Salt Typhoon is a highly sophisticated and persistent cyber espionage group conclusively attributed to China's Ministry of State Security (MSS). Operating under various aliases — including Earth Estrie and Ghost Emperor — the group executes long-term, stealth-oriented campaigns aligned with the strategic objectives of the Chinese state. Its primary mission is not financial gain or disruptive sabotage but sustained intelligence gathering, focusing on critical infrastructure, government entities, and technology sectors globally.
The group's landmark operation — the 2024 compromise of at least nine major U.S. telecommunications providers — has been described by senior U.S. officials as the "worst telecom hack in our nation's history." This intrusion enabled the actor to access not only vast amounts of subscriber metadata but also the content of legally authorized law enforcement wiretaps, effectively turning a U.S. intelligence tool into a foreign surveillance asset.
Salt Typhoon's methodology is characterized by a pragmatic and patient approach. The group overwhelmingly favors exploiting known, unpatched vulnerabilities in public-facing infrastructure and employs an extensive repertoire of "Living off the Land" (LotL) techniques. By using legitimate system tools like PowerShell and WMI, they blend seamlessly with normal administrative activity, allowing them to maintain a low-and-slow presence and evade detection for months or even years. This is augmented by a custom arsenal of advanced malware, including the Demodex kernel-mode rootkit and the GhostSpider backdoor, deployed for stealth, persistence, and data exfiltration in high-value environments.
Countering a state-sponsored adversary of this caliber requires a fundamental shift away from reactive, signature-based security models. An effective defense must be proactive, intelligence-led, and founded on the principle of "assume breach." Mjolnir Security delivers a suite of integrated services designed specifically to address this type of advanced, persistent threat.
Part I: Attribution & Geopolitical Mandate
1.1 Attribution to China's Ministry of State Security (MSS)
There is a broad consensus within the global intelligence and cybersecurity communities that Salt Typhoon operates as an operational arm of the People's Republic of China's (PRC) Ministry of State Security (MSS). The MSS is China's primary civilian intelligence, security, and secret police agency, responsible for both foreign intelligence and domestic counter-intelligence.
The group's campaigns are characterized by a focus on targets that align directly with the known intelligence requirements of the Chinese state: military technology, sensitive intellectual property, political intelligence on foreign adversaries, and deep access into global critical infrastructure. Unlike financially motivated cybercrime syndicates, Salt Typhoon's activities do not involve ransomware or overt extortion; their currency is information and strategic access.
Official actions by the U.S. government have solidified this attribution. The FBI and CISA have issued joint advisories confirming the group's campaigns against U.S. infrastructure. The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned entities, such as Sichuan Juxinhe Network Technology Co., LTD., for direct involvement with Salt Typhoon's operations. As is standard diplomatic practice, the Chinese government has denied all allegations.
The "Typhoon" Constellation: A Family of Threats
Salt Typhoon does not operate in a vacuum. It is one of several major PRC-linked threat actors designated with the "Typhoon" suffix, each appearing to have a distinct yet complementary mission set. Understanding Salt Typhoon's role requires seeing it as part of a larger, coordinated national cyber strategy.
- Salt Typhoon: The premier espionage and surveillance specialist. Focuses on long-term, stealthy infiltration of high-value networks, particularly telecommunications, to conduct surveillance and exfiltrate sensitive data. Its goal is intelligence acquisition.
- Volt Typhoon: Focuses on gaining and maintaining persistent access to critical infrastructure networks (energy, water, transportation) in the U.S. and its territories. Its activities are widely seen as preparation for potential future disruptive or destructive attacks in the event of a geopolitical conflict. Its goal is operational readiness.
- Flax Typhoon: Known for compromising vast numbers of IoT and SOHO devices to build large-scale botnets. This network of compromised devices serves as operational relay infrastructure for other Chinese APT groups, helping to obfuscate their origins and launch attacks. Its goal is to build and maintain the tools of cyber warfare.
The distinct but interlocking missions of these groups — intelligence (Salt), operations (Volt), and logistics (Flax) — mirror the classical structure of a modern military or intelligence directorate. This suggests specialized divisions within a unified command executing a comprehensive national cyber strategy. An intrusion by one actor could be a precursor to, or supported by, the activities of another.
