Skip to main content
Mallory
Back to threat actors
EspionageChina🇨🇳 CN32 malware familiesExploits CVEs in the wild

Salt Typhoon

Also known asEarth EstriesFamousSparrowGhostEmperorOPERATOR PANDARed MikeREDMIKESalt Typhoonunc2286UNC5807

Salt Typhoon is a China-linked, state-sponsored espionage threat actor. The provided content identifies Ghost Emperor as overlapping with or tracked under the aliases Earth Estries, FamousSparrow, Operator Panda, RedMike/Red Mike, UNC2286, and UNC5807, with reporting stating that activity partially overlaps with campaigns tracked as Salt Typhoon, RedMike, OPERATOR PANDA, UNC5807, and Ghost Emperor. The content also notes tactical overlap between FamousSparrow and clusters tracked as Earth Estries and Salt Typhoon. The actor is associated primarily with large-scale espionage against telecommunications providers and related infrastructure. Reporting in the content states that Salt Typhoon penetrated global telecommunications networks, including major U.S. providers such as AT&T, Verizon, Lumen, Charter Communications, Windstream, and other telecom companies in dozens of countries. The group reportedly compromised systems used for lawful intercept and court-authorized wiretap requests, obtained a nearly complete list of phone numbers monitored by the U.S. Justice Department lawful intercept system, accessed customer call and text metadata from more than one million users, and in some cases may have captured phone audio involving senior U.S. political figures. Multiple items in the content state that investigators believed the actors retained access for months or longer and that the United States could not confidently assert the actors had been fully removed. The content further states that Salt Typhoon breached a U.S. state National Guard network from March 2024 to December 2024 and likely exfiltrated configuration files, administrator credentials, and network diagrams tied to critical infrastructure organizations and state agencies. A Department of Defense report cited in the content says the group had previously stolen 1,462 configuration files associated with 70 U.S. government and critical infrastructure identities across 12 sectors, including energy, communications, transportation, and wastewater, and assessed that such data could facilitate follow-on intrusions. Targeting described in the content extends beyond telecom. Salt Typhoon or overlapping clusters are mentioned in relation to finance, energy, and utilities sectors. Separate reporting in the content says FamousSparrow targeted a Venezuelan governmental entity connected to maritime affairs, and Bitdefender attributed an intrusion into an Azerbaijani oil and gas company to FamousSparrow with moderate-to-high confidence while noting overlap with the Earth Estries threat ecosystem. Tradecraft and operational characteristics directly mentioned in the content include long-term persistence in victim environments, movement from one telecom network to another, use of dozens of domains over at least five years, and exploitation of telecom and network infrastructure at scale. The broader reporting characterizes Salt Typhoon as part of Chinese state-backed cyber espionage and specifically links the campaign to China and, in some reporting, to China’s Ministry of State Security.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

50 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics64 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
3 techniques
T1589×2
Gather Victim Identity Information
T1590×2
Gather Victim Network Information
T1595
Active Scanning
TA0042
Resource Development
3 techniques
T1584×3
Compromise Infrastructure
T1584.008×2
Network Devices
T1588
Obtain Capabilities
T1588.002
Tool
T1608
Stage Capabilities
TA0001
Initial Access
5 techniques
T1078×4
Valid Accounts
T1133×2
External Remote Services
T1190×16
Exploit Public-Facing Application
T1195
Supply Chain Compromise
T1199
Trusted Relationship
TA0002
Execution
2 techniques
T1059×3
Command and Scripting Interpreter
T1059.001
PowerShell
T1569
System Services
T1569.002
Service Execution
TA0003
Persistence
5 techniques
T1078×4
Valid Accounts
T1133×2
External Remote Services
T1136×2
Create Account
T1505
Server Software Component
T1505.003×6
Web Shell
T1543
Create or Modify System Process
T1543.003
Windows Service
TA0004
Privilege Escalation
4 techniques
T1055×2
Process Injection
T1068
Exploitation for Privilege Escalation
T1078×4
Valid Accounts
T1543
Create or Modify System Process
T1543.003
Windows Service
TA0005
Stealth
7 techniques
T1014
Rootkit
T1055×2
Process Injection
T1070
Indicator Removal
T1070.001
Clear Windows Event Logs
T1078×4
Valid Accounts
T1140×3
Deobfuscate/Decode Files or Information
T1218
System Binary Proxy Execution
T1620
Reflective Code Loading
TA0112
Defense Impairment
1 technique
T1601
Modify System Image
TA0006
Credential Access
7 techniques
T1003
OS Credential Dumping
T1040×8
Network Sniffing
T1056
Input Capture
T1056.001
Keylogging
T1212
Exploitation for Credential Access
T1552
Unsecured Credentials
T1606
Forge Web Credentials
T1606.001
Web Cookies
T1649
Steal or Forge Authentication Certificates
TA0007
Discovery
3 techniques
T1040×8
Network Sniffing
T1046×2
Network Service Discovery
T1082
System Information Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.001
Remote Desktop Protocol
T1021.002
SMB/Windows Admin Shares
TA0009
Collection
3 techniques
T1056
Input Capture
T1056.001
Keylogging
T1123
Audio Capture
T1213×7
Data from Information Repositories
TA0011
Command and Control
4 techniques
T1071
Application Layer Protocol
T1071.001×2
Web Protocols
T1090
Proxy
T1090.002
External Proxy
T1095
Non-Application Layer Protocol
T1572
Protocol Tunneling
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

