At some stage, remediation actions were taken and the malware was removed from at least one affected system. However, rather than abandoning the intrusion, the attackers returned to the same vulnerable Exchange server nearly a month after the initial compromise attempt. This time, instead of redeploying Deed RAT immediately, they attempted to install a different backdoor identified as Terndoor.
TernDoor
TernDoor is a Windows backdoor used by the China-linked threat cluster UAT-9244, which Cisco Talos assessed overlaps with FamousSparrow and Tropic Trooper.
Profile source: Mallory opens in a new tabTernDoor
Family profile
TernDoor is a Windows backdoor used by the China-linked threat cluster UAT-9244, which Cisco Talos assessed overlaps with FamousSparrow and Tropic Trooper. It has been described as a new variant of the previously disclosed CrowDoor malware, with lineage tracing further back to SparrowDoor. Public reporting places its use in attacks against South American telecommunications providers since at least 2024, and in a separate multi-wave intrusion against an Azerbaijani oil and gas company in late January or early February 2026, where Bitdefender linked the broader operation to FamousSparrow with moderate-to-high confidence.
TernDoor is delivered via DLL sideloading. In telecom-targeting activity, the observed chain used the legitimate executable wsprint.exe to load a malicious BugSplatRc64.dll loader, which decrypted an encoded payload file WSPrint.dll and executed it in memory, after which the malware was injected into msiexec.exe. Reporting also describes a six-layer unpacking/decryption chain involving RC4, a SUB-XOR-ADD transform, LZNT1 decompression, header restoration, and reflective PE loading; one reported RC4 key was "qwiozpVngruhg123". In the Azerbaijani intrusion, attackers attempted to deploy TernDoor through a USOShared sideloading chain using a renamed deskband_injector64.exe binary and a malicious winmm.dll, with forensic artifacts indicating use of the Mofu loader; that attempt was reportedly blocked.
Documented capabilities include command-and-control communications, remote command execution, file read/write and manipulation, arbitrary process execution, system information gathering, and self-removal via a "-u" switch. TernDoor supports persistence through a scheduled task named WSPrint, a Registry Run key, and Windows service installation; some reporting states it modifies task-related registry keys to hide the scheduled task from standard views. It also contains or drops an AES-encrypted kernel driver, WSPrint.sys, activated as a service, which creates the device \\Device\\VMTool and can suspend, resume, or terminate processes. Additional reported behavior includes named-pipe communications using the format \\.\pipe\fg64s5%d for lateral movement, antivirus enumeration, OS fingerprinting, VMware detection, token manipulation, proxy traversal using CONNECT and Proxy-Authentication/SSPI, and use of a custom TLS 1.3 implementation rather than Windows SChannel.
Reported configuration and infrastructure details include HTTP POST beacon paths /3256.php?pass=356324 and /347561.php?id=4636, hardcoded authentication tokens, storage of encrypted real C2 IPs in HKCU\Software\CLASSES\A while using 127.0.0.1:443 as a placeholder in the binary, and AES-128-CBC encryption for C2 payloads and the embedded driver derived from the password "bsy436^745vA fbw". Publicly reported indicators include live TernDoor C2 servers 154.205.154[.]82:443, 207.148.121[.]95:443, and 207.148.120[.]52:443, all presenting the same expired self-signed certificate with CN 8.8.8.8 and SHA256 fingerprint 0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8. Additional artifacts reported in connection with deployment or persistence include C:\ProgramData\WSPrint, WSPrint.exe, BugSplatRc64.dll, WSPrint.dll, WSPrint.sys, cache.dat, HKLM\SYSTEM\ControlSet001\Services\vmflt, and attempted installation of vmflt.sys in the Azerbaijani case.
Reported operators
Threat actors
4 named in public reportingUAT-9244, a China-nexus APT overlapping with FamousSparrow and Tropic Trooper, is actively targeting South American telecommunications providers with three custom malware families. We fully reversed the TernDoor Windows backdoor...
UAT-9244, a China-nexus APT overlapping with FamousSparrow and Tropic Trooper, is actively targeting South American telecommunications providers with three custom malware families. We fully reversed the TernDoor Windows backdoor...
"The first backdoor, “TernDoor,” is a new variation of the previously disclosed, Windows-based, CrowDoor malware."
Exploited software
Vulnerabilities linked to TernDoor
2 CVEsMITRE ATT&CK
TernDoor in ATT&CK
29 distinct techniquesTechniques
29 techniquesReporting
Research mentioning TernDoor
Chinese APT Hackers Exploit Microsoft Exchange to Breach Energy Sector Network
The operation deployed two distinct backdoor families, Deed RAT and Terndoor, across different stages.
China-linked hackers target Azerbaijani oil firm in multi-wave attack | brief | SC Media
This was followed by TernDoor in late January/early February 2026, and a modified Deed RAT in late February 2026.
Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
The attack paves the way for the deployment of two distinct backdoors across three separate waves: Deed RAT (aka Snappybee), a successor of ShadowPad that's used by multiple China-nexus espionage groups, and TernDoor, which was recently discovered in attacks targeting telecommunications infrastructure in South America since 2024.
FamousSparrow APT Targets Azerbaijani Oil and Gas Industry
At some stage, remediation actions were taken and the malware was removed from at least one affected system. However, rather than abandoning the intrusion, the attackers returned to the same vulnerable Exchange server nearly a month after the initial compromise attempt. This time, instead of redeploying Deed RAT immediately, they attempted to install a different backdoor identified as Terndoor.
TernDoor Unpacked: Cracking a Chinese APT's Multi-Layer Backdoor Targeting South American Telecom - Breakglass Intelligence - Breakglass Intelligence
UAT-9244, a China-nexus APT overlapping with FamousSparrow and Tropic Trooper, is actively targeting South American telecommunications providers with three custom malware families. We fully reversed the TernDoor Windows backdoor...
CTO at NCSC Summary: week ending March 8th
"The first backdoor, “TernDoor,” is a new variation of the previously disclosed, Windows-based, CrowDoor malware."
Chinese APT taps novel malware in telco attacks | brief | SC Media
Telecommunications providers across South America have been targeted by China-linked advanced persistent threat operation UAT-9244 with the newly discovered TernDoor and PeerTime backdoors for Windows and Linux, respectively... UAT-9244... leveraged DLL sideloading to deliver TernDoor...
China-Nexus Hackers Attacking Telecommunication Providers With New Malware
“TernDoor is a Windows backdoor and a new variant of the previously documented CrowDoor malware.”