A Threat Actor of Many Names
The challenge of tracking this adversary is compounded by the variety of names used by different cybersecurity vendors:
| Alias | Vendor |
|---|---|
| Salt Typhoon | Microsoft |
| Earth Estrie | Trend Micro |
| Ghost Emperor | Kaspersky Lab |
| FamousSparrow | ESET |
| UNC2286 | Mandiant |
| LIMINAL PANDA | Adarma |
The Anthropology of a State Espionage Group
2.1 Organizational Structure: A Division of Labor
Evidence strongly indicates that Salt Typhoon is not a monolithic entity but a well-organized collective with a clear division of labor. Trend Micro's analysis suggests that attacks targeting different regions and industries are launched by distinct teams, and that the command-and-control (C2) infrastructure is managed by separate, specialized units.
This compartmentalized and specialized structure provides several strategic advantages: simultaneous execution of multiple complex campaigns globally, deep subject-matter expertise within teams, and enhanced operational security — the disruption of one team is less likely to compromise the entire organization. This is not indicative of a loose collective but of a professional, state-directed enterprise with formal organizational planning.
2.2 Operational Philosophy: The Primacy of Stealth and Persistence
The core cultural tenet of Salt Typhoon is the prioritization of stealth and persistence above all else. Their primary objective is to establish and maintain long-term, undetected access to target networks for continuous intelligence gathering. This philosophy is evident in their exceptionally long dwell times, with campaigns often remaining active for one to two years, or even longer, before discovery.
This focus on stealth manifests directly in their TTPs: meticulously covering tracks, employing anti-forensic techniques such as disabling or clearing system logs, and preferring "Living off the Land" techniques to hide in the noise of normal network administration. This patient, low-and-slow approach is the behavioral signature of an espionage agency, not a smash-and-grab cybercriminal.
2.3 A Pragmatic and Resourceful Arsenal
Salt Typhoon's approach to tooling reflects a culture of professional pragmatism. The organization invests significant resources in developing highly sophisticated, bespoke malware when the mission demands it — the Demodex kernel-mode rootkit, for example, is a complex piece of software designed to provide the highest level of stealth. At the same time, they leverage the broader cybercrime ecosystem, using shared backdoors like SnappyBee and potentially utilizing Malware-as-a-Service (MaaS) platforms. This blended arsenal is the hallmark of a mature, well-funded, and operationally efficient intelligence organization.
A History of High-Stakes Espionage
3.1 Global Victimology
Salt Typhoon's operational history, active since at least 2019, reveals a consistent and strategic pattern of targeting that underscores its mission as a global intelligence-gathering apparatus. While its most high-profile attacks have been against the United States, its operational footprint is truly global with confirmed victims on nearly every continent. Their targeting doctrine focuses on sectors yielding the highest intelligence value:
- Telecommunications and ISPs: The primary target set. Compromising the core infrastructure of companies like Verizon, AT&T, and T-Mobile provides a powerful vantage point for mass surveillance and access to immense volumes of data-in-transit.
- Government Agencies: Direct targeting provides access to sensitive political, policy, and national security information.
- Technology and Cybersecurity Firms: Valuable for theft of intellectual property and for counterintelligence purposes — understanding and potentially subverting the capabilities of those trying to track them.
- Hospitality Sector: A classic intelligence tactic, likely used to monitor the movements, meetings, and communications of high-value foreign government officials and executives traveling abroad.
3.2 Case Study: The 2024 U.S. Telecommunications Breach
The campaign against U.S. telecommunications providers, which began as early as 2022 but was publicly disclosed in late 2024, stands as Salt Typhoon's most audacious and impactful operation to date.
The intrusion compromised at least nine major U.S. providers, including Verizon, AT&T, T-Mobile, Lumen Technologies, and Spectrum. The attackers gained initial access by exploiting known vulnerabilities in Cisco routers and switches.
The most alarming aspect was the group's successful infiltration of the systems used to comply with the Communications Assistance for Law Enforcement Act (CALEA). CALEA requires carriers to build capabilities for court-authorized electronic surveillance. By compromising these systems, Salt Typhoon achieved a staggering intelligence victory:
- Metadata access: Phone numbers, IP addresses, and timestamps of millions of calls and text messages, primarily from the Washington D.C. metro area.
