Salt Typhoon Cyber Espionage Campaign Targeting U.S. Telecom and Government Networks
Salt Typhoon, a threat group linked to the People’s Republic of China, conducted a multiyear cyber espionage campaign targeting major U.S. telecom providers such as Verizon, AT&T, and T-Mobile, compromising the data of hundreds of millions of users. The campaign is considered by U.S. officials to be the most significant cyber espionage operation in history, with attackers gaining access to sensitive information including call logs, unencrypted texts, and audio from high-ranking political figures, as well as targeting law enforcement intercept backdoors and military networks. The group’s activities have raised concerns about potential election interference, political blackmail, and threats to national security.
Salt Typhoon exploited unpatched, end-of-life, and forgotten network perimeter devices—such as routers, VPNs, and firewalls—using sophisticated “living off the land” tactics to establish long-term persistence and evade detection. The attackers stole administrator credentials, network traffic diagrams, and personal information from military and state cybersecurity personnel, using this intelligence to fuel further intrusions. The campaign highlights the urgent need for organizations to address technical debt and proactively secure legacy infrastructure, as reactive patching cannot undo compromises on already breached devices.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Commentary urges proactive defense for forgotten devices after espionage concerns
A subsequent October 2025 reference emphasized shifting from reactive security to proactive cyber defense, particularly for neglected or forgotten devices exposed during nation-state espionage activity. This reflects an evolution in the public response to the Salt Typhoon-related threat environment.
Salt Typhoon campaign prompts calls to reconfigure U.S. cyber strategy
By October 2025, analysis of the Salt Typhoon espionage activity had driven public calls to rethink U.S. cyber strategy and resilience against nation-state intrusions. The references frame the campaign as a significant enough development to spur debate over proactive defense and protection of overlooked devices.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Salt Typhoon Cyber Espionage Campaign Targeting U.S. Critical Infrastructure
U.S. officials and cybersecurity experts have highlighted the ongoing threat posed by nation-state actors, particularly the Chinese-linked group known as Salt Typhoon, which has conducted widespread cyber intrusions targeting critical American infrastructure. These campaigns have focused on stealing intellectual property, surveilling government officials, and pre-positioning within essential networks such as airports, hospitals, water treatment facilities, and telecom providers, with the intent to disrupt services or gather intelligence at a time of their choosing. The persistence and sophistication of these operations underscore the urgent need for coordinated defense efforts between government agencies and the private sector, as most critical infrastructure is privately owned or operated. Recent incidents attributed to Salt Typhoon include the compromise of multiple U.S. telecom networks, with attackers maintaining access for nearly a year before detection. These breaches exemplify the evolving nature of hybrid and cross-domain threats, where cyber intrusions can cascade into physical and reputational risks. Security leaders are being urged to adopt new, asymmetric approaches to risk management, breaking down traditional silos and ensuring that intelligence and response capabilities keep pace with the rapidly changing threat landscape.
Mar 21, 2026
Salt Typhoon Espionage Attack on European Telecommunications Provider
Salt Typhoon, a China-linked advanced persistent threat (APT) group, conducted a sophisticated cyber espionage campaign targeting a European telecommunications organization. The attackers gained initial access by exploiting a Citrix NetScaler Gateway appliance, then moved laterally to internal Citrix Virtual Delivery Agent hosts. They used DLL sideloading via legitimate antivirus software to deploy the SNAPPYBEE (Deed RAT) backdoor, leveraging LightNode VPS endpoints and non-standard protocols for command-and-control to evade detection. The operation was detected by Darktrace and highlights the group’s focus on intelligence collection and geopolitical influence across critical infrastructure sectors. Security experts emphasize the evolving tactics, techniques, and procedures (TTPs) of Salt Typhoon, including the exploitation of zero-day vulnerabilities and outdated infrastructure. The incident underscores the challenges of defending public-facing appliances and the importance of robust network visibility and proactive threat detection. Organizations in telecommunications and other critical sectors are urged to strengthen their defenses against state-sponsored threats by improving monitoring, patch management, and incident response capabilities.
Mar 21, 2026
Salt Typhoon Intrusion Attempt on European Telecommunications Provider via Citrix NetScaler Exploit
Salt Typhoon, a Chinese state-linked advanced persistent threat (APT) group, attempted to infiltrate a European telecommunications organization by exploiting a vulnerability in a Citrix NetScaler Gateway appliance. The attack was first detected by Darktrace in July 2025, when threat activity consistent with Salt Typhoon’s known tactics, techniques, and procedures (TTPs) was observed. The group, also known as Earth Estries, GhostEmperor, and UNC2286, has a history of targeting telecoms and digital infrastructure globally, with previous campaigns against U.S. telecoms and ongoing interest in European targets. Initial access was achieved through the exploitation of the Citrix NetScaler Gateway, a method frequently used by Salt Typhoon to compromise network equipment. After breaching the gateway, the attackers moved laterally within the organization, targeting Citrix Virtual Delivery Agent hosts in the Machine Creation Services (MCS) subnet. The group deployed the SNAPPYBEE (also known as Deed RAT) backdoor, a tool commonly shared among Chinese APT groups, to establish command and control (C2) within the compromised environment. The C2 infrastructure utilized LightNode VPS endpoints and communicated over both HTTP and an unidentified TCP-based protocol, demonstrating the group’s use of non-standard and layered protocols to evade detection. To maintain stealth and persistence, Salt Typhoon employed DLL sideloading techniques, delivering malicious DLLs alongside legitimate antivirus executables such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter. This allowed the attackers to execute their payloads under the guise of trusted software, bypassing traditional security controls. The group’s tactics included abusing legitimate software for stealth and execution, a hallmark of their operations. Darktrace analysts noted that the pattern of activity closely matched Salt Typhoon’s previous campaigns, reinforcing attribution to the group. The intrusion was detected before the attackers could achieve deeper compromise or exfiltrate sensitive data, highlighting the importance of proactive threat detection. The incident underscores the persistent threat posed by Chinese cyberespionage actors to the telecommunications sector, particularly through the exploitation of known vulnerabilities in widely used network appliances. The Five Eyes intelligence alliance and other international partners have previously warned about Salt Typhoon’s global targeting of communications infrastructure. The group’s operations are believed to be conducted by private hacking firms contracted by Chinese government agencies, as revealed by earlier data leaks. The attempted breach demonstrates the evolving sophistication of state-sponsored cyber operations and the need for robust security measures in critical infrastructure sectors. The use of advanced lateral movement, stealthy persistence mechanisms, and shared malware tools reflects the group’s technical capabilities. The incident also highlights the value of threat intelligence sharing and rapid response in mitigating nation-state cyber threats. Ongoing monitoring and patching of network equipment vulnerabilities remain essential defenses against such targeted attacks. The European telecom’s timely detection and response prevented further escalation and potential operational impact. This event adds to the growing body of evidence regarding Salt Typhoon’s focus on global telecommunications espionage.
Mar 21, 2026