Malware campaign targeting telecom networks reported by Cisco Talos researchers

Cisco Talos researchers have uncovered a multi-stage intrusion campaign targeting telecommunications infrastructure with newly identified malware tools. The campaign, active since 2024, focuses on telecom providers and the critical network systems that carry internet connectivity and digital communication services.

Investigators found that the attackers used multiple malware families working together to gain access to systems, maintain hidden control, and convert compromised devices into tools for further cyber intrusions. The operation targeted Windows systems, Linux servers, and network edge devices that play a key role in handling large volumes of data traffic within telecom environments.

Hidden Backdoor Malware Expands Network Access

One of the main components of the campaign is a newly discovered backdoor known as TernDoor. This malicious software appears to be related to an earlier strain called CrowDoor and is designed to secretly give attackers remote access to infected systems.

To deploy the malware, the attackers used a technique known as DLL side-loading. A legitimate, typically signed, executable loads a library by file name from its own directory, so an attacker who places a malicious DLL with the expected name next to it gets that code run under the trusted program's identity, without modifying the executable itself. In the observed attacks, the trusted executable wsprint.exe was used to load a malicious DLL named BugSplatRc64.dll.
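One way to hunt for this pattern in endpoint telemetry, as an added example for this article and not Cisco Talos tooling: Sysmon Event ID 7 records every DLL a process loads, together with whether the DLL is signed. The records below are constructed in the shape of those events; the file names wsprint.exe and BugSplatRc64.dll come from the article, while the directories and the rule thresholds are assumptions.

```python
"""Hunt for DLL side-loading in Sysmon image-load events (Event ID 7).

Added example for this article, not Cisco Talos tooling. The records below are
constructed in the shape of Sysmon Event ID 7 fields (Image, ImageLoaded,
Signed, SignatureStatus); the names wsprint.exe and BugSplatRc64.dll come from
the article, the directories are invented.
"""
from pathlib import PureWindowsPath

# Install roots where a signed vendor executable normally lives. A side-loaded
# copy is usually dropped somewhere user-writable instead (assumed list).
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed Sysmon Event ID 7 records (subset of fields).
EVENTS = [
    {"Image": r"C:\Program Files\Vendor\wsprint.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\PrintSvc\wsprint.exe",
     "ImageLoaded": r"C:\ProgramData\PrintSvc\BugSplatRc64.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def is_sideload_candidate(event: dict) -> bool:
    """True when a process loads an unsigned DLL from its own directory and that
    directory is outside the trusted install roots: the side-loading shape the
    article describes (wsprint.exe -> BugSplatRc64.dll)."""
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = str(image.parent).lower() == str(dll.parent).lower()
    unsigned = (event.get("Signed", "").lower() != "true"
                or event.get("SignatureStatus") != "Valid")
    return same_dir and unsigned and not _under_trusted_root(event["ImageLoaded"])


def find_sideloads(events):
    """Return the events that match the side-loading pattern."""
    return [e for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for e in find_sideloads(EVENTS):
        print(f"side-load candidate: {e['Image']} -> {e['ImageLoaded']}")
```

Only the second record is flagged: a copy of wsprint.exe running from ProgramData and loading an unsigned BugSplatRc64.dll from the same folder. The same executable loading kernel32.dll from System32 is normal, and a signed helper DLL in a temp directory does not match the unsigned test. In a real hunt the rule is a lead, not a verdict; checking the signer of the loading executable (Sysmon's Signature field) against the vendor expected in that path cuts the remaining noise.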


Once loaded, the malicious DLL decrypts a further hidden payload and launches it directly in memory. Running the payload in memory rather than writing it to disk leaves fewer artifacts for file-based antivirus and forensic tools to find.

After activation, the backdoor can collect system information, execute commands, create processes, and read or modify files. It also connects to a remote command-and-control server from which the attackers send instructions and control the infected machine.

Researchers also identified an encrypted Windows driver linked to the malware, called WSPrint.sys. This driver can suspend, resume, or terminate running processes. Because a driver runs in kernel mode, it can act on processes that ordinary user-mode malware could not touch, which could be used to interfere with monitoring tools or security software.

The malware persists across reboots through scheduled tasks and registry autorun entries that relaunch it when the device starts or when a user logs in.
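Both persistence locations can be reviewed offline from exported artifacts. The script below is an added example for this article, not the researchers' code: it reads a constructed `.reg` export of the current user's Run key and a constructed scheduled-task XML definition, extracts the launch path from each, and flags anything outside the standard install roots or matching a watched file name. The PrintSvc name, the ProgramData path and the trusted-root list are assumptions; wsprint.exe is the file name the article reports.

```python
"""Review registry Run values and scheduled-task actions for suspicious launch
paths. Added example for this article, not Cisco Talos tooling. The .reg text
and task XML below are constructed; the PrintSvc name and the ProgramData path
are invented, wsprint.exe is the file name the article reports."""
import re
import xml.etree.ElementTree as ET

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WATCHED_NAMES = ("wsprint.exe",)        # file names worth flagging wherever they run
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed output of: reg export HKCU\...\CurrentVersion\Run run.reg
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"PrintSvc"="C:\\ProgramData\\PrintSvc\\wsprint.exe"
"""

# Constructed scheduled-task definition (XML declaration omitted; real task
# files are UTF-16 and should be read with encoding="utf-16").
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\PrintSvc</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\ProgramData\\PrintSvc\\wsprint.exe</Command>
      <Arguments>-svc</Arguments>
    </Exec>
  </Actions>
</Task>"""

_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def _unescape_reg(value: str) -> str:
    # .reg files escape quotes as \" and backslashes as \\
    return value.replace('\\"', '"').replace("\\\\", "\\")


def _command_path(cmdline: str) -> str:
    """Executable path from a command line: the quoted token, else the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ")[0]


def registry_run_entries(reg_text: str):
    """(value name, executable path) for each string value in the export."""
    entries = []
    for line in reg_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            entries.append((m["name"], _command_path(_unescape_reg(m["value"]))))
    return entries


def task_exec_entries(task_xml: str):
    """(task URI, command) for each Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=TASK_NS)
    return [(uri, ex.findtext("t:Command", default="", namespaces=TASK_NS).strip())
            for ex in root.findall(".//t:Exec", TASK_NS)]


def is_suspicious(path: str) -> bool:
    p = path.lower()
    watched = p.rsplit("\\", 1)[-1] in WATCHED_NAMES
    return watched or not any(p.startswith(root) for root in TRUSTED_ROOTS)


def suspicious_autoruns(reg_text: str, task_xml: str):
    """Autorun entries whose launch path is outside the trusted roots or watched."""
    entries = registry_run_entries(reg_text) + task_exec_entries(task_xml)
    return [(src, path) for src, path in entries if is_suspicious(path)]


if __name__ == "__main__":
    for src, path in suspicious_autoruns(REG_EXPORT, TASK_XML):
        print(f"suspicious autorun {src!r}: {path}")
```

The OneDrive value is ignored because it launches from Program Files, while both the Run value and the logon-triggered task that point at wsprint.exe under ProgramData are reported. Extending this to the HKLM Run and RunOnce keys and to every file under the Tasks folder is a matter of feeding more exports through the same two parsers.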

Peer-to-Peer Backdoor Targets Linux and Embedded Devices

Alongside TernDoor, researchers discovered another backdoor called PeerTime. This tool is designed to operate primarily on Linux systems and embedded devices commonly used within telecom infrastructure.

PeerTime differs from many traditional malware tools because it uses the BitTorrent protocol for communication. Instead of relying on a central command server, the malware exchanges instructions through peer-to-peer connections between infected systems.

This decentralized communication method can make the malware more resilient and difficult to track. If one node in the network is removed, others may continue operating and sharing commands.
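Anyone triaging PeerTime traffic has to read the BitTorrent wire encoding, bencode, which carries tracker responses, DHT messages and metadata. The decoder below is an added example for this article, not PeerTime's code; that PeerTime's messages look like the DHT "ping" query used as sample input here is an assumption, since the article only says the malware uses the BitTorrent protocol. The sample bytes follow the ping query shape documented in BEP 5 with an invented node ID.

```python
"""Minimal bencode decoder for inspecting BitTorrent-style peer traffic.

Added example for this article, not PeerTime's code. Bencode has four types:
integers i<n>e, byte strings <len>:<bytes>, lists l...e and dicts d...e with
byte-string keys. SAMPLE_PING is a constructed DHT 'ping' query in the
shape documented in BEP 5; the 20-byte node id is invented.
"""

SAMPLE_PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"


def decode(data: bytes):
    """Decode one complete bencoded value; reject trailing or truncated input."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError(f"trailing bytes after bencoded value at offset {end}")
    return value


def _decode(data: bytes, i: int):
    c = data[i:i + 1]
    if c == b"i":                               # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                               # list: l<items>e
        i += 1
        items = []
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                               # dict: d<key><value>...e
        i += 1
        out = {}
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            if not isinstance(key, bytes):
                raise ValueError(f"non-string dict key at offset {i}")
            val, i = _decode(data, i)
            out[key] = val
        return out, i + 1
    if c.isdigit():                             # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        start = colon + 1
        if start + n > len(data):
            raise ValueError("truncated byte string")
        return data[start:start + n], start + n
    # Empty slice (input exhausted) or any other byte lands here.
    raise ValueError(f"bad bencode at offset {i}")


def is_valid(data: bytes) -> bool:
    try:
        decode(data)
        return True
    except ValueError:
        return False


def summarize_krpc(raw: bytes) -> str:
    """One-line summary of a DHT (KRPC) message: y=q query, y=r response, y=e error."""
    msg = decode(raw)
    kind = msg.get(b"y")
    if kind == b"q":
        return f"query {msg[b'q'].decode()} from node {msg[b'a'][b'id'].hex()}"
    if kind == b"r":
        return "response"
    if kind == b"e":
        return f"error {msg[b'e']}"
    return "unknown"


if __name__ == "__main__":
    print(summarize_krpc(SAMPLE_PING))
```

The decoder deliberately raises on truncated input rather than looping: the list and dict loops stop on a missing terminator only because the inner call fails on an empty slice. When carving messages out of a capture, the strict trailing-bytes check in decode is what tells you where one message ends and the next begins.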


Another notable feature of PeerTime is that it is built for several CPU architectures. This lets the malware run on the different hardware found in devices that handle network routing, switching, or traffic control.

Researchers also observed debugging messages written in Simplified Chinese within the malware code. These technical indicators suggest that Chinese-speaking operators may have developed or deployed the tools used in the campaign.

BruteEntry Converts Compromised Devices into Attack Platforms

The third tool used in the campaign is called BruteEntry, which plays a different role from the other malware families. While the backdoors focus on gaining and maintaining access, BruteEntry turns infected machines into active attack systems.

BruteEntry is written in the Go programming language and functions as a brute-force scanning tool. It is typically deployed on network edge devices that connect telecom networks to external internet infrastructure.

Once installed, the malware transforms the infected device into what researchers describe as an Operational Relay Box, or ORB. These ORBs act as proxy nodes that attackers can use to conduct scanning and password-guessing attacks against other systems.

After registering with a command server, the malware receives target lists consisting of IP addresses and the services to attack. It then attempts to log in to those services using hard-coded username and password combinations.

The services targeted by the malware include commonly used platforms such as SSH servers, PostgreSQL databases, and Apache Tomcat systems. When successful logins occur, the malware reports the results back to the command infrastructure.
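From the receiving side, this activity shows up as a burst of failed logins from one source across several account names, sometimes followed by a success. The detection below is an added example for this article, not the researchers' code: it parses constructed OpenSSH sshd authentication lines, counts failures and distinct usernames per source address, and records a password-based success that follows the failures, which is exactly the result the malware would report home. The log lines, addresses and the threshold of three failures are constructed assumptions.

```python
"""Flag password-guessing sources in sshd auth log lines.

Added example for this article, not Cisco Talos tooling. The log lines below
are constructed in the format OpenSSH writes to auth.log; the hosts, addresses
(documentation ranges) and threshold are invented.
"""
import re
from collections import defaultdict

# Constructed sample: one source guesses four accounts then lands root; a
# second source fails once and then logs in with a key, which is benign.
LOG = """\
Mar  3 10:01:02 edge1 sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:03 edge1 sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Mar  3 10:01:04 edge1 sshd[2215]: Failed password for invalid user postgres from 198.51.100.7 port 51026 ssh2
Mar  3 10:01:05 edge1 sshd[2217]: Failed password for invalid user tomcat from 198.51.100.7 port 51028 ssh2
Mar  3 10:01:07 edge1 sshd[2219]: Accepted password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:02:11 edge1 sshd[2240]: Failed password for alice from 203.0.113.9 port 40110 ssh2
Mar  3 10:02:15 edge1 sshd[2242]: Accepted publickey for alice from 203.0.113.9 port 40112 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_lines(text: str):
    """Extract result, auth method, user and source IP from each sshd auth line."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def flagged_sources(text: str, threshold: int = 3):
    """Sources with >= threshold failures across >= 2 usernames, or a password
    login that succeeded after reaching the failure threshold."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_user": None})
    for ev in parse_auth_lines(text):
        s = stats[ev["ip"]]
        if ev["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(ev["user"])
        elif (ev["method"] == "password" and s["failures"] >= threshold
              and s["success_user"] is None):
            s["success_user"] = ev["user"]      # guessed credential worked

    flagged = []
    for ip, s in stats.items():
        guessing = s["failures"] >= threshold and len(s["users"]) >= 2
        if guessing or s["success_user"]:
            flagged.append({"ip": ip, "failures": s["failures"],
                            "distinct_users": len(s["users"]),
                            "success_user": s["success_user"]})
    return sorted(flagged, key=lambda r: r["ip"])


if __name__ == "__main__":
    for r in flagged_sources(LOG):
        print(f"{r['ip']}: {r['failures']} failures over {r['distinct_users']} users,"
              f" success as {r['success_user']}")
```

Only 198.51.100.7 is reported, with four failures over four usernames and a successful password login as root. The key-based login from 203.0.113.9 is not counted as a success because a guessed password cannot produce it. PostgreSQL and Tomcat write their own authentication failures in different formats (and PostgreSQL only includes the client address when log_line_prefix is configured to), so each needs its own regular expression feeding the same per-source counters.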


This approach allows attackers to use compromised telecom equipment as launching points for additional cyber activity. By distributing attacks across many infected machines, the operation can hide the original source of the activity and expand its reach across different networks.

Security analysts also noted similarities between this campaign and techniques previously associated with other known cyber espionage groups. However, researchers stated that no confirmed connection has yet been established with certain other widely discussed threat operations.
