocol to communicate and execute tasks on infected systems...”
"targeted... with the newly discovered TernDoor and PeerTime backdoors... as well as the BruteEntry brute-force scanner"
Recent activity
Linux malware used in the campaign that supports multiple architectures and uses peer-to-peer communication methods with BitTorrent-style traffic patterns. It is designed to turn compromised Linux systems into operational relay boxes (ORBs) for relaying malicious traffic, staging brute-force attempts, scanning external targets, masking attacker origin, and supporting lateral movement.
Linux ELF multi-architecture persistent backdoor that uses BitTorrent-based peer-to-peer command and control. It supports crontab persistence, process renaming for evasion, payload download from peers, and file execution via BusyBox.
An ELF/Linux backdoor that uses the BitTorrent protocol for malicious operations/communications.
Linux/ELF peer-to-peer backdoor with C/C++ and Rust implementations; supports multiple CPU architectures (MIPS, ARM, PPC, AARCH) to enable broad device compromise.