- Wiretap content: In some cases, actual audio recordings from legally authorized wiretaps.
- High-value surveillance: Communications of senior U.S. officials and political figures, including staff from the 2024 Kamala Harris presidential campaign and phones associated with Donald Trump and JD Vance.
By compromising the CALEA system, Salt Typhoon did more than steal data — they subverted a critical tool of U.S. law enforcement. They gained insight into the U.S. government's own intelligence priorities by seeing who was being targeted for surveillance, then piggybacked on that collection. This demonstrates an exceptionally sophisticated understanding of U.S. infrastructure and a bold strategic mandate far beyond simple data theft.
Senator Mark Warner, Chair of the Senate Intelligence Committee, called it the "worst telecom hack in our nation's history," making prior Russian cyber operations look like "child's play" in comparison. The aftermath has included a multi-agency investigation, a $10 million FBI bounty for information on Salt Typhoon members, Treasury Department sanctions, and a push by the FCC for new mandatory cybersecurity regulations for the telecommunications industry.
Part II: The Salt Typhoon Attack Lifecycle
4.1 Initial Access (TA0001): Exploiting the Seams
Salt Typhoon's primary entry strategy is a pragmatic exploitation of poor cyber hygiene. They consistently target publicly known, and often old, vulnerabilities in internet-facing servers, firewalls, and network appliances. Key vulnerabilities frequently leveraged include:
- CVE-2021-26855: Microsoft Exchange Server (ProxyLogon)
- CVE-2023-20198 / CVE-2023-20273: Cisco IOS XE (privilege escalation, root access)
- CVE-2024-21887 / CVE-2023-46805: Ivanti Connect Secure VPN
- CVE-2022-3236: Sophos Firewall (code injection)
As a secondary method, the group conducts targeted spear-phishing campaigns designed to trick key individuals into executing malicious payloads.
4.2 Execution & Persistence (TA0002, TA0003): Living off the Land
Once inside a network, Salt Typhoon's core behavioral trait is extensive use of "Living off the Land" (LotL) techniques — abusing legitimate, pre-installed system tools to carry out objectives. This allows malicious activity to blend in with everyday IT operations, making it extremely difficult for traditional EDR and AV solutions to identify.
- PowerShell: Scripting and remote execution
- WMI: Execution and lateral movement
- PsExec: Remote control
- BITSAdmin / CertUtil: File transfer
- rar.exe / copy.exe: Data staging
For persistence, Salt Typhoon employs multiple techniques ranging from modifying Windows Registry run keys to creating hidden Windows Services. For critical targets, they deploy the Demodex rootkit for the ultimate form of stealthy persistence.
4.3 Lateral Movement (TA0008): Spreading Silently
Movement within a compromised network is methodical and detection-averse:
- Credential-Based Attacks: Using Mimikatz to extract credentials, performing Pass-the-Hash (PtH) and NTLM Relay attacks.
- Abuse of Remote Protocols: Leveraging stolen credentials with RDP and SMB to access file shares and move laterally.
- Remote Execution: PowerShell Remoting and WMI used to execute commands on remote systems.
4.4 Defense Evasion (TA0005): The Art of Invisibility
Salt Typhoon dedicates significant effort to evading security controls through multi-layered techniques:
- Hiding Malicious Code: DLL sideloading to trick legitimate applications into loading malicious libraries. GhostSpider operates entirely in-memory to avoid file-based scanning.
- Eliminating Evidence: Disabling or clearing system logs to erase digital breadcrumbs.
- Obfuscating Communications: Encrypted C2 traffic proxied through compromised jump hosts or legitimate cloud services.
- Kernel-Level Stealth: The Demodex rootkit hides malicious files, running processes, registry keys, and network connections from user-mode security tools.
This reliance on exploiting poor cyber hygiene and using LotL techniques is not a sign of technical limitation but of strategic discipline. Their preference for the path of least resistance demonstrates a deep understanding that organizational and human failures are often more reliable vulnerabilities to exploit than purely technical ones. A defense strategy focused solely on detecting advanced malware will inevitably fail; it must also address fundamental security posture, administrative discipline, and the detection of anomalous behavior.
