Salt Typhoon
Salt Typhoon is a Chinese state-backed advanced persistent threat group assessed to be operated by the PRC Ministry of State Security (MSS). It is also tracked under the names GhostEmperor, FamousSparrow, Earth Estries, and UNC2286. The group has conducted cyber-espionage operations against the United States and more than 80 other countries, with a particular focus on telecommunications infrastructure, ISPs, government entities, hotels, and private companies. Reported activity includes compromise of U.S. telecom infrastructure, access to metadata on more than one million U.S. mobile phone users, and access to systems used for court-authorized wiretapping.
Salt Typhoon gains initial access by exploiting vulnerabilities, including zero-days and remote code execution flaws in business software, and is not known to use social engineering. Some infrastructure identified by Silent Push was linked to command-and-control activity for malware including the Demodex rootkit and the Snappybee and Ghostspider backdoors. Silent Push reported dozens of previously unreported domains associated with Salt Typhoon and related PRC state-backed actors, identifying 45 domains dating back to at least May 2020. These domains were reportedly registered with fake personas, non-existent U.S. addresses, and ProtonMail accounts; they commonly used the .com TLD and shared name servers including 1domainregistry.com, orderbox-dns.com, monovm.com, and naracauva.com.ru. Some domains were parked, hosted default pages, or later pointed to sinkholes, so a current lookup may show nothing suspicious even where historical resolutions do.
Silent Push also notes infrastructure overlap and similar TTPs between Salt Typhoon and UNC4841, a China-linked actor known for exploiting a Barracuda Email Security Gateway zero-day in 2023. Because the actor emphasizes long-term, stealthy access and possible pre-positioning in critical infrastructure and operational technology environments, defenders were urged to review historical DNS, telemetry, and log data (not just current resolutions) for the related domains and IPs.
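The retrospective hunt recommended above, as an added example rather than code from Silent Push or Mallory. It takes the shared name servers named on this page as a watchlist, pivots through passive-DNS NS records to find domains delegated to them, and then searches a resolver query log for internal hosts that ever resolved those domains. The NS watchlist is from the page; every domain, client IP and log line below is constructed for illustration and is not an indicator of compromise.

```python
"""Retrospective DNS hunt for domains delegated to name servers shared by
Salt Typhoon-linked infrastructure.

Added example for this page; not Silent Push's or Mallory's code.  The
name-server watchlist is taken from the page.  All domains, IPs and log
lines in the sample data are constructed and are NOT real IOCs.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Name servers the page reports as shared across the 45 Salt Typhoon-linked domains.
WATCHLIST_NS = {
    "1domainregistry.com",
    "orderbox-dns.com",
    "monovm.com",
    "naracauva.com.ru",
}


def _under(name: str, parent: str) -> bool:
    """True if name equals parent or is a subdomain of it (label-boundary aware)."""
    name, parent = name.lower().rstrip("."), parent.lower().rstrip(".")
    return name == parent or name.endswith("." + parent)


def is_watchlisted_ns(ns_host: str) -> bool:
    """ns1.orderbox-dns.com -> True; ns1.cloudflare.com -> False."""
    return any(_under(ns_host, w) for w in WATCHLIST_NS)


def domains_on_watchlisted_ns(ns_records: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each domain whose NS delegation hits the watchlist to the matching NS hosts.
    ns_records are (domain, ns_host) pairs, e.g. from passive DNS or zone history."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for domain, ns_host in ns_records:
        if is_watchlisted_ns(ns_host):
            hits[domain.lower().rstrip(".")].add(ns_host.lower().rstrip("."))
    return dict(hits)


# Constructed, BIND-like query-log format: "<ts> client <ip>#<port>: query: <qname> IN <qtype> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client\s+(?P<client>[\d.]+)#\d+:\s+query:\s+(?P<qname>\S+)\s+IN\s+(?P<qtype>\S+)"
)


def parse_query_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, qname) for each parseable query line; skip the rest."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            out.append((m["ts"], m["client"], m["qname"].rstrip(".").lower()))
    return out


def hunt(ns_records: Iterable[Tuple[str, str]], log_lines: Iterable[str]) -> Dict[str, dict]:
    """For every watchlisted domain, collect which clients resolved it (or any subdomain)
    and the first/last time they did.  ISO-8601 timestamps sort lexicographically."""
    flagged = domains_on_watchlisted_ns(ns_records)
    report: Dict[str, dict] = {}
    for ts, client, qname in parse_query_log(log_lines):
        for domain, ns_hosts in flagged.items():
            if _under(qname, domain):
                e = report.setdefault(domain, {"ns": sorted(ns_hosts), "clients": set(),
                                               "first_seen": ts, "last_seen": ts})
                e["clients"].add(client)
                e["first_seen"] = min(e["first_seen"], ts)
                e["last_seen"] = max(e["last_seen"], ts)
    for e in report.values():
        e["clients"] = sorted(e["clients"])
    return report


# ---- constructed sample data (hypothetical domains and hosts, not IOCs) ----
SAMPLE_NS_RECORDS = [
    ("telecom-support-portal.example", "ns1.orderbox-dns.com"),
    ("telecom-support-portal.example", "ns2.orderbox-dns.com"),
    ("hotel-booking-lure.example", "ns1.naracauva.com.ru"),
    ("benign-vendor.example", "ns1.cloudflare.com"),
]

SAMPLE_QUERY_LOG = [
    "2020-05-14T10:22:01Z client 10.20.30.40#51234: query: cdn.telecom-support-portal.example IN A +",
    "2021-09-03T02:11:47Z client 10.20.30.41#44310: query: telecom-support-portal.example IN TXT +",
    "2023-01-19T17:05:09Z client 10.20.30.40#60001: query: benign-vendor.example IN A +",
    "2024-11-02T08:45:33Z client 10.20.30.77#50020: query: hotel-booking-lure.example IN A +",
    "unrelated log noise that should be ignored",
]

if __name__ == "__main__":
    for domain, e in hunt(SAMPLE_NS_RECORDS, SAMPLE_QUERY_LOG).items():
        print(f"{domain}: ns={e['ns']} clients={e['clients']} "
              f"first={e['first_seen']} last={e['last_seen']}")
```

The matching is suffix-based on label boundaries, so `cdn.telecom-support-portal.example` rolls up to its parent while `notmonovm.com` does not match `monovm.com`. Run it against as much query-log history as you retain: a flagged domain that now resolves to a sinkhole or a parking page is exactly the case where only the historical resolution reveals that an internal host once reached for it.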
Salt Typhoon is a Chinese threat actor believed to be operated by the PRC’s Ministry of State Security (MSS). This group has conducted numerous high-profile cyber-espionage campaigns against the United States, as well as against over 80 other countries across the world that are geopolitical competitors with China.
Recent activity
A China-linked threat actor group involved in malicious cyber operations, with reported infrastructure overlap with UNC4841, recently associated with new domain infrastructure.
Salt Typhoon is a Chinese APT group specializing in long-term, stealthy cyber-espionage operations. It is known for targeting telecom infrastructure and ISPs globally, especially in the U.S., to obtain sensitive metadata and access to wiretapping systems. The group exploits zero-day and other vulnerabilities in public-facing servers and business software to gain unauthorized access, and deploys custom malware such as the Demodex rootkit, Snappybee, and Ghostspider backdoors for persistence and control.
Chinese state-sponsored surveillance-focused cyber threat cluster that compromised U.S. telecommunications providers to access information on high-value targets, including senior U.S. political figures.