
Uncovering UAT-9244: Chinese State Hackers Weaponize Novel Malware Against South American Telcos

Security Arsenal Team
March 7, 2026

The telecommunications sector remains a primary target for state-sponsored espionage, and a new threat actor is aggressively expanding its footprint. Recent intelligence indicates that a China-linked Advanced Persistent Threat (APT), tracked as UAT-9244, has been actively conducting operations against telecommunication service providers in South America since early 2024.

Unlike campaigns that focus exclusively on Windows environments, UAT-9244 has deployed a sophisticated, multi-platform malware arsenal designed to compromise Windows servers, Linux systems, and critical network-edge devices. This convergence of IT and OT exploitation signals a worrying evolution in tradecraft, allowing adversaries to pivot deep into network cores with alarming stealth.

The Anatomy of the Threat

UAT-9244 represents a strategic shift toward "cross-pillar" compromise. By targeting both traditional endpoints (Windows/Linux) and the network perimeter (routers, firewalls, edge appliances), the group aims to bypass standard security controls that often leave network devices unmonitored.

Attack Vectors and TTPs

The threat actor demonstrates a high degree of operational security, utilizing custom-developed loaders and modular malware.

  • Initial Access: The group likely gains entry through exposed services on network-edge devices or through phishing campaigns targeting IT administrators. Once a foothold is established on the perimeter, they move laterally toward the internal telco network.
  • Multi-Platform Payloads: The malware toolkit includes variants compiled for both Windows (PE files) and Linux (ELF files). This dual compatibility allows the attackers to maintain persistence across heterogeneous environments typical of large ISPs.
  • Edge Device Manipulation: Perhaps the most concerning aspect is the focus on network-edge hardware. By compromising routers or access points, UAT-9244 can intercept traffic, hijack BGP sessions, or implant malicious firmware that survives standard re-imaging of servers.
  • C2 and Exfiltration: The malware establishes encrypted Command and Control (C2) channels designed to blend in with legitimate administrative traffic. This "living off the land" approach makes detection via simple signature-based methods nearly impossible.

Detection and Threat Hunting

To defend against UAT-9244, security teams must move beyond endpoint protection and implement visibility into Linux and network layers. Below are specific queries and scripts to help identify indicators of compromise (IoCs) associated with this campaign.

KQL Query for Microsoft Sentinel

This query looks for suspicious process execution patterns on Linux agents, specifically targeting the use of curl or wget for C2 beacons, which are common in this actor's Linux malware.

DeviceProcessEvents
| where Timestamp > ago(30d)
| where DeviceOSType =~ "Linux"
| where ProcessCommandLine has_any ("curl", "wget", "python", "perl") and ProcessCommandLine has_any ("http", "https", "ftp")
| where InitiatingProcessFileName !in~ ("apt", "yum", "dnf", "ua-client")
| extend URL = extract(@'https?://[a-zA-Z0-9\.\-]+', 0, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, URL
| summarize count() by DeviceName, URL, FileName
| where count_ < 5 // Filter for unique/low-prevalence connections
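As an added example that is not part of the original article, the Python below re-implements the query's row filters and low-prevalence counting over constructed process-start records, so the tuning (the benign-parent list, the threshold, the term matching) can be exercised offline against exported logs before the query is deployed in Sentinel. Every event, host name and address in it is constructed; the field names mirror the DeviceProcessEvents columns used above.

```python
"""Flag low-prevalence outbound fetches by Linux hosts from process-start records.

Hypothetical re-implementation of the Sentinel query's logic over constructed
events; field names follow the DeviceProcessEvents columns used in the query.
"""
import re
from collections import Counter

DOWNLOADERS = {"curl", "wget", "python", "perl"}
SCHEMES = {"http", "https", "ftp"}
# Parents whose network fetches are expected (package managers, Ubuntu Advantage client)
BENIGN_PARENTS = {"apt", "yum", "dnf", "ua-client"}
# Same pattern as the KQL extract(): scheme plus host only, so URL paths do not split counts
URL_RE = re.compile(r"https?://[a-zA-Z0-9.\-]+")
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+")


def terms(command_line):
    """Whole-term tokenisation, approximating KQL has_any (so 'python3' != 'python')."""
    return set(TOKEN_RE.findall(command_line.lower()))


def is_candidate(event):
    """Apply the query's row filters to one process-start record."""
    if event["DeviceOSType"].lower() != "linux":
        return False
    t = terms(event["ProcessCommandLine"])
    if not (t & DOWNLOADERS) or not (t & SCHEMES):
        return False
    return event["InitiatingProcessFileName"].lower() not in BENIGN_PARENTS


def extract_url(command_line):
    """Scheme + host, or '' when no http(s) URL is present (ftp is not captured)."""
    m = URL_RE.search(command_line)
    return m.group(0) if m else ""


def low_prevalence_fetches(events, max_count=5):
    """Return {(device, url, filename): count} for candidates seen fewer than max_count times."""
    counts = Counter()
    for ev in events:
        if is_candidate(ev):
            key = (ev["DeviceName"], extract_url(ev["ProcessCommandLine"]), ev["FileName"])
            counts[key] += 1
    return {key: n for key, n in counts.items() if n < max_count}


def event(os_type, device, filename, parent, cmdline):
    """Build one constructed record in the shape of a DeviceProcessEvents row."""
    return {"DeviceOSType": os_type, "DeviceName": device, "FileName": filename,
            "InitiatingProcessFileName": parent, "ProcessCommandLine": cmdline}


# Constructed sample events (not real telemetry); addresses are documentation ranges.
SAMPLE_EVENTS = [
    # One-off curl to an external address from an interactive shell: should surface
    event("Linux", "jump01", "curl", "bash",
          "curl -s https://203.0.113.10/health -o /tmp/.x"),
    # wget spawned by apt: excluded as expected package-manager traffic
    event("Linux", "jump01", "wget", "apt",
          "wget http://deb.debian.org/debian/pool/main/f/foo.deb"),
    # Perl fetch from a shell on a second host: should surface
    event("Linux", "jump02", "perl", "sh",
          "perl -e 'use LWP::Simple; getstore(\"http://198.51.100.7/u\", \"/tmp/u\")'"),
    # Same command on Windows: outside this query's scope
    event("Windows", "win01", "curl.exe", "cmd.exe",
          "curl https://203.0.113.10/health"),
] + [
    # Build agent fetching the same internal artifact six times: high prevalence, suppressed
    event("Linux", "build01", "curl", "jenkins",
          "curl -O https://artifacts.internal.example/pkg.tgz")
    for _ in range(6)
]


if __name__ == "__main__":
    for (device, url, tool), n in sorted(low_prevalence_fetches(SAMPLE_EVENTS).items()):
        print(f"{device:8} {tool:6} {url:28} seen {n}x")
```

Run against the constructed set, only the two one-off fetches from jump01 and jump02 surface; the repeated build-agent download and the apt-initiated wget are suppressed, which is the behaviour you want to confirm before raising or lowering the count threshold in production.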

PowerShell Script for Windows Persistence Check

This script hunts for unusual scheduled tasks or services that might be acting as persistence mechanisms for the Windows component of the toolkit.

# Get scheduled tasks that run with highest privileges as SYSTEM and are not authored by Microsoft.
# The Action column joins every action's executable and arguments so a task with several actions is not truncated.
Get-ScheduledTask | Where-Object {
    $_.Principal.RunLevel -eq 'Highest' -and
    $_.Principal.UserId -eq 'SYSTEM' -and
    $_.Author -notlike '*Microsoft*'
} | Select-Object TaskName, TaskPath, Author,
    @{Name='Action';Expression={($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '}}

# Check for running services whose binaries live outside the Windows directory.
# Service paths are frequently quoted and carry arguments, so strip the quotes before matching,
# otherwise every quoted path under C:\Windows is reported as non-standard.
Get-CimInstance Win32_Service | Where-Object {
    $path = $_.PathName -replace '"', ''
    $_.State -eq 'Running' -and
    $path -notlike "$env:SystemRoot\*" -and
    $path -notlike '%SystemRoot%\*'
} | Select-Object Name, DisplayName, PathName, StartMode

Bash Script for Linux Integrity Verification

Network-edge Linux devices often have static file systems. This script helps identify recently modified binaries in system directories, a potential sign of infection.

#!/bin/bash

# Find files modified in the last 7 days in critical system directories.
# mtime alone is weak evidence: an attacker with root can reset it (touch -r),
# so pair this with a hash baseline or package verification (debsums, rpm -V).
echo "Checking for recently modified binaries in /bin, /sbin, /usr/bin, /usr/sbin..."
find /bin /sbin /usr/bin /usr/sbin -type f -mtime -7 -ls

# List established TCP connections with the owning process (custom C2 commonly uses non-standard ports).
# ss replaces netstat on current distributions; fall back to netstat if it is absent.
# -p only resolves other users' processes when run as root.
echo "Checking established network connections..."
if command -v ss >/dev/null 2>&1; then
  ss -tnp state established
else
  netstat -tnp 2>/dev/null | grep ESTABLISHED | awk '{print $4, $5, $7}'
fi

# Look for suspicious cron jobs: every per-user crontab, then the system-wide locations
echo "Parsing user crontabs..."
while IFS=: read -r user _; do
  entries=$(crontab -u "$user" -l 2>/dev/null) || continue
  [ -n "$entries" ] && printf '# crontab for %s\n%s\n' "$user" "$entries"
done < /etc/passwd
echo "Listing system cron entries..."
ls -la /etc/cron.d /etc/cron.hourly /etc/cron.daily 2>/dev/null
cat /etc/crontab 2>/dev/null

Mitigation Strategies

Detecting UAT-9244 is only half the battle; robust mitigation requires hardening the attack surface across the entire infrastructure stack.

  1. Segment the Control Plane: Ensure that management interfaces for network-edge devices (routers, switches) are not accessible from the general corporate network or the public internet without strict access control lists (ACLs) and VPN requirements.
  2. Hardening Linux Endpoints: Many organizations deploy EDR on Windows but neglect Linux. Ensure your Linux infrastructure—especially jump servers and management nodes—is covered by an EDR solution capable of detecting ELF-based malware.
  3. Disable Unused Services: Audit network-edge devices for unnecessary services (e.g., Telnet, HTTP management interfaces). Replace them with SSHv2 and HTTPS where necessary, and enforce Public Key Infrastructure (PKI) authentication.
  4. Firmware Integrity Checks: Implement automated integrity checking for router and firewall firmware images. Attackers often modify firmware to maintain persistence that survives a simple OS reboot.
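Both the Linux integrity script above and the firmware-integrity point depend on knowing what a device's file system should contain. As an added example (not from the article or any vendor tool), the Python below builds a SHA-256 manifest of a binary directory and later diffs the live tree against it, reporting modified, added and removed files. Unlike an mtime sweep it catches a same-size replacement whose timestamp was reset. The demo runs on a constructed temporary tree; the directory layout, file names and file contents are assumptions.

```python
"""Hash-baseline integrity check for system binary directories (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(roots):
    """Map each regular file under the given roots to its SHA-256 digest (symlinks skipped)."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                if os.path.islink(p) or not os.path.isfile(p):
                    continue
                baseline[p] = sha256_file(p)
    return baseline


def verify(roots, baseline):
    """Diff the live tree against a stored baseline; returns sorted path lists per category."""
    current = build_baseline(roots)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a fake /usr/bin, tamper with it, verify.

    Returns basenames only so the result does not depend on the temp path.
    """
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "usr" / "bin"
        bindir.mkdir(parents=True)
        for name in ("ls", "ss", "ps"):
            (bindir / name).write_bytes(b"\x7fELF original " + name.encode())
        baseline = build_baseline([str(bindir)])
        assert verify([str(bindir)], baseline) == {"modified": [], "added": [], "removed": []}

        # Tamper: replace ls with a same-size file and copy the original timestamps back,
        # drop a hidden extra binary, delete ps
        original_stat = os.stat(bindir / "ls")
        (bindir / "ls").write_bytes(b"\x7fELF replaced ls")
        os.utime(bindir / "ls", ns=(original_stat.st_atime_ns, original_stat.st_mtime_ns))
        (bindir / ".cache").write_bytes(b"\x7fELF dropped implant")
        (bindir / "ps").unlink()

        result = verify([str(bindir)], baseline)
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:9} {names}")
```

Store the baseline off-box and sign it, because an attacker with root on the device can rewrite a manifest kept locally; for files that came from packages, debsums and rpm -V give a vendor-supplied baseline you do not have to generate yourself.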

Conclusion

The emergence of UAT-9244 highlights the blurring lines between IT, OT, and network security. For telecommunications providers, the assumption of compromise must be the baseline. By extending monitoring capabilities to the edge and actively hunting for cross-platform anomalies, SOC teams can stay ahead of this sophisticated adversary.