32 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
SnappyBeeBeyond the delivery mechanism, the operation is characterized by the deployment of two distinct backdoor families, Deed RAT and Terndoor, which were utilized across three separate waves of activity.16May 26, 2026
TernDoorAt some stage, remediation actions were taken and the malware was removed from at least one affected system. However, rather than abandoning the intrusion, the attackers returned to the same vulnerable Exchange server nearly a month after the initial compromise attempt. This time, instead of redeploying Deed RAT immediately, they attempted to install a different backdoor identified as Terndoor.8May 26, 2026
ShadowPadEarth Estries, also known as Salt Typhoon and a few other names, is a China-nexus APT actor, and is known to have used multiple implants such as Snappybee (Deed RAT), ShadowPad, and several more.4Apr 11, 2026
SparrowDoorTAG-141 (FamousSparrow) leveraged SparrowDoor malware against entities in Mexico, Argentina, and Chile.4Apr 2, 2026
ZingdoorDeed RAT (aka Snappybee), a successor of ShadowPad, and Zingdoor, both of which have been deployed by Earth Estries in late 2024.4May 5, 2026

27 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

23 CVEs this actor has used in observed campaigns. 23 of them exploited in the wild.

CVE-2023-20198Cisco IOS XE Web UI Authentication Bypass and Privileged Account CreationIn the wildEvidence7

The Australian Signals Directorate (ASD) recently issued a high-severity alert about an ongoing cyber attack campaign exploiting a critical vulnerability in Cisco IOS XE devices, tracked as CVE-2023-20198. This vulnerability has a perfect CVSS score of 10.0, reflecting its extreme risk, and has been actively exploited since 2023.

CVE-2022-41040ProxyNotShell SSRF in Microsoft Exchange ServerIn the wildEvidence6

The process command line contained the MSExchangePowerShellAppPool argument, indicating that the attacker exploited the Exchange server via the ProxyNotShell exploit chain... ProxyNotShell (CVE-2022-41040, CVE-2022-41082) is a related exploit chain disclosed in 2022. Both allow unauthenticated attackers to execute code on unpatched Exchange servers.

CVE-2018-0171Cisco IOS and IOS XE Smart Install Remote Code ExecutionIn the wildEvidence4

Salt Typhoon has exploited CVE-2018-0171 in the Smart Install feature of Cisco IOS and Cisco IOS XE software for initial access.

CVE-2021-26855ProxyLogon SSRF in Microsoft Exchange ServerIn the wildEvidence3

The recent FamousSparrow attacks reportedly relied on exposed web applications, ProxyLogon exploitation, and other well-known server-side vulnerabilities.

CVE-2023-20273Cisco IOS XE Web UI Post-Authentication Command Injection / Privilege EscalationIn the wildEvidence3

Salt Typhoon has exploited vulnerabilities in Cisco edge devices (notably CVE-2023-20198 and CVE-2023-20273) to gain unauthorized access to telecom networks.

18 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

129 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

129 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
hackers ariseNews
Jun 3, 2026
Mobile Network Hacking: Chinese APT and Other Hackers Have Infiltrated our Mobile Telecom System! - Hackers Arise

Referenced as an example of a state-sponsored espionage group in the telecom surveillance landscape.

Read more
bleeping computerNews
May 29, 2026
Charter Communications data breach affects 4.9 million accounts

A Chinese state-backed threat group involved in a wave of compromises affecting Charter Communications and multiple telecom providers across many countries.

Read more
register securityNews
May 29, 2026
ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak

Espionage campaign targeting US telecommunications providers.

Read more
eset welivesecurity blogNews
May 28, 2026
ESET APT Activity Report Q4 2025-Q1 2026

Espionage activity targeting a Venezuelan government entity tied to maritime affairs, likely to monitor oil shipment resilience after US intervention.

Read more
+194 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping50

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal32

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs23

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables129

Domains, IPs, and hashes tied to this actor, refreshed continuously.