Severity: critical | Category: APT
Investigated: March 8, 2026 | Published: March 8, 2026

TernDoor Unpacked: Cracking a Chinese APT's Multi-Layer Backdoor Targeting South American Telecom

Threat Actors: UAT-9244
Tags: apt, terndoor, peertime, bruteentry, dll-sideloading, c2, brute-force

Published: 2026-03-08 | Author: BGI | Classification: TLP:CLEAR

TL;DR

UAT-9244, a China-nexus APT overlapping with FamousSparrow and Tropic Trooper, is actively targeting South American telecommunications providers with three custom malware families. We fully reversed the TernDoor Windows backdoor -- cracking its six-layer unpacking chain, decoding its ADD-XOR-SUB string obfuscation algorithm, extracting hardcoded C2 beacon paths with authentication tokens, and confirming three C2 servers remain live as of March 8, 2026. The campaign also deploys PeerTime (a Linux backdoor using BitTorrent for C2) and BruteEntry (a Go-based brute forcer that converts compromised infrastructure into Operational Relay Boxes).


Campaign Overview

Cisco Talos disclosed UAT-9244 on March 5, 2026, attributing the activity to a cluster overlapping with FamousSparrow (ESET) and Tropic Trooper/KeyBoy/Pirate Panda. The group has been active against South American telecom since at least mid-2024, deploying a three-pronged toolkit:

Malware    | Platform               | Purpose                                                  | C2 Protocol
TernDoor   | Windows PE64           | Full-featured backdoor (variant of CrowDoor/SparrowDoor) | HTTPS with custom TLS 1.3
PeerTime   | Linux ELF (multi-arch) | Persistent backdoor                                      | BitTorrent P2P
BruteEntry | Linux ELF (Go)         | Brute force scanner, builds ORB infrastructure           | HTTP/JSON REST API

All four MalwareBazaar samples (uploaded by smica83 on March 7, 2026) were analyzed. This writeup focuses on original findings from deep static analysis of TernDoor that go beyond the Talos report.


TernDoor: Six-Layer Unpacking Chain

The delivery package arrives as rar.zip containing three files that execute via DLL sideloading:

File             | SHA256                    | Purpose
WSPrint.exe      | e49ea6317ca5569a...ea1b2  | Legitimate BugSplat crash reporter (v3.6.0.8, compiled 2020-08-05)
BugSplatRc64.dll | 3c098a687947938e...29f8ff | Malicious loader (compiled 2024-04-23)
WSPrint.dll      | a5e413456ce9fc60...6055e3 | Encrypted payload (654 KB, entropy 7.9997)

When WSPrint.exe launches, it loads BugSplatRc64.dll via sideload. The loader resolves APIs through hash lookups (constants 0x62E12ADD, 0x8B0C2DEE, 0x0F0AA921, etc.), constructs the path to WSPrint.dll by replacing its own extension, then decrypts the payload through six distinct layers:

WSPrint.dll (654,119 bytes, entropy 8.00)
  |
  +-- Layer 1: RC4 (key: "qwiozpVngruhg123")
  |     Output: position-independent shellcode (NOP; CALL entry)
  |
  +-- Layer 2: Shellcode header parse
  |     counter_init = 0x3562F082
  |     decomp_size  = 0xEF800 (980,992 bytes)
  |     comp_size    = 0x9F3F5 (652,277 bytes)
  |
  +-- Layer 3: Inline SUB-XOR-ADD transform (self-inverse)
  |     for each byte: byte = ((byte - (counter & 0xFF)) ^ (counter & 0xFF)) + (counter & 0xFF)
  |
  +-- Layer 4: LZNT1 decompression
  |     RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1)
  |     240 chunks -> 980,992 byte PE image
  |
  +-- Layer 5: MZ/PE header restoration
  |     MZ signature and PE signature zeroed (anti-analysis)
  |     e_lfanew at 0x3C intact (value: 0x108)
  |
  +-- Layer 6: Reflective PE loading
        PEB-walk API resolution via ROR-12 + ADD hashing
        Section mapping, base relocation (HIGHLOW + DIR64), import resolution
        Jump to entry point 0x88844

RC4 Key Schedule (from BugSplatRc64.dll)

The RC4 key is loaded via SSE at RVA 0x133E:

movups xmm0, [rip + 0x1327b]   ; "qwiozpVngruhg123" (16 bytes)
movaps [rsp + 0x660], xmm0     ; store key on stack

Standard KSA permutes a 256-byte S-box using key[i & 0xF], followed by PRGA with the core decryption at RVA 0x1474:

xor byte ptr [r10], cl          ; RC4 keystream XOR

After decryption, call rbp at RVA 0x1482 transfers execution to the shellcode.
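As an added example (not the loader's code, nor Talos's), the following Python re-implements three of the unpacking steps described above: the Layer 1 RC4 decryption with the key qwiozpVngruhg123 and the key[i & 0xF] schedule, the Layer 3 per-byte SUB-XOR-ADD transform, and the Layer 5 MZ/PE signature restoration. The Layer 3 counter sequence is supplied by the caller because the page gives only its initial value, and the PE image used is constructed test data, not bytes from the sample.

```python
"""Added example: Python re-implementation of TernDoor unpacking Layers 1, 3 and 5.
Not code from the sample; the test inputs are constructed."""
import struct

RC4_KEY = b"qwiozpVngruhg123"      # Layer 1 key loaded via SSE in BugSplatRc64.dll
COUNTER_INIT = 0x3562F082          # Layer 3 counter seed from the shellcode header


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). With the loader's 16-byte key, key[i % len(key)]
    is the same key[i & 0xF] lookup seen in the loader's KSA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])   # the 'xor byte ptr [r10], cl' step
    return bytes(out)


def sub_xor_add(data: bytes, counters) -> bytes:
    """Layer 3: byte = ((byte - c) ^ c) + c with c = counter & 0xFF. The page does
    not state how the counter advances between bytes, so the caller passes the
    per-byte counter values. The transform is its own inverse."""
    out = bytearray()
    for b, ctr in zip(data, counters):
        c = ctr & 0xFF
        out.append(((((b - c) & 0xFF) ^ c) + c) & 0xFF)
    return bytes(out)


def restore_pe_headers(image: bytearray) -> bytearray:
    """Layer 5: the decompressed image has 'MZ' and 'PE\\0\\0' zeroed but e_lfanew
    at 0x3C intact (0x108 in the sample). Write the signatures back."""
    if len(image) < 0x40:
        raise ValueError("too small for a DOS header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(image):
        raise ValueError(f"e_lfanew 0x{e_lfanew:x} out of range")
    image[0:2] = b"MZ"
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return image


def make_stripped_image(e_lfanew: int = 0x108, size: int = 0x200) -> bytearray:
    """Constructed stand-in for a Layer 4 output: zeroed signatures, valid e_lfanew."""
    img = bytearray(size)
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    return img


if __name__ == "__main__":
    img = restore_pe_headers(make_stripped_image())
    print(img[:2], img[0x108:0x10C])   # b'MZ' b'PE\x00\x00'
```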

Shellcode API Resolution (ROR-12 Hashing)

The shellcode at offset 0x9F407 walks the PEB to resolve five APIs:

Hash       | API
0x1DA0A3A1 | RtlDecompressBuffer
0x4717A7D0 | LoadLibraryA
0x8F592CA3 | VirtualAlloc
0xB01FF0A0 | GetProcAddress
0xD7656A4F | memcpy

Extracted Payload

The final TernDoor PE (SHA256: d6d960dcaa526d8d0d3e23592801c2c3d1b0e2df596dfcbab8392e846b716d38) is a 1.1 MB AMD64 GUI executable compiled 2024-05-06, importing 211 functions from 8 DLLs. This hash does not appear on MalwareBazaar -- only the encrypted wrapper is publicly available.


String Obfuscation Algorithm (Cracked)

TernDoor encrypts all sensitive strings -- HTTP paths, registry keys, WMI queries, pipe names -- using a custom ADD-XOR-SUB cipher. The algorithm was fully reversed:

decoded[i] = ((key[i % 16] + i) ^ (encoded[i] + key[i % 16])) - key[i % 16]

XOR key (ASCII strings): abg%bYCYHvnb%324 (16 bytes at .rdata+0x10528)

This is the second mutex abg%bYCYHvnb%3247v truncated to 16 bytes. The key in hex:

61 62 67 25 62 59 43 59 48 76 6e 62 25 33 32 34
a  b  g  %  b  Y  C  Y  H  v  n  b  %  3  2  4

XOR key (wide strings): kjobIUbb%8745hgUUa (at .rdata+0x164D0)

Used for UTF-16LE registry paths and filenames with the same ADD-XOR-SUB algorithm on wide characters.

Encoded strings are stored as 16-byte aligned blocks in .rdata at offsets 0x1BDC0-0x1C000, loaded onto the stack via movdqa xmm0, [rip+disp] instructions from potentially non-contiguous locations.
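Added example (not code from the sample): a Python decoder for the ASCII variant of the ADD-XOR-SUB cipher using the 16-byte key from .rdata+0x10528, plus a carver that walks a 16-byte-aligned region the way the strings are stored. Because the page reproduces no encoded bytes, the inverse (encoder) is included only to construct test vectors; the assumption that each string is NUL-terminated inside its aligned block is ours.

```python
"""Added example: decoder for TernDoor's ADD-XOR-SUB string cipher (ASCII variant).
Not code from the sample; the encoded sample region below is constructed."""

ASCII_KEY = b"abg%bYCYHvnb%324"   # 16 bytes at .rdata+0x10528 (second mutex, truncated)


def decode_string(encoded: bytes, key: bytes = ASCII_KEY) -> bytes:
    """decoded[i] = ((key[i % 16] + i) ^ (encoded[i] + key[i % 16])) - key[i % 16],
    all arithmetic modulo 256; i is the byte index within the string."""
    out = bytearray()
    for i, e in enumerate(encoded):
        k = key[i % len(key)]
        out.append(((((k + i) & 0xFF) ^ ((e + k) & 0xFF)) - k) & 0xFF)
    return bytes(out)


def encode_string(plain: bytes, key: bytes = ASCII_KEY) -> bytes:
    """Inverse of decode_string; used here only to build constructed test data."""
    out = bytearray()
    for i, d in enumerate(plain):
        k = key[i % len(key)]
        out.append(((((d + k) & 0xFF) ^ ((k + i) & 0xFF)) - k) & 0xFF)
    return bytes(out)


def decode_at(blob: bytes, off: int, key: bytes = ASCII_KEY, max_len: int = 256) -> bytes:
    """Decode the string starting at blob[off] up to its first decoded NUL.
    Assumption: strings are NUL-terminated inside their 16-byte-aligned blocks."""
    return decode_string(blob[off:off + max_len], key).split(b"\0", 1)[0]


def carve_strings(blob: bytes, key: bytes = ASCII_KEY):
    """Walk an .rdata slice (e.g. 0x1BDC0-0x1C000) at 16-byte alignment and return
    (offset, text) for every printable NUL-terminated string. Blocks already
    covered by a hit are skipped, so a string spanning several blocks is not
    re-decoded from its second block with the index reset to 0."""
    hits, off = [], 0
    while off + 16 <= len(blob):
        s = decode_at(blob, off, key)
        if s and all(0x20 <= c < 0x7F for c in s):
            hits.append((off, s.decode("ascii")))
            off += ((len(s) + 1 + 15) // 16) * 16   # next aligned block after the NUL
        else:
            off += 16
    return hits


def pad16(s: bytes) -> bytes:
    """NUL-pad to a multiple of 16 bytes, mirroring the aligned block layout."""
    return s + b"\0" * ((16 - len(s) % 16) % 16)


# Constructed stand-in for an .rdata region holding two strings named in the
# report (a beacon path and the WMI namespace). These are NOT bytes from the sample.
SAMPLE_RDATA = (encode_string(pad16(b"/3256.php?pass=356324 HTTP/1.1"))
                + encode_string(pad16(b"ROOT\\SecurityCenter2")))

if __name__ == "__main__":
    for off, text in carve_strings(SAMPLE_RDATA):
        print(f"0x{off:04x}: {text}")
```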


C2 Protocol (Decoded)

Beacon Paths

Two HTTP POST beacon paths were recovered from XOR-obfuscated strings in .rdata:

Path                                 | Purpose
POST /3256.php?pass=356324 HTTP/1.1  | Primary beacon/check-in
POST /347561.php?id=4636 HTTP/1.1    | Secondary path (task retrieval / data exfiltration)

Both embed hardcoded authentication tokens in the query string: pass=356324 acts as a session password, id=4636 as an operator or campaign identifier.

HTTP Headers

Header          | Value
User-Agent      | %s (format string -- configurable per-target)
Content-Type    | text/... (truncated)
Connection      | Keep-Alive
Cache-Control   | no-cache
Content-Length  | %d
Accept-Language | Present (locale string)

Proxy Traversal

TernDoor can tunnel through corporate HTTP proxies:

CONNECT %s:%d HTTP/1.1\r\nHOST: %s

The CONNECT template is paired with Proxy-Authentication headers and SSPI/Negotiate auth via Secur32.dll!InitSecurityInterfaceA -- meaning it can authenticate to enterprise proxies using the compromised machine's domain credentials.

Custom TLS 1.3 Stack

The backdoor implements its own TLS 1.3 via the MysslConn class, bypassing Windows SChannel entirely. This defeats enterprise SSL inspection proxies that rely on intercepting SChannel calls.

Supported cryptographic primitives:

  • ECC curves: secp256k1, secp256r1, secp384r1, secp521r1, secp224k1, secp224r1, secp192r1, SECP112R1, SECP128R1, SECP160R1
  • Hash algorithms: SHA-256, SHA-384, SHA-512
  • Stream ciphers: ChaCha20/Salsa20 (expand 32-byte k, expand 16-byte k)
  • DH groups: ffdhe2048 through ffdhe8192 (RFC 7919)
  • 72-byte ECC public key embedded at .rdata+0x1B500 for key exchange

C2 Data Encryption

All C2 payloads are encrypted using AES-128-CBC via the Windows CryptoAPI pipeline:

CryptAcquireContext("Microsoft Base Cryptographic Provider v1.0")
  -> CryptCreateHash(CALG_MD5 = 0x8003)
    -> CryptHashData(password, 16)
      -> CryptDeriveKey(CALG_AES_128 = 0x660E)
        -> CryptDecrypt(final=TRUE)

Password: bsy436^745vA fbw (16 bytes ASCII, loaded via SSE at 0x14000148D)
Derived key: 3e650696ad4c5564065bd0155beeb782 (MD5 of password)

This same function at VA 0x140001470 is called from three locations:

  • 0x14004DCC9 -- decrypting received C2 data
  • 0x14004F885 -- decrypting task payloads
  • 0x14004F985 -- decrypting the embedded kernel driver

Five Communication Channels

The C++ class hierarchy (extracted from RTTI) reveals five transport protocols sharing a common Conn interface:

Conn (base class)
  +-- TcpConn          Raw TCP via WS2_32
  +-- TLSConn          Custom TLS 1.3
  +-- HttpConn         HTTP/1.0 and HTTP/1.1
  +-- HttpsConn        HTTPS (HttpConn + TLS)
  +-- MysslConn        Custom SSL implementation
  +-- PipeConn         Named pipe client

Listener (base class)
  +-- PipeListener     Named pipe server

All classes use std::shared_ptr (confirmed by _Ref_count_obj2 RTTI templates), indicating reference-counted connection management.

C2 IP Storage

The C2 addresses are not hardcoded as plaintext in the binary. The binary contains 127.0.0.1:443 as a placeholder. Real C2 IPs are stored encrypted in registry key HKCU\Software\CLASSES\A and decrypted at runtime via the same CryptDeriveKey pipeline. The addresses are likely delivered by the initial stager or encoded per-instruction in the code (requiring emulation to extract).


Named Pipe Lateral Movement

Pipe name format: \\.\pipe\fg64s5%d

The %d is replaced with a runtime value (PID or session ID). Because PipeConn and PipeListener share the same Conn interface as TCP/TLS/HTTP transports, the full C2 command set is available over named pipes. This enables lateral movement within a compromised network with zero external network traffic.

Synchronization event: Global\the123(%08x) (hex PID format)


Embedded Kernel Driver (EDR Killer)

A 9,744-byte (0x2610) AES-encrypted blob sits in the .data section at offset 0x1FD0. At runtime, TernDoor:

  1. Allocates 0x2612 bytes and copies the blob
  2. Decrypts via the same AES-128-CBC CryptDeriveKey pipeline
  3. Loads ntdll.dll to call RtlCreateRegistryKey and RtlWriteRegistryValue
  4. Drops the driver to disk as WSPrint.sys
  5. Registers via SYSTEM\CurrentControlSet\Services
  6. Sets ImagePath to \??\<path>\WSPrint.sys

Property     | Value
Device name  | \\Device\\VMTool
Symlink      | \\DosDevices\\VMTool
SHA256       | 2d2ca7d21310b14f5f5641bbf4a9ff4c3e566b1fbbd370034c6844cedc8f0538
Capabilities | Suspend, resume, terminate processes
Privilege    | Loaded via SeTakeOwnershipPrivilege + RtlAdjustPrivilege

The device name \\Device\\VMTool serves a dual purpose: it masquerades as a VMware component, and TernDoor checks for this same device name during sandbox detection. If the device already exists (VMware guest), TernDoor knows it is in a VM. If it does not exist, TernDoor creates it for its own driver.


Persistence Arsenal

TernDoor deploys four independent persistence mechanisms:

Method           | Detail
Scheduled Task   | schtasks /create /tn WSPrint /tr "C:\ProgramData\WSPrint\WSPrint.exe" /ru "SYSTEM" /sc onstart /F
Task Hiding      | Deletes SD key in TaskCache\Tree\WSPrint, sets Index=0
Registry Run Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Service  | SYSTEM\CurrentControlSet\Services\WSPrint via CreateServiceW

Install directory: C:\ProgramData\WSPrint\


Anti-Analysis and Evasion

  • WMI AV enumeration: SELECT * FROM AntiVirusProduct via ROOT\SecurityCenter2 (decoded from .rdata+0x1BEB0)
  • OS fingerprinting: Reads ProductName from SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • VMware detection: Checks \\Device\\VMTool existence
  • Process monitoring: References to sexplorer.exe and msiexec.exe (likely injection targets)
  • Privilege escalation: AdjustTokenPrivileges, DuplicateTokenEx + CreateProcessAsUserW for token impersonation, RtlAdjustPrivilege for direct privilege manipulation
  • Custom TLS: Bypasses enterprise SSL inspection by avoiding SChannel

PeerTime: BitTorrent as C2

PeerTime is a Linux backdoor that uses the BitTorrent protocol for command and control -- a novel approach that blends C2 traffic with legitimate P2P traffic.

Property      | Value
SHA256        | 34d64b3cd9430e85edefcb883973a086dd5de9917e05fabec89b1f4ab9627e91
Type          | ELF 64-bit, statically linked (C/C++ variant, Rust variant also exists)
Size          | 1.6 MB, stripped
Architectures | AMD64, ARM, AARCH64, PowerPC, MIPS
Persistence   | Crontab injection: (crontab -l ; echo "@reboot %s") | crontab -

Capabilities: Process renaming for evasion, payload download from peers, file execution via BusyBox, Chinese debug strings ("Error retrieving current program path").

PeerTime Infrastructure

All three C2 domains were registered at NameCheap within 48 hours (May 22-24, 2025), all using Cloudflare nameservers apollo.ns.cloudflare.com / noor.ns.cloudflare.com:

Domain           | Registered | Status
bloopencil[.]net | 2025-05-22 | NOT resolving
xtibh[.]com      | 2025-05-24 | LIVE (104.21.66.205 / 172.67.207.64)
xcit76[.]com     | 2025-05-24 | LIVE (172.67.130.119 / 104.21.3.75)

IP               | Purpose
185.196.10[.]247 | Staging server (SSH + MySQL exposed), Global-Data SC
185.196.10[.]38  | C2 server, Global-Data SC

Mandiant Backscatter tracks PeerTime as malware_config:angrypeer.


BruteEntry: Building the ORB Network

BruteEntry is a Go-based brute force scanner that compromises internet-facing services and converts them into Operational Relay Boxes (ORBs) -- proxy nodes that obscure the true origin of UAT-9244's operations.

Property       | Value
SHA256         | 66adeedfb739774fcc09aa7426c8fad29f8047ab4caee8040d07c0e84d011611
Type           | ELF 64-bit, statically linked Go (not stripped, debug_info present)
Size           | 14 MB
Go BuildID     | oqraikdc7AiBldRSrDwp/...
Developer path | E:\toolss\golang (Windows dev environment, note "toolss" typo)

Go Function Symbols

main.main
main.NewAgent
main.NewResultCollector
main.extractHostPort
main.getCredentials
main.getOutboundIP
main.(*Agent).brutePostgres
main.(*Agent).bruteTomcat

C2 Protocol (HTTP/JSON REST API)

POST /register          -> Returns agent_id, server version
                           "Registered as agent: %s (Server: %s)"

GET  /heartbeat         -> Keepalive

GET  /tasks/<agent_id>?limit=1000
                        -> Returns JSON with target IPs and scan types

POST /results           -> "Cracked by agent %s | Version: %s"
                        -> Or: "All credentials tried"

C2 server: 212.11.64.105:8085 (Global-Data System IT Corp, Seychelles/Switzerland, hostname gyuhbi). This IP is shared with TernDoor infrastructure.

Brute Force Targets

Service       | Library                  | Target
SSH           | golang.org/x/crypto/ssh  | Port 22
PostgreSQL    | github.com/jackc/pgx/v5  | Port 5432
Apache Tomcat | HTTP                     | /manager/html

Hardcoded Credential Lists

Usernames: admin, root, test, user, postgres, tomcat, manager, ubuntu

Passwords: password, 1qaz2wsx, 12345678, admin123, 111111, 123456, s3cret, qwerty, 555111111!!


Infrastructure Clustering

Hosting Providers

Provider                   | Location               | Used For
Vultr                      | Singapore              | TernDoor C2 (Windows VPS with RDP/WinRM)
Lightnode Limited          | Argentina              | TernDoor C2 (positioned in target geography)
Global-Data System IT Corp | Seychelles/Switzerland | BruteEntry C2 + PeerTime staging + TernDoor shared infra
NameCheap                  | --                     | Domain registrar for PeerTime
Cloudflare                 | --                     | DNS proxy for PeerTime domains

Shared SSL Certificate (TernDoor C2s)

All three TernDoor C2 servers share an identical self-signed certificate:

Field    | Value
CN       | 8.8.8.8
O        | Internet Widgits Pty Ltd
C        | US, ST=Some-State
SHA256   | 0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8
Validity | 2022-09-04 to 2023-09-04 (deliberately expired)

Using Google's public DNS IP as the CN is a weak but intentional misdirection. The certificate being expired by three years and still in active use indicates UAT-9244 does not validate server certificates in the backdoor's custom TLS stack.

C2 Liveness (2026-03-08 ~05:14 UTC)

IP                | Port | Status
154.205.154[.]82  | 443  | LIVE (TLS socket, expired CN=8.8.8.8 cert)
207.148.121[.]95  | 443  | LIVE (same cert)
207.148.120[.]52  | 443  | LIVE (same cert)
212.11.64[.]105   | 8085 | DOWN (connection refused)

Three out of three TernDoor C2 servers remain operational.

18 Suspected Additional UAT-9244 IPs

Identified via shared certificate, port fingerprint, and hosting correlation:


Compilation Timeline

Date             | Event
2020-08-05       | WSPrint.exe compiled (legitimate BugSplat v3.6.0.8)
2024-04-23       | BugSplatRc64.dll compiled (malicious loader)
2024-05-06       | TernDoor payload compiled (+13 days)
2025-05-22 to 24 | PeerTime C2 domains registered at NameCheap
2026-03-05       | Cisco Talos publishes UAT-9244 research
2026-03-07       | Samples uploaded to MalwareBazaar

The 22-month gap between TernDoor compilation (May 2024) and public disclosure (March 2026) indicates the malware operated undetected against telecom targets throughout 2024 and 2025. The 13-day gap between loader and payload compilation points to a multi-stage build pipeline. The PeerTime domains (registered May 2025) suggest the campaign expanded to Linux targets roughly a year after the Windows toolkit was built.


Attribution

Cisco Talos assesses with high confidence that UAT-9244 overlaps with FamousSparrow and Tropic Trooper (KeyBoy, Pirate Panda).

Evidence            | Detail
Malware lineage     | TernDoor is a variant of CrowDoor, which is a variant of SparrowDoor (FamousSparrow's signature backdoor)
TTPs                | DLL sideloading, scheduled task persistence, process-killing driver
Victimology         | Telecommunications sector targeting
Prior reporting     | ESET documented FamousSparrow targeting US/Mexico orgs (March 2025)
Language artifacts  | Chinese debug strings in PeerTime ("Error retrieving current program path")
Developer artifacts | E:\toolss\golang path in BruteEntry (Windows dev environment, non-standard English)

Talos explicitly states this is not Salt Typhoon, despite both clusters targeting telecom: "Talos has not been able to verify or establish a solid connection between the two clusters."


MITRE ATT&CK Mapping

Tactic               | Technique                         | Implementation
Execution            | T1129 Shared Modules              | WSPrint.exe loads BugSplatRc64.dll
Persistence          | T1053.005 Scheduled Task          | schtasks /create /tn WSPrint /sc onstart
Persistence          | T1547.001 Registry Run Key        | HKCU\...\CurrentVersion\Run
Persistence          | T1053.003 Cron                    | @reboot crontab (PeerTime)
Defense Evasion      | T1574.002 DLL Side-Loading        | Legitimate signed BugSplat binary
Defense Evasion      | T1014 Rootkit                     | WSPrint.sys (\\Device\\VMTool) process killer
Defense Evasion      | T1070 Indicator Removal           | Scheduled task SD key deletion, Index=0
Defense Evasion      | T1140 Deobfuscate/Decode          | RC4 + SUB-XOR-ADD + LZNT1 + ADD-XOR-SUB string cipher
Defense Evasion      | T1027.002 Software Packing        | Six-layer unpacking chain with reflective PE loading
Command and Control  | T1071.001 Web Protocols           | HTTPS POST to .php endpoints with auth tokens
Command and Control  | T1573.001 Symmetric Cryptography  | AES-128-CBC via CryptDeriveKey
Command and Control  | T1095 Non-Application Layer       | Custom TLS 1.3, BitTorrent (PeerTime)
Command and Control  | T1090.003 Multi-hop Proxy         | ORB network via BruteEntry compromised hosts
Credential Access    | T1110.001 Password Guessing       | SSH/PostgreSQL/Tomcat brute force (BruteEntry)
Resource Development | T1584.004 Server                  | ORB infrastructure from brute-forced hosts
Lateral Movement     | T1570 Lateral Tool Transfer       | Named pipe \\.\pipe\fg64s5%d with full C2 command set

Detection Opportunities

Network Signatures

  1. HTTP POST to .php with pass= or id= query parameter over port 443 with self-signed cert CN=8.8.8.8
  2. TLS handshake not using Windows SChannel (custom implementation with non-standard curve negotiation)
  3. CONNECT method with Proxy-Authentication header to port 443 destinations
  4. SSL certificate SHA256 0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8
  5. BitTorrent protocol traffic from servers that should not be running P2P (PeerTime)
  6. HTTP REST API traffic to port 8085 with /register, /heartbeat, /tasks/, /results paths (BruteEntry)

Host Signatures

  1. Mutex kjobIUbb%8745hgUUa or abg%bYCYHvnb%3247v
  2. Named pipe matching \\.\pipe\fg64s5 followed by digits
  3. Registry key HKCU\Software\CLASSES\A with encrypted binary data
  4. Driver device \\Device\\VMTool or \\DosDevices\\VMTool (when not running VMware)
  5. Scheduled task WSPrint running as SYSTEM on startup
  6. Directory C:\ProgramData\WSPrint\ containing WSPrint.exe, BugSplatRc64.dll, WSPrint.dll, WSPrint.sys
  7. Crontab entry with @reboot pointing to an unexpected binary (PeerTime)
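As an added example (not part of the original report), the network and host signatures above are expressed as regular expressions and run over constructed log records in Python. The key=value record layout and the rule names are assumptions for this demo; the patterns themselves are taken from the indicators listed on this page.

```python
"""Added example: triage the TernDoor / BruteEntry signatures above against log
records. Record format is a demo assumption; sample records are constructed."""
import re

# One compiled regex per signature from the Detection Opportunities section.
RULES = {
    "terndoor_beacon_uri":  re.compile(r"POST /(?:3256|347561)\.php\?(?:pass|id)=\d+"),
    "terndoor_c2_cert":     re.compile(r"0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8", re.I),
    "proxy_connect_auth":   re.compile(r"\bCONNECT \S+:443\b.*Proxy-Auth"),
    "bruteentry_c2_api":    re.compile(r":8085 .*(?:/register|/heartbeat|/tasks/|/results)"),
    "terndoor_pipe":        re.compile(r"\\\\\.\\pipe\\fg64s5\d+"),
    "terndoor_reg_config":  re.compile(r"HKCU\\Software\\CLASSES\\A\b", re.I),
    "terndoor_driver_dev":  re.compile(r"\\+(?:Device|DosDevices)\\+VMTool\b"),
    "terndoor_task":        re.compile(r"schtasks .*?/tn WSPrint\b|TaskCache\\Tree\\WSPrint"),
    "terndoor_install_dir": re.compile(r"C:\\ProgramData\\WSPrint\\", re.I),
}

# Constructed records (proxy/TLS inspection lines, then endpoint telemetry).
SAMPLE_RECORDS = [
    'proxy src=10.1.2.3 dst=154.205.154.82:443 req="POST /3256.php?pass=356324 HTTP/1.1"',
    'tls dst=207.148.121.95:443 cn=8.8.8.8 sha256=0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8',
    'proxy src=10.1.2.3 req="CONNECT 207.148.120.52:443 HTTP/1.1" hdr=Proxy-Authentication',
    'http dst=212.11.64.105:8085 req="GET /tasks/agent-7?limit=1000"',
    'proxy src=10.1.2.9 dst=93.184.216.34:443 req="GET /index.php?id=12 HTTP/1.1"',      # benign
    r'sysmon EventID=17 Image=C:\ProgramData\WSPrint\WSPrint.exe PipeName=\\.\pipe\fg64s54812',
    r'sysmon EventID=13 TargetObject=HKCU\Software\CLASSES\A Details=Binary Data',
    r'edr op=CreateDevice Name=\Device\VMTool Vm=False',
    r'sysmon EventID=1 CommandLine="schtasks /create /tn WSPrint /ru SYSTEM /sc onstart /F"',
    r'sysmon EventID=17 Image=C:\Windows\System32\lsass.exe PipeName=\\.\pipe\lsass',    # benign
]


def scan(records):
    """Return (rule_name, record_index) for every signature that fires."""
    hits = []
    for idx, rec in enumerate(records):
        for name, rx in RULES.items():
            if rx.search(rec):
                hits.append((name, idx))
    return hits


def hit_counts(records):
    """Number of records each rule matched; useful for spotting noisy rules."""
    counts = {}
    for name, _ in scan(records):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, idx in scan(SAMPLE_RECORDS):
        print(f"{name:22s} record[{idx}]: {SAMPLE_RECORDS[idx]}")
```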

YARA Concepts

  • String bsy436^745vA fbw (AES password, unique to TernDoor)
  • String qwiozpVngruhg123 (RC4 key in loader)
  • Byte sequence 61 62 67 25 62 59 43 59 48 76 6e 62 25 33 32 34 (XOR key)
  • RTTI class names MysslConn, ConnExchanger, PipeListener in combination
  • CryptoAPI call sequence: CryptCreateHash(0x8003) + CryptDeriveKey(0x660E) in proximity
  • Go function symbol main.(*Agent).brutePostgres (BruteEntry)

IOCs

File Hashes (SHA256)

Component                          | SHA256
TernDoor delivery package (rar.zip) | f36913607356a32ea106103387105c635fa923f8ed98ad0194b66ec79e379a02
BugSplatRc64.dll (loader)          | 711d9427ee43bc2186b9124f31cba2db5f54ec9a0d56dc2948e1a4377bada289
BugSplatRc64.dll (from ZIP)        | 3c098a687947938e36ab34b9f09a11ebd82d50089cbfe6e237d810faa729f8ff
WSPrint.dll (encrypted payload)    | a5e413456ce9fc60bb44d442b72546e9e4118a61894fbe4b5c56e4dfad6055e3
RC4-decrypted shellcode            | ef03a255ea8e53e0cc314ac15acb06fd0b26e75197258ec2a6fa7ff19af9d5bd
TernDoor PE (reconstructed)        | d6d960dcaa526d8d0d3e23592801c2c3d1b0e2df596dfcbab8392e846b716d38
WSPrint.sys (kernel driver)        | 2d2ca7d21310b14f5f5641bbf4a9ff4c3e566b1fbbd370034c6844cedc8f0538
BruteEntry (os_check_agent)        | 66adeedfb739774fcc09aa7426c8fad29f8047ab4caee8040d07c0e84d011611
PeerTime (amd64_1)                 | 34d64b3cd9430e85edefcb883973a086dd5de9917e05fabec89b1f4ab9627e91

Network IOCs

IOC                        | Type    | Context
154.205.154[.]82:443       | IP:Port | TernDoor C2 (Lightnode, AR) -- LIVE
207.148.121[.]95:443       | IP:Port | TernDoor C2 (Vultr, SG) -- LIVE
207.148.120[.]52:443       | IP:Port | TernDoor C2 (Vultr, SG) -- LIVE
212.11.64[.]105:8085       | IP:Port | BruteEntry C2 + TernDoor shared infra (Global-Data, SC) -- DOWN
185.196.10[.]247           | IP      | PeerTime staging (Global-Data, SC)
185.196.10[.]38            | IP      | PeerTime C2 (Global-Data, SC)
bloopencil[.]net           | Domain  | PeerTime C2 (not resolving)
xtibh[.]com                | Domain  | PeerTime C2 (LIVE)
xcit76[.]com               | Domain  | PeerTime C2 (LIVE)
POST /3256.php?pass=356324 | URI     | TernDoor primary beacon
POST /347561.php?id=4636   | URI     | TernDoor secondary beacon

Host IOCs

IOC                          | Type
kjobIUbb%8745hgUUa           | Mutex (primary)
abg%bYCYHvnb%3247v           | Mutex (secondary) / XOR key
\\.\pipe\fg64s5%d            | Named pipe
Global\the123(%08x)          | Event name
C:\ProgramData\WSPrint\      | Install directory
\\Device\\VMTool             | Driver device name
\\DosDevices\\VMTool         | Driver symlink
HKCU\Software\CLASSES\A      | Encrypted C2 config storage
schtasks /create /tn WSPrint | Persistence task

Encryption Keys

Key                | Algorithm          | Purpose
qwiozpVngruhg123   | RC4                | WSPrint.dll payload decryption
abg%bYCYHvnb%324   | ADD-XOR-SUB        | ASCII string obfuscation
kjobIUbb%8745hgUUa | ADD-XOR-SUB        | Wide string obfuscation
bsy436^745vA fbw   | MD5 -> AES-128-CBC | C2 data + driver decryption

SSL Certificate

Field  | Value
CN     | 8.8.8.8
O      | Internet Widgits Pty Ltd
SHA256 | 0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8
Valid  | 2022-09-04 to 2023-09-04 (expired)

ClamAV Signatures

  • Win.Malware.TernDoor-10058445-0
  • Win.Loader.PeerTime
  • Unix.Malware.BruteEntry-10058448-0
  • Unix.Malware.PeerTime-10058476-0
  • SNORT SID: 65551

Imphashes

Component                 | Imphash
BugSplatRc64.dll (loader) | 82f7e0de9b7691e3e972ba4d425169b8
WSPrint.exe (legitimate)  | 6b4ebbc76a24a32743d71833b7b047b2
