UAT-9244 Targets South American Telecommunication Providers With Three New Malware Implants

    Date: 03/06/2026

    Severity: High

    Summary

    Cisco Talos has disclosed UAT-9244, a threat cluster it assesses with high confidence to be a China-nexus APT actor linked to Famous Sparrow. Since 2024 the group has targeted critical telecommunications infrastructure in South America, compromising Windows and Linux endpoints as well as network edge devices. Talos describes three malware implants: "TernDoor", a variant of the Windows-based CrowDoor backdoor; "PeerTime", an ELF backdoor that abuses the BitTorrent protocol for its malicious operations; and "BruteEntry", which turns compromised edge devices into mass-scanning proxy nodes that brute-force SSH, Postgres and Tomcat servers.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    xtibh.com

    xcit76.com

    bloopencil.net

    IP Addresses:

    154.205.154.82

    207.148.121.95

    207.148.120.52

    212.11.64.105

    149.28.25.33

    154.205.154.194

    154.205.154.65

    154.205.154.70

    154.223.21.130

    154.223.21.194

    158.247.238.240

    216.238.112.222

    216.238.123.242

    216.238.94.37

    38.54.125.134

    38.60.199.34

    45.32.106.94

    45.77.34.194

    45.77.41.141

    47.76.100.159

    64.190.113.170

    64.95.10.253

    185.196.10.247

    185.196.10.38

    SHA256 Hashes:

    711d9427ee43bc2186b9124f31cba2db5f54ec9a0d56dc2948e1a4377bada289

    3c098a687947938e36ab34b9f09a11ebd82d50089cbfe6e237d810faa729f8ff

    f36913607356a32ea106103387105c635fa923f8ed98ad0194b66ec79e379a02

    a5e413456ce9fc60bb44d442b72546e9e4118a61894fbe4b5c56e4dfad6055e3

    075b20a21ea6a0d2201a12a049f332ecc61348fc0ad3cfee038c6ad6aa44e744

    1f5635a512a923e98a90cdc1b2fb988a2da78706e07e419dae9e1a54dd4d682b

    2d2ca7d21310b14f5f5641bbf4a9ff4c3e566b1fbbd370034c6844cedc8f0538

    ebcb2691b7c92cdf2b2ff5e2d753abeea8cb325c16596cd839e6bd147f80e38a

    00735a8a50d2856c11150ef1e29c05acebce7ad3edad00e37c7f043aacb46330

    74fbc8360d4c95d64d7acaa4d18943dce2d41f91d080b0b5e435d8bce52861a5

    babc81fc9c998e9dc4ab545f0e112e34d2641e1333bc81aaa131abd061a5b604

    e34c9159e6e78c59518a14c5b96bddfee094b684f99d4f69b13371284a014e87

    2c3f2261b00ea45e25eb4e9de2b7ff8e41f311c0b3d986461f834022c08b3b99

    3fcced9332301ff70b20c98c9434c858400013d659afa6bb5149cffb0206357d

    a313f76fca50fff1bcd6f2c6cbc1268985f8c0a3a05fe7f43c4fc0ac3aff84dc

    03eac9eb7f4b4bc494ef0496ee23cabbf38f883896838ed813741d8f64ac9fde

    17652d7bb5fe0454023db4fc7f608df0dbe6af237be31258e16ba52f0e895e26

    74d1a678bdc4bb9f33321e94e3bd1bc1740472ed734231fc46af720072ecb77e

    c9fc2af30f769d856b88b3051f19fdb663b3e0a0916279df9bbcba93c6a110c9

    34d64b3cd9430e85edefcb883973a086dd5de9917e05fabec89b1f4ab9627e91

    1cedf01dd4b7e50181d0e781825c66957b862941395d77c8bd7705114f319c80

    bfc35f12d00fa4b40c5fbce9e37d704e12a52262709bcbdf09f97890bc40cad5

    f3e899789b56429f483e5096e1f473335024f1f763e2d428132338e30352b89e

    6ec070457d1f6f239cb02c5e1576a3660cca98f3a07eec6e4e107f698d7fe555

    15d937803f90c2b9e277ff94d3e98ff30015ecc7f4623a158e3c98861e5cb278

    7b70cd956f082b1029d02b4cb7608893f2de7fa9c500d7d7febdd0f745ac3cb6

    d78b3c6df8f3756a7e310cf7435fdba201dd03ec9f97420a0db683489a01a7c9

    3fcadde4b414a18b2fed56c1ec59d97977123615fbbf411a1c78425445a6e71c

    3d9fbfc2c056eac857ba54e5ed134aa45a4b8322ee9f9353ba32e5b2ca71b0e3

    c9a42423ef08bd7f183915780d39530eba5e4e25968c51965ff8bb3026965a28

    38eeaa4eaad72feb3f8e6993565fcc548d8e7bb93642590f00fa24aacc0e2862

    56bead2933e91366e4a0d5761daf5b238a7f2c22e597664ef67b3ecae20ab326

    6a2d23cc8746a83e9a3b974788fce0e414706b8e75ff390426dd7e10b19967b3

    9a7225c17e4bad3ffe7f080530d36f4f8aca5c116b913caa91ab9b0cee85638e

    870e791af14caaf395c56028176a9c3f4c1ff0318ef3112d57ecd3d4a1be2ef9

    1fcdd5a417db31e5e07d32cecfa69e53f0dce95b7130ad9c03b92249f001801d

    66ce42258062e902bd7f9e90ad5453a901cfc424f0ea497c4d14f063f3acd329

    d5eb979cb8a72706bfa591fa57d4ebf7d13cecdc9377b0192375e2f570f796df

    66adeedfb739774fcc09aa7426c8fad29f8047ab4caee8040d07c0e84d011611

    66bdce93de3b02cf9cdadad18ca1504ac83e379a752d51f60deae6dcbafe4e31

    023467e236a95d5f0e62e26445d430d749c59312f66cf136e6e2c2d526c46ba1

    f8066833e47814793d8c58743622b051070dac09cb010c323970c81b59260f84

    06b23d84fd7afd525dfd7860ebd561dcdd72ccbeb51981d5d9a75acf068d0a2a

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "bloopencil.net" or url like "bloopencil.net" or siteurl like "bloopencil.net" or domainname like "xtibh.com" or url like "xtibh.com" or siteurl like "xtibh.com" or domainname like "xcit76.com" or url like "xcit76.com" or siteurl like "xcit76.com"

    Detection Query 2 :

    dstipaddress IN ("185.196.10.247","38.60.199.34","216.238.123.242","64.190.113.170","45.77.34.194","38.54.125.134","185.196.10.38","154.223.21.194","45.32.106.94","212.11.64.105","154.205.154.70","158.247.238.240","149.28.25.33","154.205.154.194","154.205.154.65","154.223.21.130","216.238.112.222","216.238.94.37","45.77.41.141","47.76.100.159","64.95.10.253","154.205.154.82","207.148.121.95","207.148.120.52") or srcipaddress IN ("185.196.10.247","38.60.199.34","216.238.123.242","64.190.113.170","45.77.34.194","38.54.125.134","185.196.10.38","154.223.21.194","45.32.106.94","212.11.64.105","154.205.154.70","158.247.238.240","149.28.25.33","154.205.154.194","154.205.154.65","154.223.21.130","216.238.112.222","216.238.94.37","45.77.41.141","47.76.100.159","64.95.10.253","154.205.154.82","207.148.121.95","207.148.120.52")

    Detection Query 3 :

    sha256hash IN ("34d64b3cd9430e85edefcb883973a086dd5de9917e05fabec89b1f4ab9627e91","9a7225c17e4bad3ffe7f080530d36f4f8aca5c116b913caa91ab9b0cee85638e","66bdce93de3b02cf9cdadad18ca1504ac83e379a752d51f60deae6dcbafe4e31","56bead2933e91366e4a0d5761daf5b238a7f2c22e597664ef67b3ecae20ab326","711d9427ee43bc2186b9124f31cba2db5f54ec9a0d56dc2948e1a4377bada289","bfc35f12d00fa4b40c5fbce9e37d704e12a52262709bcbdf09f97890bc40cad5","3c098a687947938e36ab34b9f09a11ebd82d50089cbfe6e237d810faa729f8ff","2c3f2261b00ea45e25eb4e9de2b7ff8e41f311c0b3d986461f834022c08b3b99","6a2d23cc8746a83e9a3b974788fce0e414706b8e75ff390426dd7e10b19967b3","d5eb979cb8a72706bfa591fa57d4ebf7d13cecdc9377b0192375e2f570f796df","a5e413456ce9fc60bb44d442b72546e9e4118a61894fbe4b5c56e4dfad6055e3","3fcced9332301ff70b20c98c9434c858400013d659afa6bb5149cffb0206357d","03eac9eb7f4b4bc494ef0496ee23cabbf38f883896838ed813741d8f64ac9fde","1fcdd5a417db31e5e07d32cecfa69e53f0dce95b7130ad9c03b92249f001801d","06b23d84fd7afd525dfd7860ebd561dcdd72ccbeb51981d5d9a75acf068d0a2a","2d2ca7d21310b14f5f5641bbf4a9ff4c3e566b1fbbd370034c6844cedc8f0538","66ce42258062e902bd7f9e90ad5453a901cfc424f0ea497c4d14f063f3acd329","00735a8a50d2856c11150ef1e29c05acebce7ad3edad00e37c7f043aacb46330","075b20a21ea6a0d2201a12a049f332ecc61348fc0ad3cfee038c6ad6aa44e744","74d1a678bdc4bb9f33321e94e3bd1bc1740472ed734231fc46af720072ecb77e","f36913607356a32ea106103387105c635fa923f8ed98ad0194b66ec79e379a02","f8066833e47814793d8c58743622b051070dac09cb010c323970c81b59260f84","17652d7bb5fe0454023db4fc7f608df0dbe6af237be31258e16ba52f0e895e26","e34c9159e6e78c59518a14c5b96bddfee094b684f99d4f69b13371284a014e87","870e791af14caaf395c56028176a9c3f4c1ff0318ef3112d57ecd3d4a1be2ef9","74fbc8360d4c95d64d7acaa4d18943dce2d41f91d080b0b5e435d8bce52861a5","babc81fc9c998e9dc4ab545f0e112e34d2641e1333bc81aaa131abd061a5b604","a313f76fca50fff1bcd6f2c6cbc1268985f8c0a3a05fe7f43c4fc0ac3aff84dc","ebcb2691b7c92cdf2b2ff5e2d753abeea8cb325c16596cd839e6bd147f80e38a","023467e236a95d5f0e62e26445d430d749c59312f66cf136e6e2c2d526c46ba1","38eeaa4eaad72feb3f8e6993565fcc548d8e7bb93642590f00fa24aacc0e2862","c9a42423ef08bd7f183915780d39530eba5e4e25968c51965ff8bb3026965a28","66adeedfb739774fcc09aa7426c8fad29f8047ab4caee8040d07c0e84d011611","1f5635a512a923e98a90cdc1b2fb988a2da78706e07e419dae9e1a54dd4d682b","c9fc2af30f769d856b88b3051f19fdb663b3e0a0916279df9bbcba93c6a110c9","1cedf01dd4b7e50181d0e781825c66957b862941395d77c8bd7705114f319c80","f3e899789b56429f483e5096e1f473335024f1f763e2d428132338e30352b89e","6ec070457d1f6f239cb02c5e1576a3660cca98f3a07eec6e4e107f698d7fe555","15d937803f90c2b9e277ff94d3e98ff30015ecc7f4623a158e3c98861e5cb278","7b70cd956f082b1029d02b4cb7608893f2de7fa9c500d7d7febdd0f745ac3cb6","d78b3c6df8f3756a7e310cf7435fdba201dd03ec9f97420a0db683489a01a7c9","3fcadde4b414a18b2fed56c1ec59d97977123615fbbf411a1c78425445a6e71c","3d9fbfc2c056eac857ba54e5ed134aa45a4b8322ee9f9353ba32e5b2ca71b0e3")
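The three Gurucul queries above are exact-string lookups against SIEM fields. As an added example (not part of the advisory, not Gurucul's TDIR query language and not Talos tooling), the Python below runs the same indicator set over constructed sample log events offline, with the two normalizations a practitioner needs before pasting these indicators into any case-sensitive field: SHA256 values are lowercased (one published hash begins with an uppercase "A"), and domain matches cover subdomains of an indicator but not look-alike hosts where the indicator is merely a prefix. The key=value event format, the hostnames and the internal 10.20.x.x addresses are constructed; the hash set is a subset of the advisory's list, and the full list drops in unchanged.

```python
"""Offline IOC sweep for the UAT-9244 indicators published above.

Added example for this page; it is not Gurucul's TDIR query language and not
Talos tooling. The log format and the sample events are constructed.
"""
from __future__ import annotations

import ipaddress

# Domains and the 24 unique IP addresses from the advisory's IOC list.
UAT9244_DOMAINS = {"xtibh.com", "xcit76.com", "bloopencil.net"}
UAT9244_IPS = {
    "154.205.154.82", "207.148.121.95", "207.148.120.52", "212.11.64.105",
    "149.28.25.33", "154.205.154.194", "154.205.154.65", "154.205.154.70",
    "154.223.21.130", "154.223.21.194", "158.247.238.240", "216.238.112.222",
    "216.238.123.242", "216.238.94.37", "38.54.125.134", "38.60.199.34",
    "45.32.106.94", "45.77.34.194", "45.77.41.141", "47.76.100.159",
    "64.190.113.170", "64.95.10.253", "185.196.10.247", "185.196.10.38",
}
# Subset of the advisory's SHA256 list (extend with the rest as published).
# Lowercased on load: one published value starts with an uppercase 'A', and a
# case-sensitive comparison against a lowercase SIEM field would miss it.
UAT9244_SHA256 = {h.lower() for h in (
    "711d9427ee43bc2186b9124f31cba2db5f54ec9a0d56dc2948e1a4377bada289",
    "3c098a687947938e36ab34b9f09a11ebd82d50089cbfe6e237d810faa729f8ff",
    "A5e413456ce9fc60bb44d442b72546e9e4118a61894fbe4b5c56e4dfad6055e3",
    "06b23d84fd7afd525dfd7860ebd561dcdd72ccbeb51981d5d9a75acf068d0a2a",
)}


def domain_matches(host: str) -> str | None:
    """Return the IOC domain that host equals or is a subdomain of, else None.

    Suffix match on a label boundary: 'cdn.xtibh.com' hits, but
    'xtibh.com.lookalike.example' does not (a plain substring test would).
    """
    host = host.rstrip(".").lower()
    for ioc in UAT9244_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def ip_matches(addr: str) -> bool:
    """True if addr parses as an IP address and is in the IOC set."""
    try:
        return str(ipaddress.ip_address(addr.strip())) in UAT9244_IPS
    except ValueError:
        return False


def hash_matches(digest: str) -> bool:
    """Case-insensitive SHA256 lookup."""
    return digest.strip().lower() in UAT9244_SHA256


# Constructed sample events in a simple key=value format (not a real log source).
# Hostnames, the internal 10.20.x.x addresses and the look-alike query are made up.
SAMPLE_EVENTS = [
    "type=dns host=ws-0042 query=cdn.xtibh.com.",
    "type=netflow src=10.20.1.15 dst=45.77.41.141 dport=443",
    "type=netflow src=10.20.1.15 dst=8.8.8.8 dport=53",
    "type=file host=srv-db-01 sha256=A5E413456CE9FC60BB44D442B72546E9E4118A61894FBE4B5C56E4DFAD6055E3",
    "type=dns host=ws-0007 query=xtibh.com.lookalike.example",
    "type=netflow src=154.205.154.82 dst=10.20.5.2 dport=22",
]


def sweep(events: list[str]) -> list[tuple[str, str, str]]:
    """Return (indicator_type, indicator, raw_event) for every event that hits."""
    hits = []
    for line in events:
        ev = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        kind = ev.get("type")
        if kind == "dns":
            ioc = domain_matches(ev.get("query", ""))
            if ioc:
                hits.append(("domain", ioc, line))
        elif kind == "netflow":
            # Check both directions: C2 egress and inbound scanning from the proxy nodes.
            for field in ("src", "dst"):
                if ip_matches(ev.get(field, "")):
                    hits.append(("ip", ev[field], line))
        elif kind == "file" and hash_matches(ev.get("sha256", "")):
            hits.append(("sha256", ev["sha256"].lower(), line))
    return hits


if __name__ == "__main__":
    for kind, ioc, raw in sweep(SAMPLE_EVENTS):
        print(f"[{kind}] {ioc} <- {raw}")
```

Running the block reports four hits: the subdomain DNS query, the outbound flow to 45.77.41.141, the uppercase file hash, and the inbound SSH connection from 154.205.154.82; the look-alike hostname and the 8.8.8.8 flow are correctly ignored.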

    Reference:

    https://blog.talosintelligence.com/uat-9244/


    Tags

    Malware, Threat Actor, China-Nexus, APT, South America, Communications, Backdoor
