Salt Typhoon’s Advanced Cyber Espionage Tactics: Zero-Day Exploits and DLL Sideloading

Since 2019, Salt Typhoon, a China-linked advanced persistent threat (APT) group, has been conducting sophisticated cyber espionage campaigns targeting critical infrastructure worldwide. Also known as Earth Estries, GhostEmperor, and UNC2286, the group has infiltrated telecommunications providers, energy networks, and government systems across more than 80 countries.

Exploitation of Zero-Day Vulnerabilities

Salt Typhoon has demonstrated a remarkable ability to exploit zero-day vulnerabilities in internet-facing edge devices, including products from Ivanti, Fortinet, and Cisco. Exploiting these appliances before a fix is available, or before defenders have applied it, gives the group initial access and a foothold from which to move into the internal network. Because edge devices sit outside most endpoint monitoring, timely patching, continuous vulnerability assessment, and close watch over appliance configurations are critical to safeguarding network infrastructure.

DLL Sideloading for Stealth and Persistence

To maintain a covert presence on compromised systems, Salt Typhoon relies on DLL sideloading. The technique abuses the Windows library search order: when a legitimate, usually signed, executable imports a DLL by name, the loader looks in the executable's own directory first. The group copies such an executable to a directory it controls and places a malicious DLL beside it under the expected name, so the payload runs inside a trusted, signed process. Because the executable is genuine and the DLL name is one it normally loads, signature-based scanning and allowlisting that keys on the parent process see nothing unusual; the behaviour to look for is the load itself, an unexpected DLL mapped into a trusted binary from a writable path.

Compromise of Lawful Intercept Systems

One of the more alarming aspects of Salt Typhoon’s operations is its compromise of lawful intercept systems, the interfaces telecommunications providers operate to fulfil court-authorized wiretap and records requests. Those systems are placed to see call and messaging records across a carrier's subscriber base, so an intruder who controls them inherits that same visibility: Salt Typhoon has used this access to exfiltrate sensitive metadata affecting millions of users, posing significant privacy and security risks.

Blend of Intelligence Collection and Geopolitical Influence

Salt Typhoon’s operations are not limited to intelligence gathering; they also serve geopolitical ends. A foothold in critical infrastructure lets the group monitor communications, manipulate data flows, and, should it choose to, disrupt services, capabilities that align with strategic objectives extending well beyond data collection.

Case Study: European Telecommunications Intrusion

In July 2025, analysts observed early-stage intrusion activity within a European telecommunications organization that was consistent with Salt Typhoon’s known tactics. The intrusion began with the exploitation of a Citrix NetScaler Gateway appliance, from which the attackers pivoted to Citrix Virtual Delivery Agent hosts within the organization’s Machine Creation Services subnet. The source of the initial access was traced to infrastructure potentially associated with the SoftEther VPN service, consistent with a deliberate effort to obscure the operators' origin.

Technical Sophistication and Abuse of Legitimate Software

Salt Typhoon’s technical prowess shows in its systematic abuse of legitimate software. Researchers observed the SNAPPYBEE backdoor, also known as Deed RAT, delivered to multiple internal endpoints as DLL files accompanied by legitimate executables from trusted antivirus products; the group specifically used executables from Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter as the sideloading hosts. Because the process that ends up running the payload is a signed security product, controls that trust the parent process on the strength of its signature let the backdoor execute unchallenged.
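The sideloading pattern described in the DLL Sideloading section and in the SNAPPYBEE delivery above can be hunted in endpoint telemetry. The following is an added example written for this page, not code from the researchers who reported the intrusion: it runs a same-directory-load heuristic over Sysmon Event ID 7 (Image loaded) records. The field names follow Sysmon, but the host executable's publisher is assumed to have been joined in from a separate signature lookup (Event 7 carries only the DLL's signature), and every event, path and publisher string in the sample is constructed rather than an observed indicator.

```python
"""Flag DLL-sideloading candidates in Sysmon Event ID 7 (Image loaded) telemetry.

Heuristic (added example, not a vendor rule): a DLL is loaded from the same
directory as the host executable, that directory is outside the protected
install roots, and the DLL is unsigned or signed by a different publisher
than the host executable. Every event below is constructed; the paths and
publisher strings are placeholders, not observed indicators.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where an EXE and its sibling DLLs normally share a publisher and
# where a standard user cannot drop files. Everything else is treated as writable.
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str           # Sysmon 'Image': the process executable
    image_loaded: str    # Sysmon 'ImageLoaded': the DLL that was mapped
    signed: bool         # Sysmon 'Signed' for the DLL
    signature: str       # Sysmon 'Signature': DLL publisher, "" when unsigned
    host_signature: str  # publisher of the host EXE (assumed joined in from a
                         # signature lookup; Event 7 does not carry it itself)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def in_protected_root(path: str) -> bool:
    return _norm(path).startswith(PROTECTED_ROOTS)


def sideload_reasons(ev: ImageLoadEvent) -> list[str]:
    """Return why an image load looks like sideloading; empty list means benign."""
    exe_dir = PureWindowsPath(_norm(ev.image)).parent
    dll_dir = PureWindowsPath(_norm(ev.image_loaded)).parent
    if exe_dir != dll_dir:
        return []               # classic sideloading needs the DLL beside the EXE
    if in_protected_root(ev.image):
        return []               # vendor DLLs next to the EXE under Program Files are normal
    if ev.signed and ev.signature.lower() == ev.host_signature.lower():
        return []               # same publisher: probably a legitimate portable install
    reasons = ["same-directory DLL load from an unprotected path"]
    if not ev.signed:
        reasons.append("DLL is unsigned")
    else:
        reasons.append(f"DLL publisher '{ev.signature}' differs from host publisher '{ev.host_signature}'")
    return reasons


def scan(events: list[ImageLoadEvent]) -> dict[str, list[str]]:
    """Map each suspicious DLL path to its list of reasons."""
    findings = {}
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            findings[ev.image_loaded] = reasons
    return findings


# Constructed sample telemetry: two sideload candidates, three benign loads.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Users\Public\Music\avupdate\avupdate.exe",
                   r"C:\Users\Public\Music\avupdate\avcore.dll",
                   signed=False, signature="", host_signature="AV Vendor A"),
    ImageLoadEvent(r"C:\ProgramData\mf\mf.exe",
                   r"C:\ProgramData\mf\mfhelper.dll",
                   signed=True, signature="Unrelated Publisher", host_signature="AV Vendor B"),
    ImageLoadEvent(r"C:\Program Files\Vendor\app.exe",
                   r"C:\Windows\System32\kernel32.dll",
                   signed=True, signature="Microsoft Windows", host_signature="Vendor Inc."),
    ImageLoadEvent(r"C:\Program Files\Vendor\app.exe",
                   r"C:\Program Files\Vendor\helper.dll",
                   signed=True, signature="Vendor Inc.", host_signature="Vendor Inc."),
    ImageLoadEvent(r"C:\Users\alice\Downloads\tool\tool.exe",
                   r"C:\Users\alice\Downloads\tool\tool.dll",
                   signed=True, signature="Tool Co", host_signature="Tool Co"),
]

if __name__ == "__main__":
    for dll, why in scan(SAMPLE_EVENTS).items():
        print(dll, "->", "; ".join(why))
```

The protected-root check keeps noise down but also means a sideload planted under Program Files by an attacker who already has administrative rights is missed; a production rule would drop that exemption for executables known to be abused as sideloading hosts, identified by hash or original filename, and would add the DLL's hash to the alert so it can be pivoted on across the fleet.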

Command-and-Control Communications

Once established, the backdoor communicates with command-and-control servers hosted on LightNode VPS endpoints, using both HTTP and an unidentified TCP-based protocol. The HTTP traffic consists of POST requests with distinctive URI patterns to domains recently linked to Salt Typhoon infrastructure. Because the channel rides on ordinary outbound web traffic, it blends with normal browsing while giving the operators persistent access to and control over the compromised hosts; the regularity of the check-ins and the repeated URI structure are the properties defenders can key on.
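Since the real URI patterns and C2 domains are not reproduced here, the check-in regularity is the property a defender can test for from proxy logs. The following is an added example, not a detection from the original report: it groups POST requests by client and destination host and flags pairs whose inter-request gaps are nearly constant. The single-line log format, the thresholds and every entry in SAMPLE_LOG are constructed for the example; the destination uses a TEST-NET address rather than a real indicator.

```python
"""Find periodic HTTP POST beacons in web-proxy logs.

Added example, not a rule from the report: the backdoor was seen posting to
C2 hosts on a recurring basis, so this groups POST requests by
(client, destination host) and flags groups whose inter-request gaps are
nearly constant. The log format and every line in SAMPLE_LOG are constructed;
destinations use TEST-NET addresses, not real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    ts: datetime
    src: str
    method: str
    host: str
    path: str


@dataclass(frozen=True)
class Beacon:
    src: str
    host: str
    hits: int
    mean_gap_s: int      # average seconds between POSTs
    cv: float            # stdev/mean of the gaps; near 0 means clockwork timing
    paths: tuple         # distinct URI paths seen, useful for pivoting to other hosts


def parse_line(line: str) -> Request:
    """Parse the constructed format: '<iso-time> <client-ip> <method> <url> <status> <bytes>'."""
    ts, src, method, url, _status, _size = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    parts = urlsplit(url)
    return Request(when, src, method.upper(), parts.netloc, parts.path or "/")


def find_beacons(lines, min_hits: int = 5, max_cv: float = 0.2) -> list[Beacon]:
    """Return (client, host) pairs whose POST timing is regular enough to look like a beacon."""
    groups: dict[tuple, list[Request]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        req = parse_line(line)
        if req.method == "POST":
            groups[(req.src, req.host)].append(req)

    beacons = []
    for (src, host), reqs in groups.items():
        if len(reqs) < min_hits:
            continue                       # too few samples to judge periodicity
        reqs.sort(key=lambda r: r.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                       # all requests in the same second: not a sleep loop
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append(Beacon(src, host, len(reqs), round(avg), round(cv, 3),
                                  tuple(sorted({r.path for r in reqs}))))
    return beacons


# Constructed proxy log: one ~5-minute POST beacon from 10.20.5.17 to 203.0.113.10
# (with small jitter), ordinary browsing from the same host, and bursty but
# irregular POSTs from 10.20.5.19 that should not be flagged.
SAMPLE_LOG = """
2025-07-01T10:00:00Z 10.20.5.17 POST http://203.0.113.10/api/v1/sync 200 612
2025-07-01T10:00:07Z 10.20.5.17 GET http://www.example.org/ 200 14822
2025-07-01T10:00:00Z 10.20.5.19 POST http://forms.example/submit 200 310
2025-07-01T10:00:20Z 10.20.5.19 POST http://forms.example/submit 200 298
2025-07-01T10:05:03Z 10.20.5.17 POST http://203.0.113.10/api/v1/sync 200 608
2025-07-01T10:07:45Z 10.20.5.19 POST http://forms.example/submit 200 305
2025-07-01T10:08:00Z 10.20.5.19 POST http://forms.example/submit 200 301
2025-07-01T10:09:58Z 10.20.5.17 POST http://203.0.113.10/api/v1/sync 200 615
2025-07-01T10:15:02Z 10.20.5.17 POST http://203.0.113.10/api/v1/sync 200 610
2025-07-01T10:20:00Z 10.20.5.17 POST http://203.0.113.10/api/v1/sync 200 611
2025-07-01T10:24:57Z 10.20.5.17 POST http://203.0.113.10/api/v1/sync 200 607
2025-07-01T10:31:10Z 10.20.5.19 POST http://forms.example/submit 200 299
"""

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{b.src} -> {b.host}: {b.hits} POSTs every ~{b.mean_gap_s}s (cv={b.cv}) paths={b.paths}")
```

The coefficient-of-variation test tolerates the few seconds of jitter most implants add, but an implant that randomizes its sleep widely will push the CV above the threshold; in practice this check is paired with a newly-seen-destination filter and with a search for the same URI structure against other hosts, so that the beacon hits and the distinctive paths reinforce each other rather than either standing alone.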

Implications for Organizations

Salt Typhoon’s activity highlights the evolving nature of cyber threats and the need for organizations to adopt comprehensive security measures. Regular patching of internet-facing devices, monitoring network appliances for unauthorized configuration changes, and detection engineered around the behaviours seen in these intrusions (signed binaries loading unexpected DLLs from writable paths, periodic POST traffic to newly seen hosts) are essential steps in mitigating the risk posed by such sophisticated threat actors.

Conclusion

Salt Typhoon’s use of zero-day exploits and DLL sideloading underscores the group’s advanced capabilities and strategic objectives. By compromising critical infrastructure and lawful intercept systems, it poses significant challenges to global cybersecurity. Organizations must remain vigilant and proactive in their defenses to counter such persistent and evolving threats.