China-Linked UAT-9244 Targets Telecoms with New Malware and ORB Nodes
Summary
China-nexus threat actor UAT-9244 has been targeting telecommunications providers in South America since at least 2024. The group conducts extensive reconnaissance before deploying malware families like TernDoor, PeerTime, and BruteEntry. UAT-9244 also establishes Operational Relay Box (ORB) nodes, which other China-nexus actors may use, indicating a dual role in espionage and initial access provision. The group uses a mix of open-source malware, custom tooling, and 1-day vulnerabilities in edge networking products. Recent activity shows overlaps with FamousSparrow and Tropic Trooper, suggesting a broader China-linked operation. UAT-9244 has been active since at least November 2024, deploying TernDoor through DLL side-loading, PeerTime using BitTorrent for C2 communications, and BruteEntry to build proxy infrastructure (ORBs).
Timeline
- 06.03.2026 01:19 (2 articles): UAT-9244 Targets Telecoms in South America with New Malware
Since 2024, UAT-9244 has been targeting telecommunication service providers in South America. The group uses malware families such as TernDoor, PeerTime, and BruteEntry. TernDoor is a Windows backdoor deployed through DLL side-loading, PeerTime is a Linux backdoor that uses BitTorrent for C2 communications, and BruteEntry is a brute-force scanner that builds proxy infrastructure (ORBs). The group is closely associated with the FamousSparrow and Tropic Trooper hacker groups and has been active since at least November 2024.
Sources:
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- 08.01.2026 16:54 (3 articles): UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes
Since 2022, UAT-7290 has been targeting telecommunications providers in South Asia and Southeastern Europe. The group conducts extensive reconnaissance before deploying malware families like RushDrop, DriveSwitch, SilentRaid, and Bulbature. They also establish ORB nodes used by other China-nexus actors, indicating a dual role in espionage and initial access provision. The group uses a mix of open-source malware, custom tooling, and 1-day vulnerabilities in edge networking products. Recent activity shows overlaps with RedLeaves, ShadowPad, and RedFoxtrot, suggesting a broader China-linked operation.
Sources:
- China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes — thehackernews.com — 08.01.2026 16:54
- China-Linked UAT-7290 Targets Telecom Networks in South Asia — www.infosecurity-magazine.com — 08.01.2026 18:00
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
Information Snippets
- UAT-7290 targets telecommunications providers in South Asia and Southeastern Europe.
  First reported: 08.01.2026 16:54 (3 sources, 3 articles). Sources:
- China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes — thehackernews.com — 08.01.2026 16:54
- China-Linked UAT-7290 Targets Telecom Networks in South Asia — www.infosecurity-magazine.com — 08.01.2026 18:00
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- The group has been active since at least 2022.
  First reported: 08.01.2026 16:54 (2 sources, 2 articles). Sources:
- China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes — thehackernews.com — 08.01.2026 16:54
- China-Linked UAT-7290 Targets Telecom Networks in South Asia — www.infosecurity-magazine.com — 08.01.2026 18:00
- UAT-7290 deploys malware families including RushDrop, DriveSwitch, and SilentRaid.
  First reported: 08.01.2026 16:54 (2 sources, 2 articles). Sources:
- China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes — thehackernews.com — 08.01.2026 16:54
- China-Linked UAT-7290 Targets Telecom Networks in South Asia — www.infosecurity-magazine.com — 08.01.2026 18:00
- The group establishes ORB nodes used by other China-nexus actors.
  First reported: 08.01.2026 16:54 (3 sources, 3 articles). Sources:
- China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes — thehackernews.com — 08.01.2026 16:54
- China-Linked UAT-7290 Targets Telecom Networks in South Asia — www.infosecurity-magazine.com — 08.01.2026 18:00
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- UAT-7290 uses a mix of open-source malware, custom tooling, and 1-day vulnerabilities.
  First reported: 08.01.2026 16:54 (3 sources, 3 articles). Sources:
- China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes — thehackernews.com — 08.01.2026 16:54
- China-Linked UAT-7290 Targets Telecom Networks in South Asia — www.infosecurity-magazine.com — 08.01.2026 18:00
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- The group leverages Windows implants like RedLeaves and ShadowPad.
  First reported: 08.01.2026 16:54 (2 sources, 2 articles). Sources:
- China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes — thehackernews.com — 08.01.2026 16:54
- China-Linked UAT-7290 Targets Telecom Networks in South Asia — www.infosecurity-magazine.com — 08.01.2026 18:00
- UAT-7290 shares tactical and infrastructure overlaps with Stone Panda and RedFoxtrot.
  First reported: 08.01.2026 16:54 (2 sources, 2 articles). Sources:
- China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes — thehackernews.com — 08.01.2026 16:54
- China-Linked UAT-7290 Targets Telecom Networks in South Asia — www.infosecurity-magazine.com — 08.01.2026 18:00
- UAT-7290 has expanded its targeting into Southeastern Europe in recent months.
  First reported: 08.01.2026 18:00 (1 source, 1 article). Sources:
- China-Linked UAT-7290 Targets Telecom Networks in South Asia — www.infosecurity-magazine.com — 08.01.2026 18:00
- The group uses a malware family called Bulbature to transform compromised devices into relay infrastructure.
  First reported: 08.01.2026 18:00 (2 sources, 2 articles). Sources:
- China-Linked UAT-7290 Targets Telecom Networks in South Asia — www.infosecurity-magazine.com — 08.01.2026 18:00
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- UAT-9244 has targeted telecommunication service providers in South America since 2024.
  First reported: 06.03.2026 01:19 (2 sources, 2 articles). Sources:
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- UAT-9244 is closely associated with the FamousSparrow and Tropic Trooper hacker groups.
  First reported: 06.03.2026 01:19 (2 sources, 2 articles). Sources:
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- UAT-9244 uses the TernDoor, PeerTime, and BruteEntry malware families.
  First reported: 06.03.2026 01:19 (2 sources, 2 articles). Sources:
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- TernDoor is a Windows backdoor deployed through DLL side-loading.
  First reported: 06.03.2026 01:19 (2 sources, 2 articles). Sources:
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- PeerTime is a Linux backdoor that uses BitTorrent for C2 communications.
  First reported: 06.03.2026 01:19 (2 sources, 2 articles). Sources:
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- BruteEntry is a brute-force scanner that builds proxy infrastructure (ORBs).
  First reported: 06.03.2026 01:19 (2 sources, 2 articles). Sources:
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- UAT-9244 targets Windows, Linux, and network-edge devices.
  First reported: 06.03.2026 01:19 (2 sources, 2 articles). Sources:
- Chinese state hackers target telcos with new malware toolkit — www.bleepingcomputer.com — 06.03.2026 01:19
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- UAT-9244 has been active since at least November 2024.
  First reported: 06.03.2026 10:22 (1 source, 1 article). Sources:
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- TernDoor is deployed through DLL side-loading, leveraging the legitimate executable "wsprint.exe" to launch a rogue DLL ("BugSplatRc64.dll") that decrypts and executes the final payload in memory.
  First reported: 06.03.2026 10:22 (1 source, 1 article). Sources:
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
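Detection logic for the side-loading pattern just described, written as an added example for this page (it is not code from the page's sources or from any vendor). It assumes image-load telemetry with Sysmon Event ID 7-style fields (Image, ImageLoaded, Signed); the records and directory paths below are constructed, and the hypothetical generic rule alongside the reported wsprint.exe/BugSplatRc64.dll pair flags any unsigned DLL loaded from a host binary's own non-system directory.

```python
from pathlib import PureWindowsPath

# Host executable and DLL pair reported for TernDoor on this page.
KNOWN_SIDELOAD_PAIRS = {("wsprint.exe", "bugsplatrc64.dll")}

# Directories a Windows or vendor DLL is normally loaded from (assumption: tune per estate).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed image-load records modelled on Sysmon Event ID 7 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Print\wsprint.exe",
     "ImageLoaded": r"C:\Users\Public\Print\BugSplatRc64.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
]


def is_trusted_dir(directory: str) -> bool:
    """True if the directory is, or sits under, a system or vendor install location."""
    d = directory.lower().rstrip("\\")
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def assess_image_load(event: dict) -> list:
    """Return the reasons an image-load event looks like DLL side-loading (empty if none)."""
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    reasons = []

    # 1. Exact host/DLL pair from the TernDoor reporting, wherever it sits on disk.
    pair = (host.name.lower(), dll.name.lower())
    if pair in KNOWN_SIDELOAD_PAIRS:
        reasons.append("known side-loading pair %s -> %s" % pair)

    # 2. Generic heuristic (hypothetical rule): an unsigned DLL loaded from the host's
    #    own directory, where that directory is not a system or vendor location.
    unsigned = event.get("Signed", "true").lower() != "true"
    if host.parent == dll.parent and unsigned and not is_trusted_dir(str(dll.parent)):
        reasons.append("unsigned DLL loaded from host's own untrusted directory " + str(dll.parent))
    return reasons


def scan_events(events) -> list:
    """Return (host, dll, reasons) for every event that triggers at least one reason."""
    hits = []
    for event in events:
        reasons = assess_image_load(event)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for host, dll, reasons in scan_events(SAMPLE_EVENTS):
        print(host, "->", dll)
        for reason in reasons:
            print("   ", reason)
```

The first constructed record trips both rules, the svchost.exe/kernel32.dll load trips neither, and the Temp-directory load is caught only by the generic rule, which is the one to keep tuned once the reported pair is renamed.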
- TernDoor establishes persistence on the host by means of a scheduled task or the Registry Run key.
  First reported: 06.03.2026 10:22 (1 source, 1 article). Sources:
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- TernDoor differs from CrowDoor in that it uses a disparate set of command codes and embeds a Windows driver to suspend, resume, and terminate processes.
  First reported: 06.03.2026 10:22 (1 source, 1 article). Sources:
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- TernDoor only supports one command-line switch ("-u"), which uninstalls it from the host and deletes all associated artifacts.
  First reported: 06.03.2026 10:22 (1 source, 1 article). Sources:
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- PeerTime is compiled for several architectures (ARM, AARCH, PPC, and MIPS) so as to infect a variety of embedded systems.
  First reported: 06.03.2026 10:22 (1 source, 1 article). Sources:
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- PeerTime comes in two flavors: one version written in C/C++ and a newer variant programmed in Rust.
  First reported: 06.03.2026 10:22 (1 source, 1 article). Sources:
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- PeerTime employs the BitTorrent protocol to fetch C2 information, download files from its peers, and execute them on the compromised system.
  First reported: 06.03.2026 10:22 (1 source, 1 article). Sources:
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- BruteEntry is installed on edge devices to turn them into mass-scanning proxy nodes within an Operational Relay Box (ORB) capable of brute-forcing Postgres, SSH, and Tomcat servers.
  First reported: 06.03.2026 10:22 (1 source, 1 article). Sources:
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
- BruteEntry is deployed by means of a shell script that drops two Golang-based components: an orchestrator and BruteEntry itself. The orchestrator delivers BruteEntry, which then contacts a C2 server to obtain the list of IP addresses to be targeted with brute-force attacks.
  First reported: 06.03.2026 10:22 (1 source, 1 article). Sources:
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks — thehackernews.com — 06.03.2026 10:22
Similar Happenings
China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking and Malware Delivery
Cybersecurity researchers have uncovered a China-linked adversary-in-the-middle (AitM) framework called DKnife, active since at least 2019. The framework targets routers and edge devices to perform deep packet inspection, manipulate traffic, and deliver malware. It primarily targets Chinese-speaking users by harvesting credentials and delivering malware via popular Chinese services and applications. DKnife comprises seven Linux-based implants that enable a wide range of malicious activities, including DNS hijacking, binary download hijacking, and real-time user activity monitoring. The framework is linked to the Earth Minotaur threat activity cluster and shares infrastructural connections with WizardNet, a Windows implant deployed by TheWizards APT group. DKnife's infrastructure overlaps with a campaign delivering WizardNet, suggesting a shared development or operational lineage. The framework uses a component called yitiji.bin to create a bridged TAP interface on the router at the private IP address 10.3.3.3, allowing the threat actor to intercept and rewrite network packets in transit to the intended host. Additionally, DKnife monitors WeChat activities more analytically, tracking voice and video calls, text messages, images sent and received, and articles read on the platform.
VoidLink Malware Framework Targets Cloud and Container Environments
VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware. A previously unknown threat actor tracked as UAT-9921 has been observed leveraging VoidLink in campaigns targeting the technology and financial services sectors. UAT-9921 has been active since 2019, although they have not necessarily used VoidLink over the duration of their activity. 
The threat actor uses compromised hosts to install the VoidLink command-and-control (C2) component, which is then used to launch scanning activities both internal and external to the network. VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan. VoidLink uses three different programming languages: ZigLang for the implant, C for the plugins, and GoLang for the backend. The framework supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The plugins allow for gathering information, lateral movement, and anti-forensics. VoidLink comes fitted with a wide range of stealth mechanisms to hinder analysis, prevent its removal from the infected hosts, and even detect endpoint detection and response (EDR) solutions and devise an evasion strategy on the fly. VoidLink has an auditability feature and a role-based access control (RBAC) mechanism, which consists of three role levels: SuperAdmin, Operator, and Viewer. There are signs that a main implant exists that has been compiled for Windows and can load plugins via a technique called DLL side-loading.
PlushDaemon Hijacks Software Updates in Supply-Chain Attacks
The China-linked threat actor PlushDaemon has been hijacking software update traffic using a new implant called EdgeStepper in cyberespionage operations since 2018. The group targets individuals and organizations in the U.S., China, Taiwan, Hong Kong, South Korea, New Zealand, and Cambodia, deploying custom malware like the SlowStepper backdoor. The attackers compromise routers via known vulnerabilities or weak passwords, install EdgeStepper to redirect update traffic, and deliver the LittleDaemon malware downloader. This leads to the deployment of the SlowStepper backdoor, which enables extensive system control and data theft. EdgeStepper is a Go-based network backdoor that redirects all DNS queries to a malicious hijacking node, facilitating adversary-in-the-middle (AitM) attacks. In May 2024, PlushDaemon targeted a South Korean VPN provider named IPany. The group uses an ELF file named bioset, internally called dns_cheat_v2, to forward DNS traffic to a malicious DNS node. They deploy two downloaders, LittleDaemon and DaemonLogistics, which deliver a backdoor toolkit for cyber espionage operations.
GlassWorm malware targets OpenVSX, VS Code registries
The GlassWorm malware campaign has resurfaced with a third wave, adding 24 new packages to OpenVSX and Microsoft Visual Studio Marketplace. The malware uses invisible Unicode characters to hide malicious code and targets GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet data. The campaign initially impacted 49 extensions, with an estimated 35,800 downloads, though this figure includes inflated numbers due to bots and visibility-boosting tactics. The Eclipse Foundation has revoked leaked tokens and introduced security measures, but the threat actors have pivoted to GitHub and now returned to OpenVSX with updated command-and-control endpoints. The malware's global reach includes systems in the United States, South America, Europe, Asia, and a government entity in the Middle East. Koi Security has accessed the attackers' server and shared victim data with law enforcement. The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework named RedExt as part of their infrastructure. The third wave of GlassWorm uses Rust-based implants packaged inside the extensions and targets popular tools and developer frameworks like Flutter, Vim, Yaml, Tailwind, Svelte, React Native, and Vue. Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool.
The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space. The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. 
According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords.
Phantom Taurus Targets Government and Telecommunications Organizations
Government and telecommunications organizations in Africa, the Middle East, and Asia have been targeted by a China-aligned nation-state actor known as Phantom Taurus over the past two-and-a-half years. The group focuses on espionage, targeting ministries of foreign affairs, embassies, geopolitical events, and military operations. Phantom Taurus employs custom-developed tools and techniques, including a bespoke malware suite named NET-STAR, to maintain long-term intelligence collection and obtain confidential data from targets of strategic interest to China. The group's activities coincide with major global events and regional security affairs, demonstrating stealth, persistence, and adaptability in their tactics, techniques, and procedures (TTPs). Phantom Taurus has been observed using a .NET malware suite named NET-STAR to breach IIS web servers, which operates almost entirely in memory and includes a fileless backdoor that establishes encrypted command-and-control (C2) sessions. The suite includes a backdoor named IIServerCore that accepts commands and encoded .NET payloads, enabling arbitrary code execution on compromised systems. The suite also includes two AssemblyExecuter loaders (v1 and v2) that allow dynamic loading of additional .NET malware, with v2 featuring advanced evasion techniques such as AMSI and ETW bypass. The group uses custom SQL queries to search for specific tables and keywords on compromised systems, exporting all matching results. Additionally, Phantom Taurus's operational methods are supported by other custom malware, including TunnelSpecter and SweetSpecter, which are used for email exfiltration.