Salt Typhoon (G1045): Persistent PRC State-Backed Espionage Threat
- Suspected Origin
- People's Republic of China (PRC)
- Motivation
- Espionage, Intelligence Collection, Data Exfiltration, Counterintelligence, Pre-positioning for Disruption
- Aliases
- None documented
- Target Sectors
- Telecommunications, Internet Service Providers, Government, Defense, Energy, Transportation, IT, Technology, Consulting, Hospitality, Healthcare
- Associated Malware
- Demodex, JumbledPath, GhostSpider, Masol RAT, SnappyBee, Mimikatz, CobaltStrike, Powercat
Overview
Salt Typhoon, tracked by MITRE as G1045, is a formidable advanced persistent threat (APT) group with confirmed ties to the People’s Republic of China (PRC) and specifically, its Ministry of State Security (MSS). This actor has been active since at least 2019, primarily engaging in sophisticated cyber espionage campaigns aimed at long-term intelligence collection and strategic pre-positioning within critical infrastructure. Unlike many espionage groups that conduct smash-and-grab operations, Salt Typhoon emphasizes persistence, often embedding themselves within target networks for months or even years without detection.
The group’s motivation extends beyond mere data theft; it includes extensive signals intelligence acquisition, counterintelligence, and the establishment of access that could be leveraged for disruptive cyber operations during potential geopolitical conflicts, particularly concerning Taiwan. While their initial focus was predominantly on U.S. telecommunications and internet service providers (ISPs), Salt Typhoon has expanded its targeting significantly, compromising over 200 organizations across more than 80 countries. Their victimology now spans government agencies, defense contractors, energy, transportation systems, information technology services, healthcare, and even hospitality sectors, aiming to gather sensitive communications, intellectual property, and critical operational data.
Tactics & Techniques
Salt Typhoon’s operational methodology is characterized by a blend of exploiting known vulnerabilities and extensive “living-off-the-land” (LOTL) techniques to maintain stealth and persistence. Initial access frequently involves exploiting publicly exposed vulnerabilities in network edge devices such as firewalls, VPNs, and routers from vendors like Cisco, Palo Alto Networks, Ivanti, Sophos, and Microsoft Exchange. They have been observed leveraging older CVEs as well as more recent ones, including vulnerabilities in Ivanti Connect Secure, Sophos Firewall, and Cisco IOS XE. In some instances, they have gained entry via weakly configured remote access services or by pivoting from compromised third-party contractor systems.
Once inside, Salt Typhoon demonstrates a high level of sophistication in privilege escalation and lateral movement. They commonly harvest credentials, sometimes even from packet captures of authentication traffic like TACACS+, and use compromised passwords to move within networks. For persistence, they deploy custom web shells and leverage legitimate system tools and built-in network utilities, including PowerShell, Windows Management Instrumentation (WMI), BITSAdmin, CertUtil, and registry manipulation. The group is adept at modifying access-control lists (ACLs), exposing services like SSH, RDP, or FTP on non-standard ports, and creating tunnels using protocols such as Generic Routing Encapsulation (GRE) or IPsec directly on network devices to facilitate remote access and data exfiltration. Their defense evasion tactics include encrypting traffic, clearing logs, and employing anti-forensic and anti-analysis techniques to conceal their presence.
Notable Campaigns
Salt Typhoon’s activity timeline highlights a strategic and evolving threat. Early operations, dating back to 2019, primarily focused on infiltrating global telecommunications providers. A significant turning point came in 2023, when investigators linked intrusions at global telecom providers back to Chinese infrastructure.
In 2023, the group was also implicated in an incident where stolen signing keys were used to forge authentication tokens, leading to unauthorized access to U.S. government email accounts. The years 2023-2024 saw concentrated campaigns against telecommunications sectors, with major U.S. carriers such as AT&T, Verizon, T-Mobile, Lumen Technologies, Charter Communications, Consolidated Communications, and Windstream falling victim. These breaches reportedly compromised extensive call records and metadata, affecting millions of individuals, and in some cases, private communications of high-profile government or political figures, including those involved in the Trump and Harris presidential campaigns.
Concurrently, Salt Typhoon exploited a critical flaw in Cisco’s IOS XE software in 2024, deploying malicious code into network devices and establishing GRE tunnels for data exfiltration, impacting providers in several countries, including Canada. The group’s reach expanded further in 2024 with a notable breach of an unnamed U.S. state’s Army National Guard network, where they gained control of privileged accounts, administrator credentials, and critical network diagrams. In December 2025, intrusions attributed to Salt Typhoon were detected in several United States House of Representatives committees. By mid-2025, their scope broadened to include space-based networks, with Viasat being named as a victim. Most recently, in April 2026, Salt Typhoon was suspected in a breach of an IBM Italy subsidiary, affecting IT infrastructure for Italian public and private organizations. A joint cybersecurity advisory from 13 countries in September 2025 revealed the group had compromised hundreds of organizations across more than 80 countries.
Associated Malware & Tools
Salt Typhoon leverages a diverse and evolving arsenal of malware and tools to achieve its objectives. Among their custom developments is a Windows kernel-mode rootkit known as Demodex, which provides them with deep, remote control over targeted servers and employs anti-forensic techniques. They have also used a custom backdoor utility called JumbledPath, designed to monitor network traffic and capture sensitive data at critical network junctions.
More recently, Salt Typhoon has incorporated the sophisticated GhostSpider backdoor into its campaigns. GhostSpider is highly modular, operates entirely in memory, and uses encrypted communications with command-and-control (C2) servers, making it particularly difficult to detect and analyze. This backdoor is adaptable to various attack scenarios, allowing the deployment of specific modules for different espionage objectives. Other identified malware and tools include Masol RAT, a cross-platform remote access Trojan used against Linux servers, and SnappyBee (also known as Deed RAT). Beyond their custom toolset, Salt Typhoon is also known to utilize commercially available and legitimate tools for post-exploitation activities, such as Mimikatz, CobaltStrike, and Powercat, often in conjunction with LOTL binaries like PsExec and SMB for lateral movement.
Current Status
Salt Typhoon remains an exceptionally active and ongoing threat. The FBI confirmed in February 2026 that the threats posed by Salt Typhoon are “still very much ongoing” and continue to impact both U.S. private and public sectors globally. Intelligence assessments indicate that the group will likely broaden its focus and deepen its footholds in U.S. networks, extending attacks to other critical infrastructure sectors and developing more advanced malware and zero-day exploits. Recent observations in early July 2026 confirm a resurgence in the use of the GhostSpider backdoor in their ongoing campaigns. This sustained activity and the group’s demonstrated capabilities underscore its classification as a critical, long-term adversary for organizations worldwide.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call