The Chinese threat actor known as Salt Typhoon has been spying on some high-value government and telecommunications organizations for several years now, recently debuting fresh backdoor malware, dubbed GhostSpider.
Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) is among the People’s Republic’s most cutting-edge advanced persistent threats (APTs). In a campaign stretching back to 2023, it has compromised more than 20 organizations. Those organizations tend to be of the highest order, from all corners of the globe, and their breaches have in some cases remained undetected for years. Most recently, it’s been known for targeting US telcos, including T-Mobile USA, and ISPs in North America.
Salt Typhoon’s Arsenal of Malware
With access to a targeted network, the APT that Trend Micro calls Earth Estries can deploy any one of its varied and powerful payloads, which it is consistently building out, according to a new analysis from the firm.
There’s Masol RAT — a cross-platform tool it’s used against Linux servers from Southeast Asian governments — and the modular SnappyBee (aka Deed RAT). The newly discovered GhostSpider, meanwhile, is a highly modular backdoor, adjustable for any particular attack scenario, according to Jon Clay, Trend Micro’s vice president of threat intelligence.