win.terndoor

TernDoor

Actor(s): UAT-9244


According to Cisco Talos, TernDoor is a Windows backdoor implant delivered as shellcode via a side-loaded DLL-based loader; the blog does not specify its implementation language. It maintains persistence through scheduled tasks or registry run keys, retrieves an embedded configuration for command-and-control, and provides capabilities such as remote command execution, file manipulation, system information collection, and self-uninstallation. TernDoor also deploys an encrypted kernel-mode driver that can hide malicious components and generically suspend, resume, or terminate chosen processes, supporting evasion and process control. The malware checks that it is injected into a legitimate system process before running, further helping it blend into normal activity.

References
2026-03-05 · Cisco Talos · Asheer Malhotra, Brandon White
UAT-9244 targets South American telecommunication providers with three new malware implants
BruteEntry PeerTime TernDoor UAT-9244

There is no Yara-Signature yet.