Cybersecurity Threat Advisory: Telecoms targeted with new malware

A China-linked advanced persistent threat group, UAT-9244, has been targeting telecommunications (telecom) providers in South America since at least 2024. Learn more about this targeted campaign and how to protect your environment in this Cybersecurity Threat Advisory.

What is the threat?

UAT-9244 has conducted a long-running cyber-espionage campaign using three new custom malware implants, TernDoor, PeerTime and BruteEntry, across Windows, Linux and network-edge devices. Together they give the group deep, persistent access to carrier networks, the ability to move laterally, and the potential to monitor or disrupt communications.

  • TernDoor is a Windows backdoor delivered by DLL side-loading: the legitimate wsprint.exe process is abused to load a malicious BugSplatRc64.dll, which decrypts the final payload and injects it into msiexec.exe in memory. TernDoor ships with an embedded Windows driver (WSPrint.sys) that lets the attackers terminate, suspend and resume processes. It persists through scheduled tasks and Registry modifications that also conceal the task, and it supports remote shell access, arbitrary process execution, file read/write operations, system reconnaissance and self-uninstallation.
  • PeerTime is an ELF-based Linux backdoor compiled for multiple architectures, including ARM, AArch64, PPC and MIPS, which lets the attackers compromise a wide range of embedded systems and telecom network devices. Cisco Talos identified two variants, one written in C/C++ and one in Rust, with Simplified Chinese debug strings present in the instrumentor binary. PeerTime decrypts and executes its payload entirely in memory, renames its process to appear benign, and operates as a peer-to-peer backdoor: it uses the BitTorrent protocol for command and control, retrieves payloads from peers, and relies on BusyBox to write files to disk.
  • BruteEntry consists of a Go-based instrumentor and a brute-force component that turns infected systems into scanning nodes, known as Operational Relay Boxes (ORBs). These ORBs scan for new targets, attempt to brute-force SSH, PostgreSQL and Tomcat services, and report authentication results, status and notes back to the command-and-control server.
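The TernDoor delivery chain above is unusually specific (a named host executable, a named DLL, a named driver, a named injection target), which makes it a good hunting target in endpoint telemetry. The script below is an added example written for this advisory, not code from Barracuda or from Cisco Talos. It runs over constructed Sysmon-style records; the trusted-directory heuristic used for the side-loading check, the Sysmon event IDs, and the assumption that the scheduled task is hidden by removing the SD value under the TaskCache Registry key are all assumptions of this example, not details stated in the advisory.

```python
"""Hunt for the TernDoor delivery chain in Sysmon-style endpoint telemetry.

Added example: the sample events and the Registry snapshot below are constructed,
not real telemetry. Field names follow Sysmon's ImageLoad (EventID 7),
CreateRemoteThread (EventID 8) and DriverLoad (EventID 6) events. The
trusted-directory heuristic and the TaskCache "SD value missing" check are
assumptions of this example, not details stated by the advisory.
"""
import ntpath

# Directories where a vendor-installed wsprint.exe / BugSplatRc64.dll pair would live.
# Assumption: a side-loaded copy is dropped somewhere writable instead.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def hunt_sysmon(events):
    """Return (rule, artifact) findings for the TernDoor chain named in the advisory."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 7 and base(ev["Image"]) == "wsprint.exe" \
                and base(ev["ImageLoaded"]) == "bugsplatrc64.dll":
            # Side-loading signature: the DLL sits beside a relocated copy of the
            # host EXE, outside the directories a real install would use.
            same_dir = (ntpath.dirname(ev["Image"]).lower()
                        == ntpath.dirname(ev["ImageLoaded"]).lower())
            if same_dir and not in_trusted_dir(ev["ImageLoaded"]):
                findings.append(("terndoor_sideload", ev["ImageLoaded"]))
        elif eid == 8 and base(ev["SourceImage"]) == "wsprint.exe" \
                and base(ev["TargetImage"]) == "msiexec.exe":
            # In-memory injection of the decrypted payload into msiexec.exe.
            findings.append(("terndoor_inject_msiexec", ev["TargetImage"]))
        elif eid == 6 and base(ev["ImageLoaded"]) == "wsprint.sys":
            # The embedded driver used to kill, suspend and resume processes.
            findings.append(("terndoor_driver", ev["ImageLoaded"]))
    return findings


def hidden_tasks(task_tree):
    """Scheduled tasks whose TaskCache\\Tree key has no SD (security descriptor) value.

    Assumption: concealment works by deleting that value, which hides the task
    from Task Scheduler and schtasks while it keeps running.
    """
    return sorted(name for name, values in task_tree.items() if "SD" not in values)


# Constructed sample telemetry: one benign vendor install, one side-load chain.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\wsprint.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\BugSplatRc64.dll"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\wsprint.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\BugSplatRc64.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\Libraries\wsprint.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\Libraries\WSPrint.sys"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

# Constructed TaskCache\Tree snapshot: task name -> its Registry values.
SAMPLE_TASK_TREE = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": {
        "Id": "{00000000-0000-0000-0000-000000000001}", "Index": 3, "SD": b"\x01\x00\x04\x80"},
    r"\ConstructedHiddenTask": {
        "Id": "{00000000-0000-0000-0000-000000000002}", "Index": 3},
}

if __name__ == "__main__":
    for rule, artifact in hunt_sysmon(SAMPLE_EVENTS):
        print(f"{rule}: {artifact}")
    for task in hidden_tasks(SAMPLE_TASK_TREE):
        print(f"hidden scheduled task: {task}")
```

The benign record is there on purpose: BugSplatRc64.dll is a legitimate crash-reporting library, so the side-loading rule keys on the pair being relocated together rather than on the DLL name alone. Against a live estate, feed the first function from your Sysmon or EDR export and the second from a dump of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, and treat a task that appears there but not in Task Scheduler as a finding in its own right.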

Why is it noteworthy?

This campaign is noteworthy because it demonstrates a sustained, multi‑year operation by a China‑linked advanced persistent threat targeting critical telecommunications infrastructure. By compromising Windows, Linux, and network‑edge devices simultaneously, the attackers show the ability to operate across heterogeneous environments, increasing persistence, blast radius, and the difficulty of detection for affected organizations.

What is the exposure or risk?

The primary risk is a deep, long‑term compromise of core telecommunications infrastructure, giving the China‑linked APT UAT‑9244 high‑privilege access to Windows, Linux, and network‑edge devices that route and manage customer traffic. This level of access threatens the confidentiality and integrity of communications, potentially allowing attackers to monitor, reroute, or tamper with voice, data, signaling traffic, and sensitive subscriber and corporate information. By converting compromised systems into scanning and brute‑force nodes, the attackers can also launch follow‑on attacks against downstream customers and partners. Additionally, the use of DLL side‑loading and BitTorrent‑based peer‑to‑peer command‑and‑control complicates detection and remediation, increasing the likelihood of prolonged, stealthy espionage and potential service disruption.
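The ORB behaviour described for BruteEntry, and the follow-on risk to downstream customers noted above, leave a distinctive trace: one source address failing authentication against SSH, PostgreSQL and Tomcat in quick succession. The script below correlates those failures per source and is an added example, not code from the advisory or from Cisco Talos. It runs over constructed log lines; the log formats it expects (sshd syslog lines, PostgreSQL with a log_line_prefix that includes the remote address and port, and a Tomcat access log in common format) and the thresholds are assumptions of the example.

```python
"""Correlate authentication failures across SSH, PostgreSQL and Tomcat per source IP.

Added example over constructed log lines (not real logs). Assumed formats:
sshd syslog lines, PostgreSQL with a log_line_prefix that includes the remote
address and port (for example '%m [%p] %r '), and a Tomcat access log in the
common format. The thresholds are assumptions, not figures from the advisory.
"""
import re
from collections import defaultdict
from itertools import chain

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
SSHD_FAIL = re.compile(r"Failed password for (?:invalid user )?\S+ from " + IP + r" port \d+")
PG_FAIL = re.compile(r"\[\d+\] " + IP + r"\(\d+\) FATAL:\s+password authentication failed")
# A single 401 on the Manager app is a normal browser challenge; a run of them is not.
TOMCAT_401 = re.compile(r"^" + IP + r' \S+ \S+ \[[^\]]+\] "[A-Z]+ /(?:host-)?manager/\S* \S+" 401 ')

# Constructed sample logs: 203.0.113.50 sweeps all three services, the rest are noise.
SSH_LOG = """\
Mar  3 10:00:01 gw1 sshd[2211]: Failed password for invalid user admin from 203.0.113.50 port 41234 ssh2
Mar  3 10:00:02 gw1 sshd[2211]: Failed password for invalid user oracle from 203.0.113.50 port 41240 ssh2
Mar  3 10:00:03 gw1 sshd[2213]: Failed password for root from 203.0.113.50 port 41251 ssh2
Mar  3 10:05:00 gw1 sshd[2300]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Mar  3 10:05:09 gw1 sshd[2300]: Accepted password for alice from 198.51.100.7 port 50000 ssh2
"""
PG_LOG = """\
2025-03-03 10:00:05.101 UTC [4410] 203.0.113.50(52300) FATAL:  password authentication failed for user "postgres"
2025-03-03 10:00:06.207 UTC [4411] 203.0.113.50(52301) FATAL:  password authentication failed for user "admin"
2025-03-03 10:07:00.003 UTC [4500] 10.0.0.12(40000) LOG:  connection authorized: user=app database=billing
"""
TOMCAT_LOG = """\
203.0.113.50 - - [03/Mar/2025:10:00:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.50 - - [03/Mar/2025:10:00:08 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.9 - - [03/Mar/2025:10:01:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.9 - ops [03/Mar/2025:10:01:05 +0000] "GET /manager/html HTTP/1.1" 200 18432
"""


def failures(lines, pattern, service):
    """Yield (source_ip, service) for every line that matches a failure pattern."""
    for line in lines:
        m = pattern.search(line)
        if m:
            yield m.group(1), service


def analyze(sshd_lines, pg_lines, tomcat_lines):
    """Per-source failure count and the set of services each source hammered."""
    per_ip = defaultdict(lambda: {"failures": 0, "services": set()})
    for ip, service in chain(failures(sshd_lines, SSHD_FAIL, "ssh"),
                             failures(pg_lines, PG_FAIL, "postgresql"),
                             failures(tomcat_lines, TOMCAT_401, "tomcat")):
        per_ip[ip]["failures"] += 1
        per_ip[ip]["services"].add(service)
    return {ip: {"failures": s["failures"], "services": sorted(s["services"])}
            for ip, s in per_ip.items()}


def flag_orbs(stats, threshold=5):
    """Sources that either fail often or spray more than one service (the ORB pattern)."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] >= threshold or len(s["services"]) >= 2)


if __name__ == "__main__":
    stats = analyze(SSH_LOG.splitlines(), PG_LOG.splitlines(), TOMCAT_LOG.splitlines())
    for ip in flag_orbs(stats):
        print(f"{ip}: {stats[ip]['failures']} failures across {stats[ip]['services']}")
```

The cross-service condition is the useful one here: a legitimate user who mistypes a password a few times touches one service, while an ORB working through SSH, PostgreSQL and Tomcat from the same address touches all three, so it is flagged even before the raw count crosses the threshold. Because infected ORBs are themselves victims, a flagged address inside your own ranges should be treated as a compromised host to investigate, not just a source to block.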

What are the recommendations?

Barracuda strongly recommends taking the following actions to mitigate risk:

  • Patch and update telecom servers, network-edge devices and embedded systems. BruteEntry only needs a service that accepts weak or default credentials, so enforce key-based SSH and disable password authentication where possible, and remove default PostgreSQL and Tomcat Manager credentials.
  • Segment telecom edge devices from core infrastructure and restrict which hosts may reach management services (SSH, PostgreSQL, Tomcat Manager) at all.
  • Watch for BitTorrent traffic anomalies, in particular peer-to-peer or DHT traffic from servers and network devices that have no reason to use it, and for brute-force patterns: one source failing authentication against SSH, PostgreSQL and Tomcat in succession matches the ORB behaviour described above.
  • Hunt for the TernDoor delivery chain on Windows hosts: wsprint.exe loading BugSplatRc64.dll from an unexpected directory, wsprint.exe injecting into msiexec.exe, loads of the WSPrint.sys driver, and scheduled tasks that exist in the Registry but are not visible in Task Scheduler.
  • On Linux and embedded devices, look for processes whose name does not match their executable, payloads that run only in memory, and unexpected use of BusyBox to write files.
  • Prepare for multi-platform response covering Windows, Linux and embedded systems, since the campaign compromises all three at once.
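PeerTime's BitTorrent command and control and the recommendation to watch for BitTorrent traffic anomalies both come down to recognising the protocol on hosts that should never speak it. The BitTorrent DHT carries its messages as bencoded KRPC dictionaries over UDP, so a small bencode decoder is enough to classify a UDP payload. The code below is an added example, not code from the advisory or from Cisco Talos; it assumes PeerTime's traffic uses the standard DHT message format, whereas the advisory only states that it uses the BitTorrent protocol. The sample payloads are constructed (the query and response bytes follow the BEP 5 specification examples).

```python
"""Classify UDP payloads as BitTorrent DHT (KRPC) messages.

Added example. The DHT speaks bencoded KRPC dictionaries over UDP (BEP 5):
a query carries y=q, the query name in q and arguments in a; a response
carries y=r and a result dict in r; an error carries y=e and a list in e.
The sample payloads below are constructed (query/response bytes follow BEP 5);
the assumption that PeerTime's traffic uses this standard format is this
example's, not a statement of the advisory.
"""

DHT_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}


def _decode(data: bytes, i: int):
    """Decode one bencoded value starting at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list / dict: l...e, d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            if i >= len(data):
                raise ValueError("unterminated container")
            value, i = _decode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        keys, vals = items[0::2], items[1::2]
        if len(keys) != len(vals) or not all(isinstance(k, bytes) for k in keys):
            raise ValueError("malformed dictionary")
        return dict(zip(keys, vals)), i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated string")
        return data[start:start + length], start + length
    raise ValueError(f"unexpected byte at offset {i}")


def bdecode(data: bytes):
    """Decode a complete bencoded value; reject trailing bytes."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after value")
    return value


def classify_krpc(payload: bytes):
    """('query', name), ('response', None) or ('error', None) for KRPC, else None."""
    try:
        msg = bdecode(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get(b"t"), bytes):
        return None                                 # every KRPC message has a transaction id
    kind = msg.get(b"y")
    if kind == b"q":
        name = msg.get(b"q")
        if isinstance(name, bytes) and name in DHT_QUERIES and isinstance(msg.get(b"a"), dict):
            return ("query", name.decode("ascii"))
    elif kind == b"r" and isinstance(msg.get(b"r"), dict):
        return ("response", None)
    elif kind == b"e" and isinstance(msg.get(b"e"), list):
        return ("error", None)
    return None


def dht_talkers(packets):
    """Count KRPC messages per source address; any count from a server is an anomaly."""
    counts = {}
    for src, payload in packets:
        if classify_krpc(payload) is not None:
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed samples: three DHT messages from one host, one DNS query from another.
PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
FIND_NODE = (b"d1:ad2:id20:abcdefghij01234567896:target20:mnopqrstuvwxyz123456e"
             b"1:q9:find_node1:t2:aa1:y1:qe")
RESPONSE = b"d1:rd2:id20:mnopqrstuvwxyz123456e1:t2:aa1:y1:re"
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE_PACKETS = [("10.20.30.40", PING), ("10.20.30.40", FIND_NODE),
                  ("10.20.30.40", RESPONSE), ("10.20.30.41", DNS_QUERY)]

if __name__ == "__main__":
    for src, n in dht_talkers(SAMPLE_PACKETS).items():
        print(f"{src}: {n} DHT messages")
```

Matching on message structure rather than on port numbers matters because DHT peers use arbitrary UDP ports, so a port-based rule misses most of it. Run the classifier over UDP payloads captured from the server and edge-device segments, where the baseline number of DHT messages should be zero; the decoder rejects anything that is not well-formed bencode, so ordinary DNS, SNMP or SIP traffic on those segments does not produce false positives.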

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
