In the midst of intensifying geopolitical competition in cyberspace, a previously undetected cyberattack linked to China has been quietly unfolding across South America’s telecommunications industry since 2024.
Cisco Talos researchers have reported that the operation represents a methodical and deeply embedded effort to secure long-term access to core communications infrastructure — an objective which goes well beyond opportunistic intrusions.
The group is responsible for the UAT-9244 malware, a suite of tools engineered not only for initial compromise but also for durability, stealth, and sustained intelligence collection.
A number of analysts have noted that this campaign’s tactics, techniques, and operational overlaps have a strong resemblance to those of Chinese advanced persistent threat actors like Famous Sparrow and Tropic Trooper, suggesting a shared tooling framework, coordination of activities, or a broader strategic alignment.
The campaign’s apparent priority has been maintaining uninterrupted footholds within telecom environments, which underpin national connectivity, sensitive data flows and, by extension, elements of sovereign control. By embedding themselves in these networks, the operators position their capabilities at a crucial vantage point where surveillance, data interception and disruption can all converge.
According to the findings, telecommunications companies are no longer peripheral targets, but rather are central elements in state-aligned intelligence gathering. This reflects a dramatic shift in modern cyber warfare towards infrastructure-level persistence.
On the basis of these observations, Cisco Talos researchers believe the activity cluster has a strong operational affinity with Famous Sparrow and Tropic Trooper, while remaining sufficiently distinct to qualify for its own classification.
The attribution does not rely on any particular indicator, but instead on a convergence of technical evidence, including shared tooling characteristics, overlapping tactics, techniques, and procedures, as well as a unified victimology focused on telecommunications infrastructure.
The targeting profile invites comparison with campaigns attributed to Salt Typhoon, but no definitive link has been established, suggesting either parallel operational tracks or compartmentalized tasking within a broad state-aligned actor ecosystem.
The intrusion set includes three previously undocumented malware families, alongside other newly developed tooling, built specifically for resilience in heterogeneous telecom environments.
Among them are several backdoors designed for covert persistence and flexible post-exploitation control, including TernDoor.
The malware deploys itself using DLL side-loading, abusing the legitimate wsprint.exe executable to load the malicious library BugSplatRc64.dll, which in turn decrypts the payload and executes it directly in memory by injecting it into msiexec.exe, thereby minimizing its forensic footprint.
It also includes a kernel-level component, WSPrint.sys, which enables granular manipulation of system processes, such as terminating, suspending, or resuming them, improving evasion as well as operational stability.
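As an added illustration of how a defender might hunt for the loading chain described above (this is example code, not from the article or from Cisco Talos), the following Python walks constructed Sysmon-style records and flags the three observable steps: wsprint.exe loading BugSplatRc64.dll, msiexec.exe being spawned from an unexpected parent, and WSPrint.sys loading from outside the normal driver directory. The benign-parent set and the driver-directory heuristic are assumptions for the example, and the sample events are constructed, not real telemetry.

```python
from pathlib import PureWindowsPath
from typing import Dict, List

# Names taken from the article; matching is case-insensitive on the file name.
SIDELOAD_HOST = "wsprint.exe"
SIDELOADED_DLL = "bugsplatrc64.dll"
INJECTION_TARGET = "msiexec.exe"
DRIVER_NAME = "wsprint.sys"
# Assumption for this example: parents from which msiexec.exe is normally launched.
BENIGN_MSIEXEC_PARENTS = {"msiexec.exe", "services.exe", "explorer.exe"}
DRIVER_DIR = r"c:\windows\system32\drivers"


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect_sideload_chain(events: List[Dict]) -> List[str]:
    """Return one alert per suspicious Sysmon-style event, in input order."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        # Event 7 (image loaded): the legitimate host loading the malicious DLL.
        if eid == 7 and _name(ev["Image"]) == SIDELOAD_HOST \
                and _name(ev["ImageLoaded"]) == SIDELOADED_DLL:
            alerts.append(f"sideload: {ev['Image']} loaded {ev['ImageLoaded']}")
        # Event 1 (process create): msiexec.exe, the injection target, started
        # by an unusual parent; a normal install has one of the benign parents.
        elif eid == 1 and _name(ev["Image"]) == INJECTION_TARGET \
                and _name(ev["ParentImage"]) not in BENIGN_MSIEXEC_PARENTS:
            alerts.append(f"unexpected msiexec parent: {ev['ParentImage']}")
        # Event 6 (driver loaded): WSPrint.sys loading from outside the drivers
        # directory (a heuristic assumed here, not a claim from the article).
        elif eid == 6 and _name(ev["ImageLoaded"]) == DRIVER_NAME \
                and not ev["ImageLoaded"].lower().startswith(DRIVER_DIR):
            alerts.append(f"driver: {ev['ImageLoaded']} loaded outside drivers dir")
    return alerts


# Constructed sample telemetry; only the file names come from the article.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\wsprint.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\BugSplatRc64.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\wsprint.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},  # benign, no alert
    {"EventID": 6, "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\WSPrint.sys"},
]
```

Calling `detect_sideload_chain(SAMPLE_EVENTS)` yields three alerts; the services.exe-parented msiexec.exe record is not flagged.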
A layering of persi
[…]
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents