Salt Typhoon

Espionage · China · 33 malware families · Exploits CVEs in the wild

Also known as: Earth Estries, FamousSparrow, GhostEmperor, Operator Panda, RedMike (also written Red Mike, REDMIKE), UNC2286 (unc2286), UNC5807

Salt Typhoon is the most widely used current name for a cluster that vendors also track as Earth Estries, FamousSparrow, GhostEmperor, Operator Panda, RedMike, UNC2286 and UNC5807; these are vendor-specific cluster names whose overlap is asserted in reporting rather than a single confirmed identity. Reporting describes Salt Typhoon as a PRC-linked, China-aligned threat group conducting cyber espionage and persistent-access operations, including maintaining long-term access inside major U.S. telecommunications providers in 2024. It is discussed alongside other Chinese state-sponsored activity and the broader contractor-enabled model of Chinese cyber operations, and is associated with telecommunications targeting and strategic intelligence collection. Reporting states that the group operated infrastructure suited to Harvest Now, Decrypt Later collection at scale, and that U.S. regulators cited Salt Typhoon-type incidents when tightening telecom and submarine cable security rules. U.S. and partner governments have attributed Salt Typhoon activity to at least three China-based private firms, and the UK NCSC stated that private firms enabled the activity, though the specific tasking relationships and roles remained largely undescribed publicly as of mid-2025. The tradecraft directly attributed to Salt Typhoon in this reporting centers on activity against Cisco network devices.
Splunk analytics in the Salt Typhoon analytic story describe the following suspicious behaviors on Cisco IOS-XE devices:

  • Tunnel interface creation with a tunnel source and destination configured, using 10.10.12.0/24 addressing.
  • Use of "request platform software package describe" with shell-style filename patterns (shell metacharacters in the filename argument).
  • WebUI programmatic configuration via the SEP_webui_wsma_http process.
  • WebUI logins involving local port 21111, described as a strong indicator of exploitation.
  • Bursts of SSH, Telnet-to-port-22, and ping activity across multiple IPs in a short window.
  • Reconnaissance command bursts: show running-config, show tacacs, show cdp neighbors, show file systems, dir bootflash, and terminal formatting commands.
  • Guestshell enablement followed by its destruction.
  • Log-clearing sequences: show logging, clear logging, exit.
  • Rapid removal and re-application of VTY access-class restrictions following HTTP configuration activity.

These behaviors map to reconnaissance, remote services, proxying/tunneling, exploitation of public-facing applications, command execution, defense evasion, and valid-account abuse. The reporting also places Salt Typhoon among representative Chinese state-sponsored actors alongside APT41 and Volt Typhoon, and cites it as an example of how Chinese cyber campaigns rely on a commercial support layer of private firms, contractors, and data brokers.
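As an added example (not code from this page, from Splunk, or from any vendor), the Python below turns several of the behaviours listed above into sequence-aware detections and runs them over a handful of constructed log lines. The input format is assumed for the example: "<time> <user> CMD <command>" for command accounting and "<time> - SYSLOG <message>" for raw syslog; the CONFIG_P message text follows the one Cisco cited in its CVE-2023-20198 guidance for programmatic web UI configuration. The recon-burst threshold (four distinct reconnaissance commands inside 60 seconds) is illustrative, not a vendor value.

```python
"""Added example: behavioural detections for the Cisco IOS-XE tradecraft above,
run over constructed command-accounting / syslog lines (not the page's own code)."""
import re
from datetime import datetime, timedelta

# Constructed sample input (assumed format). One admin session builds a GRE-style
# tunnel with 10.10.12.0/24 addressing, abuses "request platform software package
# describe", then a second user runs a recon burst and wipes the log buffer. The
# "ops" session is benign tunnel maintenance and must not alert.
SAMPLE = """\
2025-01-10T10:00:01 admin CMD interface Tunnel88
2025-01-10T10:00:02 admin CMD ip address 10.10.12.2 255.255.255.0
2025-01-10T10:00:03 admin CMD tunnel source GigabitEthernet1
2025-01-10T10:00:04 admin CMD tunnel destination 203.0.113.5
2025-01-10T10:00:05 admin CMD exit
2025-01-10T10:01:00 admin CMD request platform software package describe file bootflash:x.bin;/bin/sh
2025-01-10T10:02:00 - SYSLOG %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
2025-01-10T10:03:00 svc CMD terminal length 0
2025-01-10T10:03:01 svc CMD show running-config
2025-01-10T10:03:02 svc CMD show tacacs
2025-01-10T10:03:03 svc CMD show cdp neighbors
2025-01-10T10:03:04 svc CMD dir bootflash:
2025-01-10T10:05:00 svc CMD show logging
2025-01-10T10:05:01 svc CMD clear logging
2025-01-10T10:05:02 svc CMD exit
2025-01-10T11:00:00 ops CMD interface Tunnel1
2025-01-10T11:00:01 ops CMD ip address 192.0.2.1 255.255.255.252
2025-01-10T11:00:02 ops CMD tunnel source Loopback0
2025-01-10T11:00:03 ops CMD tunnel destination 198.51.100.9
2025-01-10T11:30:00 ops CMD show running-config
"""

LINE = re.compile(r"^(\S+) (\S+) (CMD|SYSLOG) (.+)$")
RECON = ("show running-config", "show tacacs", "show cdp neighbors",
         "show file systems", "dir bootflash", "terminal length", "terminal width")
SHELL_META = (";", "|", "`", "$(", "&&")


def parse(text):
    """Return events as (time, user, kind, text); lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, user, kind, body = m.groups()
            events.append((datetime.fromisoformat(ts), user, kind, body))
    return events


def suspicious_tunnels(events):
    """Tunnel interface given a 10.10.12.0/24 address plus both tunnel endpoints."""
    hits, ctx = [], None
    for _, user, kind, cmd in events:
        if kind != "CMD":
            continue
        if cmd.lower().startswith("interface tunnel"):
            ctx = {"user": user, "iface": cmd.split()[1], "addr": False, "src": False, "dst": False}
        elif ctx is None:
            continue
        elif cmd.startswith("ip address 10.10.12."):
            ctx["addr"] = True
        elif cmd.startswith("tunnel source "):
            ctx["src"] = True
        elif cmd.startswith("tunnel destination "):
            ctx["dst"] = True
        elif cmd == "exit" or cmd.startswith("interface "):
            ctx = None  # left interface config mode without completing the pattern
        if ctx and ctx["addr"] and ctx["src"] and ctx["dst"]:
            hits.append((ctx["user"], ctx["iface"]))
            ctx = None
    return hits


def package_describe_injection(events):
    """'request platform software package describe' with shell metacharacters in the filename."""
    return [(u, c) for _, u, k, c in events
            if k == "CMD" and c.startswith("request platform software package describe")
            and any(m in c for m in SHELL_META)]


def webui_programmatic_config(events):
    """Configuration pushed programmatically by the web UI WSMA process (CONFIG_P)."""
    return [(t, c) for t, _, k, c in events
            if k == "SYSLOG" and "CONFIG_P" in c and "SEP_webui_wsma_http" in c]


def log_clearing_sequence(events):
    """show logging -> clear logging -> exit as three consecutive commands by one user."""
    per_user, hits = {}, []
    for _, u, k, c in events:
        if k != "CMD":
            continue
        seq = per_user.setdefault(u, [])
        seq.append(c)
        if seq[-3:] == ["show logging", "clear logging", "exit"]:
            hits.append(u)
    return hits


def recon_burst(events, window=timedelta(seconds=60), threshold=4):
    """At least `threshold` distinct recon commands by one user inside `window`."""
    per_user, hits = {}, []
    for t, u, k, c in events:
        if k != "CMD" or not c.startswith(RECON):
            continue
        hist = per_user.setdefault(u, [])
        hist.append((t, c))
        recent = {cmd for ts, cmd in hist if t - ts <= window}
        if len(recent) >= threshold and u not in hits:
            hits.append(u)
    return hits


def run(text):
    """Run every detection over the text and return findings keyed by detection name."""
    ev = parse(text)
    return {"tunnel": suspicious_tunnels(ev),
            "package_describe": package_describe_injection(ev),
            "webui_config": webui_programmatic_config(ev),
            "log_clear": log_clearing_sequence(ev),
            "recon_burst": recon_burst(ev)}


if __name__ == "__main__":
    for name, findings in run(SAMPLE).items():
        print(f"{name}: {findings}")
```

Running it flags the admin tunnel, the metacharacter in the package-describe filename, the CONFIG_P line, and the svc recon burst and log wipe, while the ops session stays clean. The per-user sequencing is the part worth keeping: most of these commands are legitimate one at a time, and the signal is in their order and timing. The 10.10.12.0/24 match mirrors the indicator on this page and is deliberately narrow; an operator can pick any addressing, so the tunnel check is better keyed on unexpected tunnel creation by non-change-window accounts than on that one block.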


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Telecommunication Services
  • Government & Administration

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States
MITRE ATT&CK

Tradecraft

67 distinct techniques observed across reporting, grouped by tactic: 14 of 15 tactics covered, 95 technique entries in total (sub-techniques included, and a technique repeated under each tactic it belongs to). ×N is the number of intelligence reports citing that technique. Sub-techniques are listed under their parent technique.
TA0043 Reconnaissance (2 techniques)
  • T1590 Gather Victim Network Information ×2
  • T1595 Active Scanning

TA0042 Resource Development (5 techniques)
  • T1583 Acquire Infrastructure
    ◦ T1583.005 Botnet
  • T1584 Compromise Infrastructure
    ◦ T1584.008 Network Devices
  • T1587 Develop Capabilities
    ◦ T1587.001 Malware
  • T1588 Obtain Capabilities
    ◦ T1588.002 Tool
  • T1608 Stage Capabilities

TA0001 Initial Access (2 techniques)
  • T1078 Valid Accounts ×2
    ◦ T1078.002 Domain Accounts
  • T1190 Exploit Public-Facing Application ×12

TA0002 Execution (6 techniques)
  • T1047 Windows Management Instrumentation
  • T1059 Command and Scripting Interpreter ×3
    ◦ T1059.001 PowerShell ×2
    ◦ T1059.003 Windows Command Shell
  • T1106 Native API
  • T1203 Exploitation for Client Execution
  • T1569 System Services
    ◦ T1569.002 Service Execution
  • T1574 Hijack Execution Flow
    ◦ T1574.001 DLL

TA0003 Persistence (4 techniques)
  • T1078 Valid Accounts ×2
    ◦ T1078.002 Domain Accounts
  • T1505 Server Software Component
    ◦ T1505.003 Web Shell ×2
  • T1543 Create or Modify System Process
    ◦ T1543.003 Windows Service ×3
  • T1547 Boot or Logon Autostart Execution
    ◦ T1547.001 Registry Run Keys / Startup Folder ×2

TA0004 Privilege Escalation (5 techniques)
  • T1055 Process Injection ×2
    ◦ T1055.001 Dynamic-link Library Injection
    ◦ T1055.012 Process Hollowing
  • T1068 Exploitation for Privilege Escalation
  • T1078 Valid Accounts ×2
    ◦ T1078.002 Domain Accounts
  • T1543 Create or Modify System Process
    ◦ T1543.003 Windows Service ×3
  • T1547 Boot or Logon Autostart Execution
    ◦ T1547.001 Registry Run Keys / Startup Folder ×2

TA0005 Defense Evasion (8 techniques)
  • T1014 Rootkit
  • T1055 Process Injection ×2
    ◦ T1055.001 Dynamic-link Library Injection
    ◦ T1055.012 Process Hollowing
  • T1070 Indicator Removal
    ◦ T1070.001 Clear Windows Event Logs
  • T1078 Valid Accounts ×2
    ◦ T1078.002 Domain Accounts
  • T1140 Deobfuscate/Decode Files or Information ×4
  • T1564 Hide Artifacts
    ◦ T1564.003 Hidden Window
  • T1574 Hijack Execution Flow
    ◦ T1574.001 DLL
  • T1620 Reflective Code Loading ×2

TA0006 Credential Access (3 techniques)
  • T1003 OS Credential Dumping
    ◦ T1003.001 LSASS Memory
  • T1040 Network Sniffing ×3
  • T1056 Input Capture
    ◦ T1056.001 Keylogging

TA0007 Discovery (12 techniques)
  • T1012 Query Registry
  • T1016 System Network Configuration Discovery
  • T1018 Remote System Discovery
  • T1033 System Owner/User Discovery
  • T1040 Network Sniffing ×3
  • T1046 Network Service Discovery
  • T1049 System Network Connections Discovery
  • T1057 Process Discovery
  • T1082 System Information Discovery ×2
  • T1083 File and Directory Discovery
  • T1482 Domain Trust Discovery
  • T1518 Software Discovery
    ◦ T1518.001 Security Software Discovery

TA0008 Lateral Movement (2 techniques)
  • T1021 Remote Services
    ◦ T1021.001 Remote Desktop Protocol
    ◦ T1021.002 SMB/Windows Admin Shares
    ◦ T1021.004 SSH
  • T1570 Lateral Tool Transfer

TA0009 Collection (3 techniques)
  • T1005 Data from Local System
  • T1056 Input Capture
    ◦ T1056.001 Keylogging
  • T1213 Data from Information Repositories ×2

TA0011 Command and Control (8 techniques)
  • T1008 Fallback Channels
  • T1071 Application Layer Protocol ×2
    ◦ T1071.001 Web Protocols ×3
  • T1090 Proxy
  • T1095 Non-Application Layer Protocol
  • T1105 Ingress Tool Transfer
  • T1571 Non-Standard Port
  • T1572 Protocol Tunneling
  • T1573 Encrypted Channel
    ◦ T1573.001 Symmetric Cryptography

TA0010 Exfiltration (1 technique)
  • T1048 Exfiltration Over Alternative Protocol

TA0040 Impact (1 technique)
  • T1489 Service Stop
WEAPONIZED

Associated vulnerabilities

24 CVEs this actor has used in observed campaigns, all 24 exploited in the wild. The five with the most supporting evidence are listed below.

CVE-2023-20198: Authentication Bypass in Cisco IOS XE Web UI (in the wild; evidence count: 7)

The Australian Signals Directorate (ASD) recently issued a high-severity alert about an ongoing cyber attack campaign exploiting a critical vulnerability in Cisco IOS XE devices, tracked as CVE-2023-20198. This vulnerability has a perfect CVSS score of 10.0, reflecting its extreme risk, and has been actively exploited since 2023.

CVE-2022-41040: ProxyNotShell SSRF in Microsoft Exchange Server (in the wild; evidence count: 6)

The process command line contained the MSExchangePowerShellAppPool argument, indicating that the attacker exploited the Exchange server via the ProxyNotShell exploit chain... ProxyNotShell (CVE-2022-41040, CVE-2022-41082) is a related exploit chain disclosed in 2022. Both allow unauthenticated attackers to execute code on unpatched Exchange servers.

CVE-2018-0171: Cisco Smart Install Remote Code Execution (in the wild; evidence count: 5)

In 2025, it was reported that Russian government-sponsored ransomware gangs Static Tundra and Salt Typhoon exploited the CVE-2018-0171 vulnerability in unpatched Cisco equipment. The CVE-2018-0171 vulnerability in Cisco IOS and IOS XE allows a remote threat actor to execute arbitrary commands without authentication, and it was disclosed that the vulnerability was used to gain initial access.

CVE-2021-26855: ProxyLogon SSRF in Microsoft Exchange Server (in the wild; evidence count: 4)

Both groups were also early exploiters of the ProxyLogon vulnerability (CVE-2021-26855) and have used some of the same publicly available tools.

CVE-2023-20273: Cisco IOS XE Web UI Post-Authentication Command Injection / Privilege Escalation (in the wild; evidence count: 3)

Salt Typhoon has exploited vulnerabilities in Cisco edge devices (notably CVE-2023-20198 and CVE-2023-20273) to gain unauthorized access to telecom networks.

19 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

159 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. Indicator values are not included on this page.
