UAT-9244 is a China-nexus advanced persistent threat (APT) actor disclosed by Cisco Talos on March 5, 2026, that has targeted South American telecommunications providers since 2024. Talos assesses with high confidence that the group is closely associated with the Famous Sparrow cluster and overlaps operationally with Tropic Trooper; despite similar telecom targeting, Talos explicitly states that no conclusive evidence links UAT-9244 to the Salt Typhoon cluster.
The campaign uses three novel malware implants, each for a different platform, to maintain persistent access:
TernDoor: A Windows backdoor derived from CrowDoor that uses DLL side-loading and embeds a driver to suspend or terminate processes.
PeerTime: An ELF-based backdoor for Linux and embedded systems that leverages the BitTorrent protocol for command-and-control (C2) operations.
BruteEntry: A scanner installed on network edge devices that turns them into Operational Relay Boxes (ORBs) used to brute-force SSH, PostgreSQL, and Tomcat servers.
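Because BruteEntry drives its brute-forcing from compromised edge devices, the source addresses are other organisations' routers rather than known-bad scanner ranges, so the useful signal on the victim side is a single address failing against several services in a short window. The following detector is an added example, not code from the Talos report or from any of the implants; it runs over constructed sshd, PostgreSQL and Tomcat log lines (the PostgreSQL lines assume a log_line_prefix of '%m [%p] %h ' so the client address is present, and the syslog lines are assumed to be UTC), normalises them to one event shape, and raises one alert per source address that exceeds a combined failure threshold inside a sliding window. The IPs, hostnames, PIDs and threshold are all made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (not from the Talos report). Three formats:
# sshd via syslog (no year, assumed UTC), PostgreSQL server log with
# log_line_prefix '%m [%p] %h ', and a Tomcat access log.
# 203.0.113.7 plays the ORB; 198.51.100.9 is a benign host.
SAMPLE_LINES = [
    'Mar  5 10:00:01 edge sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2',
    'Mar  5 10:00:03 edge sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2',
    '2026-03-05 10:00:05 UTC [2211] 203.0.113.7 FATAL:  password authentication failed for user "postgres"',
    '203.0.113.7 - - [05/Mar/2026:10:00:07 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    'Mar  5 10:00:09 edge sshd[1210]: Failed password for root from 203.0.113.7 port 51250 ssh2',
    '2026-03-05 10:00:11 UTC [2215] 203.0.113.7 FATAL:  password authentication failed for user "postgres"',
    '203.0.113.7 - - [05/Mar/2026:10:00:13 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    'Mar  5 10:00:20 edge sshd[1300]: Failed password for root from 198.51.100.9 port 40022 ssh2',
    'Mar  5 10:00:25 edge sshd[1301]: Accepted publickey for ops from 198.51.100.9 port 40030 ssh2',
]

SSHD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+')
PG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \[\d+\] (?P<ip>\S+) FATAL:\s+'
    r'password authentication failed for user "(?P<user>[^"]+)"')
# Tomcat manager/host-manager are the usual brute-force targets; a 401 is a failed attempt.
TOMCAT_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) /manager/\S* HTTP/[\d.]+" 401 ')


def parse_line(line, syslog_year=2026):
    """Normalise one log line to (utc_timestamp, service, source_ip, user), or None if irrelevant."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{syslog_year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, "ssh", m["ip"], m["user"]
    m = PG_RE.match(line)
    if m:
        return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "postgresql", m["ip"], m["user"]
    m = TOMCAT_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return ts.astimezone(timezone.utc).replace(tzinfo=None), "tomcat", m["ip"], None
    return None


def detect_bruteforce(lines, window_seconds=60, threshold=5):
    """Return one alert per source IP that accumulates >= threshold failed logins,
    counted across all services together, inside a sliding window of window_seconds."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    recent = defaultdict(deque)  # ip -> deque of (ts, service) still inside the window
    alerts = {}
    for ts, service, ip, _user in events:
        window = recent[ip]
        window.append((ts, service))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = {
                "source": ip,
                "failures": len(window),
                "services": sorted({s for _, s in window}),
                "first_seen": window[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LINES):
        print(alert)
```

Counting failures across services, rather than per service, is the point: five SSH failures in a minute is fail2ban territory and already handled, but two SSH, two PostgreSQL and one Tomcat failure from one router address in eight seconds is the ORB pattern and stays under every per-service threshold. In production the window and threshold should be tuned per environment, and an alert on an edge-device address should be followed by checking whether that device itself shows signs of compromise.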
The actor employs evasion techniques that include hiding scheduled tasks and modifying registry keys. Its binaries also contain Simplified Chinese debug strings, which is an attribution artifact supporting the China-nexus assessment rather than an evasion technique.
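Talos does not say in this summary how UAT-9244 hides its scheduled tasks, so the following is an added example of a generic check, not code from the report: it cross-references the three places Windows keeps a scheduled task (the TaskCache\Tree key, the TaskCache\Tasks\{GUID} key, and the XML under System32\Tasks) and flags the inconsistencies that the well-known hiding techniques produce, in particular a Tree entry whose SD (security descriptor) value has been deleted, which removes the task from schtasks and the Task Scheduler UI while it keeps running. The inputs are constructed in-line so the logic runs anywhere; on a live host you would populate them by walking the two registry keys with winreg and the Tasks directory with os.walk. Task names and GUIDs are made up.

```python
# Windows Task Scheduler cache layout (well known, not specific to UAT-9244):
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<TaskPath>
#       values: Id (task GUID), Index, SD (security descriptor, REG_BINARY)
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}
#       values: Path, Triggers, Actions, ...
#   %SystemRoot%\System32\Tasks\<TaskPath>          task definition XML
# A Tree entry without an SD value is not returned by schtasks /query or
# shown in the Task Scheduler UI, yet the service still runs the task.

# Constructed sample of the three views; names, GUIDs and the SD blob are made up.
SAMPLE_TREE = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": {
        "Id": "{00000000-0000-0000-0000-000000000001}",
        "Index": 3,
        "SD": b"\x01\x00\x04\x80",  # abbreviated security descriptor
    },
    r"\WinUpdateSvc": {  # SD value deleted: the hidden-task pattern
        "Id": "{00000000-0000-0000-0000-000000000002}",
        "Index": 3,
    },
}
SAMPLE_TASKS = {
    "{00000000-0000-0000-0000-000000000001}": {"Path": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    "{00000000-0000-0000-0000-000000000002}": {"Path": r"\WinUpdateSvc"},
    # registered under Tasks but with no Tree entry at all
    "{00000000-0000-0000-0000-000000000003}": {"Path": r"\Microsoft\Windows\Maintenance\Cleanup"},
}
SAMPLE_TASK_FILES = {r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"\WinUpdateSvc"}


def find_hidden_tasks(tree, tasks, task_files):
    """Cross-check the Tree keys, Tasks\\{GUID} keys and on-disk XML files.

    tree:       {task_path: {"Id": guid, "Index": int, "SD": bytes}}  (SD may be absent)
    tasks:      {guid: {"Path": task_path, ...}}
    task_files: set of task paths that exist under System32\\Tasks
    Returns a list of (task_path, finding) pairs; an empty list means the views agree.
    """
    findings = []
    tree_ids = {}
    for path, values in sorted(tree.items()):
        task_id = values.get("Id")
        tree_ids[task_id] = path
        if "SD" not in values:
            findings.append((path, "Tree entry has no SD value (hidden from schtasks and the Task Scheduler UI)"))
        if task_id not in tasks:
            findings.append((path, "Tree entry Id has no Tasks\\{GUID} counterpart"))
        elif tasks[task_id].get("Path") != path:
            findings.append((path, "Tasks entry Path does not match the Tree key"))
        if path not in task_files:
            findings.append((path, "no task XML under System32\\Tasks"))
    for guid, values in sorted(tasks.items()):
        if guid not in tree_ids:
            findings.append((values.get("Path", guid), f"Tasks\\{guid} has no Tree entry"))
    return findings


if __name__ == "__main__":
    for path, finding in find_hidden_tasks(SAMPLE_TREE, SAMPLE_TASKS, SAMPLE_TASK_FILES):
        print(f"{path}: {finding}")
```

Reading the Tree and Tasks keys needs SYSTEM or an offline hive (the SD on the cache keys keeps ordinary administrators out of parts of it), which is also why a collection agent that only calls the Task Scheduler API never sees the hidden task. Treat any of these findings on a telecom-facing Windows host as a reason to pull the corresponding Tasks\{GUID} Actions value and the binary it points to.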
