🇨🇳 Salt Typhoon
🇨🇳 Salt Typhoon is a tracked threat actor in the Clankerusecase corpus. Attributed to CN. Primary motivation: State. We map 26 detection use cases to this actor across 51 MITRE ATT&CK techniques, with 4 threat-intel articles citing the actor. Active in our corpus from 2025-11-06 to 2026-05-28.
crit: 4
Use cases: 26
Articles: 4
Techniques: 51
IOCs: 1
Known aliases
Salt Typhoon, GhostEmperor, FamousSparrow, Earth Estries
Top techniques
All other tracked techniques
T1003 · OS Credential Dumping
T1003.001 · LSASS Memory
T1021.004 · SSH
T1027 · Obfuscated Files or Information
T1036.005 · Match Legitimate Resource Name or Location
T1040 · Network Sniffing
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol
T1055.012 · Process Hollowing
T1059.001 · PowerShell
T1059.003 · Windows Command Shell
T1059.005 · Visual Basic
T1059.007 · JavaScript
T1071 · Application Layer Protocol
T1071.001 · Web Protocols
T1071.004 · DNS
T1095 · Non-Application Layer Protocol
T1098.004 · SSH Authorized Keys
T1102.002 · Bidirectional Communication
T1105 · Ingress Tool Transfer
T1110.002 · Password Cracking
T1136 · Create Account
T1195.002 · Compromise Software Supply Chain
T1203 · Exploitation for Client Execution
T1204.001 · Malicious Link
T1204.004 · Malicious Copy and Paste
T1218 · System Binary Proxy Execution
T1219 · Remote Access Tools
T1486 · Data Encrypted for Impact
T1539 · Steal Web Session Cookie
T1546.016 · Installer Packages
T1547.001 · Registry Run Keys / Startup Folder
T1555.003 · Credentials from Web Browsers
T1560 · Archive Collected Data
T1566 · Phishing
T1566.001 · Spearphishing Attachment
T1566.002 · Spearphishing Link
T1567 · Exfiltration Over Web Service
T1567.002 · Exfiltration to Cloud Storage
T1568.002 · Domain Generation Algorithms
T1569.002 · Service Execution
T1572 · Protocol Tunneling
T1574.002 · DLL Side-Loading
T1587.001 · Malware
T1588.002 · Tool
T1590.004 · Network Topology
T1602.002 · Network Device Configuration Dump
T1685.006 · Clear Linux or Mac System Logs
T1686 · Disable or Modify System Firewall
Detection use cases (26)
Salt Typhoon (Earth Estries) GhostSpider/SnappyBee DLL sideloading via signed Notepad++/MSDTC/.NET hosts with external TLS C2
Salt Typhoon LSASS credential extraction + packet-capture deployment on telecom / network-engineering hosts (lawful-intercept targeting)
Trojanized axios npm package postinstall: node.exe spawned from plain-crypto-js dependency
axios RAT Windows persistence: %PROGRAMDATA%\wt.exe drop + %TEMP%\6202033.vbs/.ps1 staging
axios RAT C2 callout to sfrclak.com / 142.11.206.73:8000
Phishing-link click correlated to endpoint execution
Email attachment opened from external sender
Office app spawning script/LOLBin child process
Ransomware-style mass file rename / extension change
LSASS process access / dump (credential theft)
Remote service execution — PsExec / SMB lateral movement
Trusted vendor binary / installer launching unusual children
Non-browser process posting to Slack Web API (LaxGopher C2)
Non-browser process posting to Discord API (RatGopher C2)
Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN
Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit)
Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m)
Authentication not detected on admin API endpoint
AWS S3 bucket ACL / policy made public
DNS tunneling / TXT-heavy domain queries
Excessive resource consumption of third-party API
GitHub personal access token created
GitHub SSH key added from suspicious IP
GitLab personal access token generated
JWT authentication bypass attempt
Local File Inclusion (LFI) exploited
Threat-intel articles (4)
crit ESET APT Activity Report Q4 2025–Q1 2026 · 2026-05-28
crit GopherWhisper: A burrow full of malware · 2026-04-23
crit ESET APT Activity Report Q2 2025–Q3 2025 · 2025-11-06
Tracked indicators
IP addresses (1)
43.231.113.50
CVEs (2)
CVE-2024-42009 CVE-2025-8088