Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 3 actors

BruteEntry

BruteEntry is a Go-based brute-force scanner used by the China-nexus threat cluster UAT-9244 in operations targeting telecommunications providers in South America since at least 2024. It is typically installed on compromised network edge devices and converts them into Operational Relay Boxes (ORBs) or mass-scanning proxy nodes that obscure the origin of the actor’s activity. BruteEntry is used to scan exposed services and conduct credential brute-force attacks against SSH, PostgreSQL, and Apache Tomcat servers using built-in username and password lists, then report successful credentials back to attacker infrastructure. Reported command-and-control behavior includes registration and tasking over an HTTP/JSON REST API with endpoints such as /register, /heartbeat, /tasks/<agent_id>, and /results. Cisco Talos and related reporting associate BruteEntry with UAT-9244 and assess overlap between that cluster and FamousSparrow and Tropic Trooper. A reported BruteEntry C2 server was 212.11.64[.]105:8085, which was also shared with TernDoor-related infrastructure.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
UAT-9244

BruteEntry is a Go-based brute force scanner that compromises internet-facing services and converts them into Operational Relay Boxes (ORBs) -- proxy nodes that obscure the true origin of UAT-9244's operations.

via breakglass intelintel.breakglass.tech
Famous Sparrow

"...a brute force scanner, which Talos tracks as “BruteEntry.” ... converting them into mass-scanning proxy nodes ... that attempt to brute force into SSH, Postgres, and Tomcat servers."

via ctoatncsc substackctoatncsc.substack.com
Tropic Trooper

The third component, BruteEntry, is used to convert compromised edge devices into scanning infrastructure... capable of conducting credential brute-force attacks against exposed services.

via bank info securitybankinfosecurity.com
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1595Active ScanningEvidence1

"...convert compromised edge devices into scanning infrastructure... receives lists of IP addresses to probe."

Resource Development

1 technique
T1584.004ServerEvidence1

MITRE ATT&CK Mapping ... Resource Development T1584.004 Server ORB infrastructure from brute-forced hosts

Initial Access

1 technique
T1190Exploit Public-Facing ApplicationEvidence1

"The exact initial access method used in the attacks is not known, although the adversary has previously targeted systems running outdated versions of Windows Server and Microsoft Exchange Server to drop web shells for follow-on activity."

Credential Access

2 techniques
T1110Brute ForceEvidence8

“...attempt to brute force into SSH, Postgres, and Tomcat servers.”

T1110.001Password GuessingEvidence1

MITRE ATT&CK Mapping ... Credential Access T1110.001 Password Guessing SSH/PostgreSQL/Tomcat brute force (BruteEntry)

Lateral Movement

1 technique
T1021.004SSHEvidence1

“BruteEntry… attempt to brute force into SSH, Postgres, and Tomcat servers… The agent will then use a set of embedded credentials to attempt to brute force into… ‘ssh’.”

Command and Control

5 techniques
T1071Application Layer ProtocolEvidence1

“PeerTime… backdoor that uses the BitTorrent protocol to conduct malicious operations…”

T1090ProxyEvidence3

“...converting them into mass-scanning proxy nodes, also known as Operational Relay Boxes (ORBs)…”

T1090.002External ProxyEvidence1

“BruteEntry is typically installed on network edge devices, essentially converting them into mass-scanning proxy nodes, also known as Operational Relay Boxes (ORBs)…”

T1090.003Multi-hop ProxyEvidence1

MITRE ATT&CK Mapping ... Command and Control T1090.003 Multi-hop Proxy ORB network via BruteEntry compromised hosts

T1105Ingress Tool TransferEvidence1

"targeted... with the newly discovered TernDoor and PeerTime backdoors... as well as the BruteEntry brute-force scanner"

INDICATORS OF COMPROMISE

IOCs tracked for this family

12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
11 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app4 months ago
domain●●●●●●●●●●●●View more in app4 months ago
domain●●●●●●●●●●●●View more in app4 months ago
domain●●●●●●●●●●●●View more in app4 months ago
ip.v4●●●●●●●●●●●●View more in app4 months ago
ip.v4●●●●●●●●●●●●View more in app4 months ago
ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
breakglass intelNews
Mar 8, 2026
TernDoor Unpacked: Cracking a Chinese APT's Multi-Layer Backdoor Targeting South American Telecom - Breakglass Intelligence - Breakglass Intelligence

Go-based Linux ELF brute-force tool with an HTTP/JSON REST API C2. It targets SSH, PostgreSQL, and Apache Tomcat using hardcoded credential lists and turns compromised hosts into Operational Relay Boxes for proxying attacker activity.

Read more
ctoatncsc substackNews
Mar 7, 2026
CTO at NCSC Summary: week ending March 8th

A brute-force scanning tool typically installed on edge devices to mass-scan and brute-force services (SSH/Postgres/Tomcat), turning devices into ORB-like relay/proxy nodes.

Read more
scworldNews
Mar 6, 2026
Chinese APT taps novel malware in telco attacks | brief | SC Media

Brute-force scanning tool used to turn compromised devices into relay infrastructure and to conduct brute-force attacks against SSH, Tomcat, and PostgreSQL services.

Read more
cyber security newsNews
Mar 6, 2026
China-Nexus Hackers Attacking Telecommunication Providers With New Malware

Edge-device implant that converts compromised network edge devices into ORB relay nodes used to conduct brute-force activity (notably against SSH, PostgreSQL, and Apache Tomcat) to expand attacker foothold and infrastructure reach.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching12

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping11

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.