High Malware

China-Linked Hackers Use TernDoor, PeerTime, BruteEntry

A China-linked advanced persistent threat actor tracked as UAT-9244 has been targeting telecommunication service providers in South America since 2024, compromising Windows, Linux, and network-edge de

What Happened

A China-linked advanced persistent threat actor, tracked as UAT-9244, has been conducting a sustained campaign against telecommunications service providers in South America since early 2024. The attackers are deploying a custom malware toolkit designed to compromise a wide range of systems, including Windows and Linux servers as well as network-edge devices. The toolkit consists of several components, notably the TernDoor backdoor, the PeerTime credential stealer, and the BruteEntry tool for brute-force attacks. This campaign represents a direct assault on critical communications infrastructure in the region.

Why It Matters

This campaign targets the foundational infrastructure of telecommunications, a sector vital to national security and economic stability. Compromise of these networks can facilitate espionage, data theft, and potentially serve as a foothold for future disruptive operations. The actor’s focus on both common servers and harder-to-secure edge devices demonstrates a sophisticated understanding of network architecture and a deliberate effort to establish deep, persistent access. Concurrently, the separate but relevant disclosure of the widespread ClickFix campaign, which abuses the Windows Terminal to deploy Lumma Stealer, underscores a broader threat landscape where attackers are innovating to bypass common security controls.

Technical Details

The UAT-9244 toolkit is multi-faceted. TernDoor is a backdoor providing initial access and command-and-control (C2). PeerTime is designed to harvest credentials from compromised systems. BruteEntry facilitates brute-force attacks to expand access within the network. The actor’s ability to target both Windows and Linux systems, alongside edge devices from vendors like Cisco, indicates a versatile and well-resourced operation. In a parallel but distinct threat, the ClickFix campaign uses social engineering to trick users into executing a malicious file that launches Windows Terminal with a hidden argument, initiating a chain that ultimately deploys Lumma information-stealing malware.

Immediate Risk

The risk to South American telecommunications providers is HIGH. The campaign is active, the target is critical infrastructure, and the malware suite is designed for persistence and lateral movement. Organizations in this sector, particularly those with legacy or poorly segmented network-edge devices, are at immediate risk of compromise. Furthermore, the ClickFix campaign poses a widespread risk to general Windows environments, demonstrating that even trusted system tools like Windows Terminal can be weaponized in novel attack chains.

Security Insight

This activity reinforces the necessity of defense-in-depth, especially for critical infrastructure. Defenders must assume credential theft will occur and segment networks accordingly, limiting lateral movement from edge devices. The abuse of Windows Terminal in ClickFix highlights that application allow-listing must be carefully scoped. To mitigate risks like those posed by UAT-9244, organizations should rigorously audit and harden network-edge devices, enforce strict multi-factor authentication (MFA) with phishing-resistant methods where possible, and deploy robust endpoint detection across all system types, including Linux. Monitoring for anomalous outbound connections from these devices is crucial.
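As an added example (not from the advisory or any vendor tooling), the check below implements the last recommendation: it learns which destination/port pairs each network-edge device normally reaches, then flags flows to destinations outside that baseline, escalating large transfers and destinations newly shared by several devices. Device names, IP addresses and flow records are constructed sample data.

```python
"""Flag anomalous outbound connections from network-edge devices.

Added example, not part of the original advisory. A baseline of known
(destination, port) pairs per device is learned from a quiet period and
new flows are compared against it. All flow records are constructed.
"""
from collections import defaultdict

# Constructed flows from the baseline period: (device, dst_ip, dst_port, bytes).
BASELINE_FLOWS = [
    ("edge-rtr-01", "203.0.113.10", 443, 12000),    # vendor update service
    ("edge-rtr-01", "198.51.100.5", 123, 200),      # NTP
    ("edge-rtr-02", "203.0.113.10", 443, 9000),
    ("edge-rtr-02", "198.51.100.5", 123, 150),
]

# Constructed flows from the monitoring window.
OBSERVED_FLOWS = [
    ("edge-rtr-01", "198.51.100.5", 123, 180),        # normal NTP
    ("edge-rtr-01", "192.0.2.77", 8443, 5_000_000),   # new destination, large transfer
    ("edge-rtr-02", "203.0.113.10", 443, 8800),       # normal update traffic
    ("edge-rtr-02", "192.0.2.77", 22, 4000),          # same new destination, outbound SSH
]

LARGE_TRANSFER_BYTES = 1_000_000  # threshold chosen for this example


def build_baseline(flows):
    """Map each device to the set of (dst_ip, dst_port) pairs it normally reaches."""
    baseline = defaultdict(set)
    for device, dst_ip, dst_port, _ in flows:
        baseline[device].add((dst_ip, dst_port))
    return baseline


def detect_anomalous_outbound(flows, baseline):
    """Return one alert per flow whose destination is absent from the device's baseline.

    A new destination reached by two or more devices is marked as shared: a common
    new endpoint across edge devices fits a campaign better than a local config change.
    """
    alerts = []
    for device, dst_ip, dst_port, nbytes in flows:
        if (dst_ip, dst_port) in baseline.get(device, set()):
            continue
        alerts.append({"device": device, "dst_ip": dst_ip, "dst_port": dst_port,
                       "bytes": nbytes, "shared_destination": False,
                       "severity": "high" if nbytes >= LARGE_TRANSFER_BYTES else "medium"})
    devices_per_dst = defaultdict(set)
    for alert in alerts:
        devices_per_dst[alert["dst_ip"]].add(alert["device"])
    for alert in alerts:
        alert["shared_destination"] = len(devices_per_dst[alert["dst_ip"]]) >= 2
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalous_outbound(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```

In production the baseline would come from weeks of flow data and be refreshed after approved changes, so that a legitimate new vendor endpoint does not stay flagged.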
