China's UAT-9244 Hit South American Telecoms With Three Custom Tools. Here Are 208 IPs.
- Patrick Duggan
- 14 minutes ago
Everyone is writing about Salt Typhoon. Volt Typhoon. Silk Typhoon. The Typhoon family hits American infrastructure and gets Congressional testimony and front-page coverage.
UAT-9244 hit telecom providers across South America with three custom malware families, 208 confirmed C2 IPs, and the kind of operational patience that suggests long-term presence — not smash-and-grab. It got a Cisco Talos report and then mostly silence.
I want to fix that.
UAT-9244 deployed three purpose-built implants against South American telecommunications providers. None of these are commodity malware. They are custom-developed tools, which means a threat actor with significant resources dedicated specific engineering effort to this campaign.
TernDoor is the initial access implant, the tool that establishes the first foothold inside a telecom network. If the name is a guide to how it operates, it presents as legitimate traffic from the outside while holding a door open on the inside.
PeerTime handles lateral movement and persistence. The "peer" naming convention suggests it uses peer-to-peer or decentralized communication patterns to avoid centralized C2 detection — a technique we've seen UNC3886 use in the Singapore telecom campaign as well.
BruteEntry is the credential harvesting component. Telecoms hold authentication infrastructure for millions of subscribers. BruteEntry isn't there to steal one set of credentials. It's there to systematically harvest operator-level access.
208 IPs are attributed to UAT-9244 in our OTX pulse feed. Five of the confirmed C2 nodes:
- 154.205.154.82 (UAT-9244 C2, indexed)
- 207.148.121.95 (UAT-9244 C2, indexed)
- 207.148.120.52 (UAT-9244 C2, indexed)
- 212.11.64.105 (UAT-9244 C2, indexed)
- 185.196.10.247 (UAT-9244 C2, indexed)
All 208 are in our STIX feed. The infrastructure is spread across multiple ASNs with no concentration in any single hosting provider, which is consistent with a well-resourced, state-aligned actor deliberately diversifying across bulletproof hosts to complicate takedowns.
The Typhoon clusters get coverage because they target the US. UAT-9244 targets South America and gets treated as a regional problem.
That framing is wrong.
South American telecom infrastructure routes significant US-bound traffic. The same fiber paths that carry enterprise communications between US companies and their Latin American operations, the same submarine cable landing stations, the same IXPs that peer with North American networks — UAT-9244 is sitting inside systems that have line of sight to traffic that matters to US organizations.
This is the same logic that made Salt Typhoon's telecom intrusions alarming: not just the direct access, but the upstream position. UAT-9244 has that upstream position in a geography that doesn't get the same defensive scrutiny.
Two months ago, Mandiant documented UNC3886 — Operation CYBER GUARDIAN — hitting all four major Singapore telecom operators simultaneously. TinyShell. Reptile rootkit. GOBRAT. Zero-days. The same playbook: get into telecom, get persistence, use the telecom's own infrastructure as an ORB network for further operations.
UAT-9244 is running the same playbook in a different theater. TernDoor instead of TinyShell. PeerTime instead of Reptile. Different tools, same objective: persistent access inside telecom infrastructure that provides long-term intelligence collection and, if needed, disruption capability.
China is running a coherent global telecom access strategy. The theater names change. The objective doesn't.
I've watched UAT-9244 get one news cycle. The Typhoon clusters get sustained coverage because they target infrastructure that Western journalists and policymakers live on. South American telecom doesn't have the same constituency.
That asymmetry in coverage creates an asymmetry in defense. Organizations that don't see a threat in the headlines don't budget for it. South American telecom providers defending against UAT-9244 are doing it with less visibility, less vendor attention, and less government pressure on the attacker.
208 IPs. Three custom tools. Persistent access inside telecom infrastructure that touches traffic you care about.
The full IOC set is in our STIX feed at analytics.dugganusa.com. If you're a telecom provider in Brazil, Argentina, Chile, Colombia, or Peru and you want to cross-reference your infrastructure — the feed is free and the data is there.
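For anyone who wants to do the cross-reference above without waiting on a vendor, here is an added example (my own code, not part of the feed or this post) that loads a STIX 2.1 indicator bundle, pulls the ipv4-addr patterns out of it, and sweeps firewall or flow logs for any src/dst that falls inside an indicator. The bundle below is constructed inline from the five C2 IPs quoted earlier; the log lines are constructed too. That the real feed is a standard STIX 2.1 bundle of indicator objects with single ipv4-addr patterns is an assumption; if the download differs, only the pattern regex needs adjusting.

```python
import json
import re
from ipaddress import ip_address, ip_network

# Constructed STIX 2.1 bundle built from the five C2 IPs the post quotes.
# The real feed's schema is an assumption: standard STIX 2.1 indicator
# objects whose pattern is a single ipv4-addr comparison.
C2_IPS = ["154.205.154.82", "207.148.121.95", "207.148.120.52",
          "212.11.64.105", "185.196.10.247"]

STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f7e6a3c-2b1d-4c8e-9f10-000000000000",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--0f7e6a3c-2b1d-4c8e-9f10-%012d" % n,
            "name": "UAT-9244 C2",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '%s']" % ip,
            "valid_from": "2025-01-01T00:00:00Z",
        }
        for n, ip in enumerate(C2_IPS, start=1)
    ],
})

# Single ipv4-addr comparison; the value may be a bare IP or a CIDR block.
PATTERN_RE = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")

# Constructed key=value firewall/flow log lines, not real telemetry.
LOG_LINES = [
    "2025-03-02T10:15:01Z fw01 action=allow src=10.20.30.40 dst=207.148.121.95 dport=443 proto=tcp",
    "2025-03-02T10:15:02Z fw01 action=allow src=10.20.30.41 dst=93.184.216.34 dport=443 proto=tcp",
    "2025-03-02T10:16:10Z fw01 action=allow src=185.196.10.247 dst=10.20.30.5 dport=22 proto=tcp",
    "2025-03-02T10:17:00Z fw01 action=deny src=10.20.30.42 dst=212.11.64.105 dport=8443 proto=tcp",
]

FIELD_RE = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def load_indicators(bundle_json):
    """Return [(network, indicator_id, name)] from a STIX 2.1 bundle.

    Only non-revoked indicators with a single ipv4-addr pattern are used;
    anything more complex is skipped rather than half-parsed.
    """
    out = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if not m:
            continue
        # strict=False lets a bare IP become a /32 and tolerates host bits in CIDRs.
        out.append((ip_network(m.group(1), strict=False), obj["id"], obj.get("name", "")))
    return out


def match_logs(lines, indicators):
    """Return hits as (line_number, field, ip, indicator_name).

    Both src and dst are checked: an inbound session from a C2 address and an
    outbound (even denied) attempt to reach one are both worth a ticket.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for field, raw in FIELD_RE.findall(line):
            try:
                addr = ip_address(raw)
            except ValueError:
                continue  # malformed octet, e.g. 999.1.1.1
            for net, _ind_id, name in indicators:
                if addr in net:
                    hits.append((lineno, field, raw, name))
    return hits


if __name__ == "__main__":
    inds = load_indicators(STIX_BUNDLE)
    for hit in match_logs(LOG_LINES, inds):
        print("line %d: %s=%s matches %s" % hit)
```

Note that the denied outbound connection on the last sample line is still reported: a blocked attempt to reach a C2 node tells you which internal host is already talking to the actor, which is the lead that matters. Also treat any hit as a lead rather than a confirmation; C2 addresses on shared or bulletproof hosting get recycled, so check the indicator's valid_from against the log timestamp before escalating.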
