Salt Typhoon: TTPs, detection, and defense

Salt Typhoon is a Chinese state-sponsored advanced persistent threat (APT) group operated by China’s Ministry of State Security (MSS). Active since at least 2019, the group has executed some of the most consequential cyber espionage campaigns in recent history — compromising U.S. telecommunications providers, government agencies, and critical infrastructure across more than 80 countries. The FBI has called it one of the most significant espionage breaches in U.S. history (FBI, August 2025).

This threat briefing explains who Salt Typhoon is, how they operate across the attack lifecycle, which tools and malware they deploy, and what defenders need to know to detect and contain their activity. It covers the group’s tactics, techniques, and procedures (TTPs) mapped to MITRE ATT&CK, breaks down the specific living-off-the-land commands they use, and provides guidance on behavioral detection strategies. SOC analysts, threat hunters, security architects, and CISOs will find actionable intelligence for strengthening defenses against Salt Typhoon and similar nation-state APT groups.

What is Salt Typhoon?

Salt Typhoon is an advanced persistent threat group linked to China’s Ministry of State Security, specializing in long-term cyber espionage campaigns against telecommunications providers, government agencies, and critical infrastructure worldwide. The group is also tracked as Earth Estries (Trend Micro), GhostEmperor (Kaspersky), FamousSparrow (ESET), and UNC2286 (Mandiant).

Unlike most espionage actors that infiltrate a network, extract data, and move on, Salt Typhoon emphasizes persistence. The group has been observed maintaining access inside compromised environments for months to years before discovery; in at least one confirmed case it held access to a telecom network for three years (Cisco, 2025). This dual-purpose posture, intelligence collection combined with the ability to disrupt services during a future crisis, aligns with broader PRC strategic objectives, including preparation for a potential confrontation over Taiwan.

Salt Typhoon’s targeting has evolved significantly since 2020. Early campaigns focused on government agencies, hotels, and technology companies in Southeast Asia and Africa. By 2024, the group had expanded aggressively into U.S. telecommunications infrastructure, compromising at least nine major carriers including AT&T, Verizon, T-Mobile, Lumen, and Charter Communications (Wall Street Journal, 2024). Internationally, victims span telecoms, consulting firms, defense contractors, chemical companies, transportation providers, and non-profit organizations across more than 20 countries (Trend Micro, 2024).

The table below maps Salt Typhoon’s naming conventions across major security vendors. This is useful for threat hunters cross-referencing intelligence reports, since the same campaign may appear under different names depending on the source.

Vendor | Alias | Primary focus
Microsoft | Salt Typhoon | Telecom, government espionage
Trend Micro | Earth Estries | Multi-sector APT campaigns
Kaspersky | GhostEmperor | Rootkit-based intrusions
ESET | FamousSparrow | Hotel, government targeting
Mandiant / Google | UNC2286 | Uncategorized cluster tracking
CrowdStrike | OPERATOR PANDA | China-nexus operations
Recorded Future | RedMike | Telecom infrastructure targeting

Major Salt Typhoon incidents and expanding scope

Salt Typhoon’s operational scope has expanded dramatically between 2023 and 2026, growing from regional espionage campaigns into one of the most geographically distributed APT operations ever publicly disclosed. The FBI confirmed in August 2025 that the group had compromised more than 200 organizations across 80 countries (FBI, 2025). The timeline below summarizes the key milestones.

Date | Event
2019–2023 | Salt Typhoon conducts espionage campaigns targeting government agencies, hotels, and tech companies across Southeast Asia and Africa.
Sep 2024 | Wall Street Journal reports Salt Typhoon compromised U.S. ISPs and broadband providers, targeting Cisco routers at network edges.
Oct 2024 | U.S. officials reveal Salt Typhoon reached the CALEA lawful-intercept (wiretap) systems of U.S. carriers and accessed call metadata for over one million users.
Dec 2024 | CISA, NSA, FBI, and Five Eyes partners release Enhanced Visibility and Hardening Guidance for Communications Infrastructure. The White House confirms a ninth major U.S. carrier compromised.
Jan 2025 | U.S. Treasury sanctions Sichuan Juxinhe Network Technology Co. FBI announces a $10 million reward.
Jun 2025 | Viasat named as a victim. Salt Typhoon expands to South American telecoms with new implants (TernDoor, PeerTime, BruteEntry).
Aug 2025 | FBI confirms 200+ organizations across 80+ countries. Joint advisory AA25-239A released. Breach of a U.S. state's Army National Guard network disclosed.
Nov 2025 | Australia's ASIO confirms Salt Typhoon probed Australian telecoms and critical infrastructure.
Dec 2025 | Intrusions detected in U.S. House of Representatives committee email systems.
Feb 2026 | Norway confirms compromise. FBI states threats are "still very much ongoing." Singapore confirms all four national telecoms breached. Senator Cantwell demands AT&T/Verizon CEO testimony.

The scope extends well beyond telecommunications. Salt Typhoon has targeted technology companies, consulting firms, chemical manufacturers, defense contractors, transportation providers, and non-profit organizations (Trend Micro, 2024). The group’s operational structure suggests multiple distinct teams responsible for different regions and verticals.

How does Salt Typhoon attack?

Salt Typhoon follows a structured, multi-stage attack sequence that combines exploitation of known vulnerabilities for initial access, deployment of custom malware for persistence, and extensive use of living-off-the-land techniques to move laterally while evading detection. The group’s hallmark is patience: campaigns unfold over months, with attackers deploying additional tools incrementally as operational needs evolve.

Initial access: exploiting public-facing servers

Salt Typhoon primarily gains entry by exploiting known, already-patched vulnerabilities in public-facing servers, network appliances, and VPN products, so the initial-access problem is largely one of patch latency on edge devices. Confirmed exploited vulnerabilities include:

  • CVE-2023-46805 and CVE-2024-21887: Ivanti Connect Secure authentication bypass and command injection, chained for unauthenticated remote code execution
  • CVE-2022-3236: Sophos Firewall code injection in the User Portal and Webadmin
  • CVE-2021-26855 (ProxyLogon): Microsoft Exchange Server server-side request forgery
  • CVE-2025-5777: Citrix NetScaler ADC and Gateway memory over-read (CitrixBleed 2)
  • Multiple Cisco IOS XE vulnerabilities targeting edge routers, including the web UI privilege escalation and command injection pair CVE-2023-20198 and CVE-2023-20273

Execution and persistence: custom malware meets native Windows tools

Once Salt Typhoon achieves remote code execution, the group deploys encrypted PowerShell scripts that install backdoors including the Demodex rootkit, SnappyBee, GhostSpider, HemiGate, Crowdoor, MASOL RAT, and Cobalt Strike beacons. Even at this early stage, built-in Windows tools minimize the forensic footprint:

PowerShell execution bypass:

powershell -ex bypass -c "<decryption_key>"

Registry persistence:

reg add "HKCU\...\CurrentVersion\Run" /v "<n>" /t REG_SZ /d "<path>" /f

Reconnaissance: mapping the domain with built-in tools

Salt Typhoon maps the Active Directory environment using native utilities:

cmd /c "net group 'domain admins' /domain"

wmic process get name,processid,commandline

Defense evasion: blending into normal operations

Defense evasion is continuous, not a discrete stage. Techniques include living-off-the-land execution, DLL sideloading through legitimate AV software (Norton, Bkav, IObit), PowerShell downgrade attacks, script encryption, log clearing, and kernel-mode rootkits (Demodex).

Credential access and privilege escalation

Credential harvesting uses Mimikatz, SnappyBee, keyloggers, and Kerberos attacks. Privilege escalation relies on Cobalt Strike, rootkits, and vulnerability exploitation within the compromised environment.

Lateral movement: spreading across the network with native tools

Salt Typhoon uses Windows administrative tools to copy and execute payloads across the network:

copy \\<target_ip>\C$\Windows\Temp\payload.bat

wmic /node:<target_ip> process call create "cmd /c ...\payload.bat"

The most notable command combines persistence, lateral movement, privilege escalation, and defense evasion in one operation: sc is pointed at a remote host, the service is set to start automatically and, with no account specified, runs as LocalSystem, the name resembles the VMware Tools VGAuth service, and the binary path launches the payload through installutil.exe, a signed Microsoft .NET utility, so the malware never appears as the service's own image:

sc \\<target_ip> create VGAuthtools type= own start= auto binpath= "C:\...\installutil.exe C:\...\malware.exe"

Command and control and data exfiltration

Persistent C2 communication uses Cobalt Strike beacons, Demodex, and dual-channel approaches combining dedicated infrastructure with legitimate services (AnonFiles, File.io, GitHub, Gmail, LightNode VPS).

Ongoing espionage and potential disruption

Salt Typhoon maintains persistent access for continuous intelligence collection and positions for potential service disruption during a geopolitical crisis. In the telecom campaign, this included access to CALEA wiretap systems and surveillance of senior government officials’ communications.

Salt Typhoon TTPs mapped to MITRE ATT&CK

The table below maps Salt Typhoon’s confirmed techniques to MITRE ATT&CK tactics, enabling threat hunters to build detection rules and validate kill chain coverage. Entries reflect TTPs from the August 2025 joint advisory (CISA AA25-239A) and multiple vendor reports.

ATT&CK tactic | Techniques observed | Salt Typhoon tools / methods
Initial Access | Exploit Public-Facing Application (T1190) | Ivanti, Sophos, Exchange, Cisco, Citrix CVEs
Execution | Command and Scripting Interpreter (T1059), Windows Management Instrumentation (T1047) | PowerShell -ex bypass, cmd /c, WMIC
Persistence | Registry Run Keys (T1547.001), Windows Service (T1543.003), Web Shell (T1505.003) | reg add, sc create with installutil abuse, web shells
Privilege Escalation | Exploitation for Privilege Escalation (T1068), Abuse Elevation Control Mechanism (T1548) | Cobalt Strike, Demodex rootkit, installutil abuse
Defense Evasion | DLL Side-Loading (T1574.002), Indicator Removal (T1070), Obfuscated Files or Information (T1027), InstallUtil proxy execution (T1218.004), Rootkit (T1014) | AV sideloading, log clearing, PowerShell downgrade, script encryption, Demodex
Credential Access | OS Credential Dumping (T1003), Input Capture (T1056), Steal or Forge Kerberos Tickets (T1558) | Mimikatz, SnappyBee, keyloggers, Kerberos attacks
Discovery | Account Discovery (T1087), Process Discovery (T1057) | net group /domain, wmic process, port scanners
Lateral Movement | Remote Services (T1021), Lateral Tool Transfer (T1570) | SMB copy to admin shares, WMIC remote exec, remote service creation, RDP
Collection | Data from Local System (T1005), Email Collection (T1114) | Data staging, email harvesting, CALEA interception
Command and Control | Application Layer Protocol (T1071), Encrypted Channel (T1573) | Cobalt Strike, Demodex, LightNode VPS, HTTP/TCP
Exfiltration | Exfiltration Over Web Service (T1567) | AnonFiles, File.io, GitHub, Gmail

How does Salt Typhoon compare to Volt Typhoon?

Salt Typhoon and Volt Typhoon are both PRC-affiliated APT groups, but they serve different strategic objectives. Understanding these differences helps defenders prioritize detection strategies.

Dimension | Salt Typhoon | Volt Typhoon
Primary mission | Cyber espionage and intelligence collection | Pre-positioning for destructive disruption
Primary targets | Telecoms, government, defense | Energy, water, transportation, military logistics
Initial access | N-day/zero-day exploits on servers, routers, VPNs | SOHO router compromise, edge device exploitation
Key technique | LotL plus a custom malware arsenal | Almost exclusively living off the land (little or no custom malware)
Dwell time | Months to years (confirmed 3-year persistence) | Years (confirmed 5+ year presence)
Scope | 200+ orgs, 80+ countries | Primarily U.S. critical infrastructure

For defenders, both groups exploit the same detection blind spot: legitimate system tools executing normal-looking commands. Stopping either requires behavioral detection that correlates activity across identity, network, and cloud layers.


Detecting Salt Typhoon-like activity with behavioral AI

Salt Typhoon’s living-off-the-land techniques make it nearly invisible to signature-based detection and endpoint-only monitoring. Detection requires correlating behavioral signals across the full attack surface: network traffic, identity behavior, and cloud activity.

The Vectra AI Platform detects Salt Typhoon-like activity by analyzing how actions unfold across environments, focusing on attacker behavior patterns rather than known indicators. During a Typhoon-style attack, the platform surfaces detections including:

  • Unusual remote execution patterns consistent with WMIC and PowerShell-based lateral movement
  • Suspicious Kerberos activity indicating credential theft or golden ticket attacks
  • Privilege anomalies where accounts suddenly escalate access beyond established baselines
  • SMB brute-force attempts and anomalous file sharing across internal segments
  • Hidden tunnels and encrypted channels characteristic of C2 communication
  • Anomalous PowerShell and Azure AD activity indicating identity-layer abuse

These signals are correlated by AI agents that automatically triage, prioritize, and visualize the full attack narrative through dynamic attack graphs, so defenders can act before the attack progresses.

How to defend against Salt Typhoon

Defending against Salt Typhoon requires a layered approach addressing exploit-based initial access, living-off-the-land execution, identity abuse, and long-term persistence. These recommendations are informed by the CISA/NSA/FBI joint advisory (AA25-239A) and observed campaign behaviors.

Patch aggressively and prioritize edge devices. Salt Typhoon’s initial access consistently relies on known CVEs in VPN appliances, firewalls, and routers. The FBI emphasized in February 2026 that basic configuration errors provided the entry points.

Deploy network detection and response across the full hybrid environment. EDR agents cannot run on routers and switches that Salt Typhoon targets. NDR provides visibility into lateral movement, identity anomalies, and encrypted C2 channels.

Monitor identity behavior continuously. Watch for anomalous domain admin enumeration, unexpected privilege escalation, unusual Kerberos activity, and service account misuse.

Implement network segmentation and zero trust. Limit lateral movement paths by segmenting critical infrastructure and enforcing least-privilege access.

Hunt proactively using the MITRE ATT&CK mapping above. Look for unusual PowerShell execution, remote service creation, WMIC remote execution, DLL sideloading, and suspicious registry modifications.

Encrypt all communications end to end. The FBI recommended end-to-end encrypted messaging in response to the telecom compromises.
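As an added example (not code from this briefing, from Vectra, or from the joint advisory), the following Python script carries out the hunt described in this section for the living-off-the-land commands quoted in the attack-chain walkthrough above: PowerShell -ex bypass, reg add to a Run key, net group "domain admins" /domain, wmic process discovery, copy to a C$ administrative share, wmic /node remote process creation, and sc \\host create with an installutil.exe binpath. Each rule is tagged with its ATT&CK technique ID so the hits can be compared against the mapping table, hits are grouped per host, and hosts showing several distinct techniques are flagged, since any single command here can also be an administrator doing their job. The event shape (loosely a Sysmon Event ID 1 record), hostnames, users, IP addresses, paths, and the PowerShell -version 2 downgrade pattern are assumptions constructed for the example.

```python
"""Hunt for Salt Typhoon-style living-off-the-land commands in process telemetry.

Added example, not code from the briefing or the joint advisory. Event shape,
hostnames, users, IPs and paths are constructed for the demonstration.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, case-insensitive regex over the command line)
RULES = [
    ("powershell_execution_policy_bypass", "T1059.001",
     r"\bpowershell(?:\.exe)?\b.*?\s-(?:ex\w*|ep)\s+bypass\b"),
    # Forcing PowerShell 2.0 sidesteps script block logging and AMSI; the -version
    # flag is an assumption, the briefing only names "PowerShell downgrade attacks".
    ("powershell_version_downgrade", "T1562.010",
     r"\bpowershell(?:\.exe)?\b.*?\s-v(?:ersion)?\s+2(?:\.0)?\b"),
    ("run_key_persistence", "T1547.001",
     r"\breg(?:\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b"),
    ("domain_admins_enumeration", "T1087.002",
     r"\bnet1?(?:\.exe)?\s+group\s+.*domain admins.*\s/domain\b"),
    ("wmic_process_discovery", "T1057",
     r"\bwmic(?:\.exe)?\s+process\s+get\b"),
    ("wmic_remote_process_create", "T1047",
     r"\bwmic(?:\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b"),
    # copy to \\host\C$\ or \\host\ADMIN$\ : tool transfer over SMB admin shares
    ("admin_share_tool_transfer", "T1570",
     r"\bcopy\b.*\\\\[^\\\s]+\\(?:[a-z]|admin)\$\\"),
    ("remote_service_creation", "T1543.003",
     r"\bsc(?:\.exe)?\s+\\\\\S+\s+create\b"),
    # Signed Microsoft .NET utility used as a proxy loader inside a service binpath.
    ("installutil_proxy_execution", "T1218.004",
     r"\binstallutil(?:\.exe)?\b"),
]
COMPILED = [(name, tid, re.compile(rx, re.IGNORECASE)) for name, tid, rx in RULES]

# Constructed sample events, roughly the fields of a Sysmon Event ID 1 record.
SAMPLE_EVENTS = [
    # dc01: the chain quoted in the briefing, placeholders filled with made-up values
    {"host": "dc01", "user": "CORP\\svc_web", "cmdline": 'powershell -ex bypass -c "<decryption_key>"'},
    {"host": "dc01", "user": "CORP\\svc_web", "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\Public\svc.exe" /f'},
    {"host": "dc01", "user": "CORP\\svc_web", "cmdline": 'cmd /c "net group \'domain admins\' /domain"'},
    {"host": "dc01", "user": "CORP\\svc_web", "cmdline": "wmic process get name,processid,commandline"},
    {"host": "dc01", "user": "CORP\\svc_web", "cmdline": r"copy C:\Windows\Temp\payload.bat \\10.0.0.23\C$\Windows\Temp\payload.bat"},
    {"host": "dc01", "user": "CORP\\svc_web", "cmdline": r'wmic /node:10.0.0.23 process call create "cmd /c C:\Windows\Temp\payload.bat"'},
    {"host": "dc01", "user": "CORP\\svc_web", "cmdline": r'sc \\10.0.0.23 create VGAuthtools type= own start= auto binpath= "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe C:\Windows\Temp\malware.exe"'},
    # fs02: version downgrade and policy bypass in a single command
    {"host": "fs02", "user": "CORP\\jsmith", "cmdline": 'powershell -v 2 -ep bypass -c "<payload>"'},
    # ws07: routine administration that must not fire
    {"host": "ws07", "user": "CORP\\helpdesk", "cmdline": r"powershell -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1"},
    {"host": "ws07", "user": "CORP\\helpdesk", "cmdline": "sc query spooler"},
    {"host": "ws07", "user": "CORP\\helpdesk", "cmdline": "wmic os get caption"},
    {"host": "ws07", "user": "CORP\\helpdesk", "cmdline": r"copy C:\logs\app.log D:\archive\app.log"},
    {"host": "ws07", "user": "CORP\\helpdesk", "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"'},
]


def detect(events):
    """Return one hit per matching (event, rule); one command can trigger several rules."""
    hits = []
    for ev in events:
        for name, tid, rx in COMPILED:
            if rx.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "user": ev["user"],
                             "rule": name, "technique": tid, "cmdline": ev["cmdline"]})
    return hits


def techniques_by_host(hits):
    """Distinct ATT&CK techniques per host. Several techniques on one host is the
    chain the briefing describes; a lone hit may be an admin doing their job."""
    per_host = defaultdict(set)
    for hit in hits:
        per_host[hit["host"]].add(hit["technique"])
    return {host: sorted(tids) for host, tids in per_host.items()}


def flag_hosts(hits, min_techniques=3):
    """Hosts whose distinct-technique count reaches the threshold."""
    return sorted(h for h, t in techniques_by_host(hits).items() if len(t) >= min_techniques)


def coverage(hits):
    """Technique IDs the rule set actually fired on, for comparison with the mapping table."""
    return sorted({hit["technique"] for hit in hits})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(f'{hit["host"]:5} {hit["technique"]:10} {hit["rule"]:32} {hit["cmdline"][:60]}')
    print("flagged hosts:", flag_hosts(found))
    print("techniques covered:", coverage(found))
```

On the constructed input, dc01 fires eight technique IDs (the sc command alone yields two: remote service creation and installutil proxy execution), fs02 fires two, and ws07 fires none, so only dc01 crosses the three-technique threshold. To run this against real telemetry, map your Sysmon or EDR fields onto host, user and cmdline; the per-host grouping is what keeps the inherently noisy rules (net group "domain admins" in particular) from paging on every helpdesk session.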
