Executive Summary
Since 2024, the China-linked advanced persistent threat actor UAT-9244 has been targeting telecommunication service providers in South America, compromising Windows, Linux, and network-edge devices. The group employs three previously undocumented malware families: TernDoor, a Windows backdoor; PeerTime, a Linux backdoor utilizing the BitTorrent protocol; and BruteEntry, a brute-force scanner that establishes proxy infrastructure. These tools enable UAT-9244 to maintain persistent access, execute remote commands, and expand their network infiltration.
This incident underscores the evolving sophistication of state-sponsored cyber threats targeting critical infrastructure. The use of novel malware and advanced techniques highlights the need for enhanced cybersecurity measures and vigilance within the telecommunications sector.
Why This Matters Now
The emergence of UAT-9244's advanced malware toolkit targeting South American telecoms highlights the escalating cyber threats to critical infrastructure. Organizations must prioritize robust security measures to defend against such sophisticated state-sponsored attacks.
Attack Path Analysis
UAT-9244 initiated the attack by exploiting vulnerabilities in Windows, Linux, and network-edge devices to gain initial access. They escalated privileges by deploying the TernDoor and PeerTime malware, enabling deeper system control. The attackers moved laterally across the network using BruteEntry to scan for and compromise additional systems. Command and control was established through PeerTime's BitTorrent-based communications, allowing remote execution of commands. Data exfiltration was conducted by transferring sensitive information through encrypted channels. The impact included persistent access, data theft, and potential disruption of telecommunications services.
Kill Chain Progression
Initial Compromise
Description
UAT-9244 exploited vulnerabilities in Windows, Linux, and network-edge devices to gain unauthorized access.
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: Unix Shell
Create or Modify System Process: Unix Service
Encrypted Channel
Application Layer Protocol
Brute Force: Password Guessing
Remote Services: SSH
Data from Local System
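The two techniques listed above for BruteEntry, password guessing over SSH, leave a very recognisable trace in sshd authentication logs: a burst of "Failed password" events from one source, sometimes followed by an "Accepted password" from the same source. The following detection is an added example written for this page; it is not code from Talos, BleepingComputer, or Aviatrix. The log lines, hostnames and 10.x addresses are constructed, the syslog year is assumed (syslog lines carry none), and the threshold and window values are assumptions to tune per environment.

```python
"""Detect SSH password-guessing bursts in OpenSSH auth logs.

Added example, not from the original reporting. Sample log lines are constructed;
sources, hostnames, thresholds and the assumed year are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth.log lines (10.x addresses are placeholders).
SAMPLE_LOG = """\
Mar 03 10:00:01 edge-gw sshd[2301]: Failed password for invalid user admin from 10.20.30.40 port 51000 ssh2
Mar 03 10:00:02 edge-gw sshd[2302]: Failed password for invalid user oracle from 10.20.30.40 port 51001 ssh2
Mar 03 10:00:03 edge-gw sshd[2303]: Failed password for root from 10.20.30.40 port 51002 ssh2
Mar 03 10:00:04 edge-gw sshd[2304]: Failed password for root from 10.20.30.40 port 51003 ssh2
Mar 03 10:00:05 edge-gw sshd[2305]: Failed password for invalid user test from 10.20.30.40 port 51004 ssh2
Mar 03 10:00:06 edge-gw sshd[2306]: Failed password for invalid user guest from 10.20.30.40 port 51005 ssh2
Mar 03 10:00:09 edge-gw sshd[2310]: Accepted password for ops from 10.20.30.40 port 51006 ssh2
Mar 03 10:01:00 edge-gw sshd[2320]: Failed password for ops from 10.9.8.7 port 40000 ssh2
Mar 03 10:01:30 edge-gw sshd[2321]: Accepted password for ops from 10.9.8.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2025):
    """Return sorted (timestamp, result, user, src) tuples for password auth events.

    Syslog lines have no year, so one is assumed (placeholder value).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_guessing(events, threshold=5, window_s=60, followup_s=300):
    """Per source IP, flag 'password_guessing' when at least `threshold` failures
    fall within any `window_s` span, and escalate to 'guess_then_success' when an
    Accepted login from the same source follows the burst within `followup_s`.

    A single failed attempt from a legitimate user (a mistyped password) never
    reaches the threshold and produces no finding.
    """
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))

    findings = {}
    for src, evs in by_src.items():
        fails = [ts for ts, r, _ in evs if r == "Failed"]
        burst_end = None
        lo = 0
        # Sliding window over the sorted failure timestamps.
        for hi, ts in enumerate(fails):
            while ts - fails[lo] > timedelta(seconds=window_s):
                lo += 1
            if hi - lo + 1 >= threshold:
                burst_end = ts  # keep the latest timestamp that completed a burst
        if burst_end is None:
            continue

        users = sorted({u for _, r, u in evs if r == "Failed"})
        finding = {"verdict": "password_guessing", "failures": len(fails), "users_tried": users}
        for ts, r, u in evs:
            if r == "Accepted" and burst_end <= ts <= burst_end + timedelta(seconds=followup_s):
                finding["verdict"] = "guess_then_success"
                finding["account"] = u
                break
        findings[src] = finding
    return findings


if __name__ == "__main__":
    for src, finding in detect_password_guessing(parse_auth_log(SAMPLE_LOG)).items():
        print(src, finding)
```

In the constructed sample, 10.20.30.40 produces six failures across five usernames in under a minute and then an accepted login for "ops", so it is reported as guess_then_success, the case that warrants immediate credential reset and session review; 10.9.8.7 makes one failed attempt before succeeding and is not reported. On a real fleet the same logic runs over centralised auth logs, and the "guess_then_success" verdict is the one to route to an incident queue rather than a dashboard.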
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST Cybersecurity Framework (CSF) 2.0 – Identity Management and Access Control
Control ID: PR.AC-1
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Identity Governance
Control ID: Identity Pillar
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 5
ISO/IEC 27001:2022 – Event Logging
Control ID: A.12.4.1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Primary target of the UAT-9244 APT campaign, in which the TernDoor, PeerTime, and BruteEntry malware compromised Windows, Linux, and network-edge devices across telecom infrastructure.
Government Administration
High risk from Chinese state-sponsored attacks targeting critical infrastructure, requiring enhanced encrypted traffic monitoring and zero trust segmentation for sensitive communications.
Computer/Network Security
Direct impact from advanced malware toolkit requiring updated threat detection capabilities, egress security controls, and anomaly response systems for client protection.
Internet
Vulnerable to lateral movement and command-and-control activity through compromised telecom infrastructure, necessitating multicloud visibility and east-west traffic security controls.
Sources
- Chinese state hackers target telcos with new malware toolkit: https://www.bleepingcomputer.com/news/security/chinese-state-hackers-target-telcos-with-new-malware-toolkit/
- UAT-9244 targets South American telecommunication providers with three new malware implants: https://blog.talosintelligence.com/uat-9244/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control, and exfiltrate data, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in Windows, Linux, and network-edge devices would likely be constrained, limiting their initial access points.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and gain deeper control over compromised systems would likely be constrained, reducing their operational scope.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally across the network would likely be constrained, limiting their reach to additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing their capacity for remote command execution.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data through encrypted channels would likely be constrained, limiting data loss.
The attacker's ability to maintain persistent access, steal data, and disrupt services would likely be constrained, reducing the overall impact on telecommunications services.
Impact at a Glance
Affected Business Functions
- Network Operations
- Customer Service
- Billing Systems
- Data Management
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of customer call records, billing information, and internal network configurations.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and enforce least privilege access.
- Deploy East-West Traffic Security controls to monitor and secure internal network communications.
- Utilize Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- Establish Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- Apply Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.