4.5 Command & Control and Exfiltration (TA0011, TA0010)
Salt Typhoon's C2 infrastructure is sophisticated and resilient. Communications are almost always encrypted and designed to blend with legitimate traffic. They frequently use compromised routers or servers as jump hosts or proxies. For exfiltration, data is typically staged — compressed into archives using tools like rar.exe and moved to inconspicuous directories such as C:\Users\Public\Music before transmission.
The Salt Typhoon Arsenal: A Malware Deep Dive
While Salt Typhoon excels at "Living off the Land," it maintains a formidable arsenal of custom and shared malware. These tools are deployed strategically for objectives that cannot be met with standard system utilities.
| Malware | Type | Primary Function | Key Features |
|---|---|---|---|
| Demodex | Kernel-Mode Rootkit | Stealth & Persistence | Hides files, processes, registry keys, and network traffic. Abuses a legitimate signed third-party driver (Cheat Engine) to bypass Windows Driver Signature Enforcement. |
| GhostSpider | Modular Backdoor | Espionage & C2 | Deployed via DLL hijacking, operates primarily in-memory. Modular design with encrypted commands hidden within HTTP headers or cookies. |
| SparrowDoor | Backdoor & Loader | Persistence & Remote Access | Deployed via web shells. Provides remote access for file operations, command execution, and reverse shell. Newer variants process commands in parallel. |
| JumbledPath | Packet Sniffer | Network Data Collection | Go-based utility for packet capture on compromised Cisco devices. Uses jump host chains to obscure attacker location. |
| SnappyBee | Data Exfiltration | Espionage & Data Theft | Stealthy data theft malware shared among Chinese APT groups. Monitors activity, exfiltrates credentials and documents. |
| Masol RAT | Remote Access Trojan | Remote Control | Cross-platform RAT targeting both Windows and Linux servers within victim networks. |
In-Depth: The Demodex Rootkit
Demodex is arguably Salt Typhoon's most sophisticated tool, reserved for high-value targets requiring long-term, undetected persistence. Its most innovative feature is its loading mechanism. To bypass modern Windows Driver Signature Enforcement, Demodex does not use a stolen code-signing certificate. Instead, it abuses a legitimate, digitally signed third-party driver belonging to the open-source tool "Cheat Engine." The attackers install this benign driver, then exploit its functionality to manipulate kernel memory and manually load the unsigned Demodex rootkit, piggybacking on the legitimate driver's signature. Once loaded, Demodex hooks deep into the OS to hide artifacts from both security software and forensic investigators.
In-Depth: GhostSpider
GhostSpider is a modular, in-memory backdoor designed for espionage. Loaded via DLL hijacking, it leaves a minimal footprint on disk. Its modularity allows attackers to deploy only the specific functions needed for a given target. C2 communications are disguised within standard HTTP traffic, with commands and data hidden inside headers or cookies to blend with legitimate web browsing.
In-Depth: JumbledPath
This tool showcases the group's specific focus on telecommunications infrastructure. JumbledPath is a custom Go-based utility designed for a single purpose: to capture network packets on compromised Cisco devices. Its use of jump hosts — intermediary compromised systems — makes traffic appear to originate from a trusted internal source, complicating network-based detection.
Part III: A Proactive Defense Posture
The tactics, techniques, and procedures employed by Salt Typhoon render traditional, reactive security models fundamentally inadequate. A defense strategy predicated on waiting for alerts from signature-based tools is destined to fail against this adversary.
Building resilience against a state-sponsored adversary like Salt Typhoon requires a paradigm shift. The foundational principle must be "assume breach" — organizations in critical sectors must operate under the assumption that a persistent and sophisticated actor is already present, or will inevitably gain access to, their networks.
This intelligence-led defense model is built on several key pillars:
- Proactive Threat Hunting: Hypothesis-driven searches for anomalous behaviors aligned with known adversary TTPs — unusual PowerShell execution, suspicious WMI activity, unexpected network connections from legitimate system processes.
- Comprehensive DFIR: Rapid and deep investigations to understand the full scope of a compromise, eradicate the adversary's presence including hidden backdoors and rootkits, and restore systems securely.
- Continuous Security Posture Management: Aggressive patch management, strict credential hygiene, robust network segmentation, and hardening of all network devices.
- Zero Trust Architecture: Enforcing strict authentication for every user and device, implementing least privilege, and micro-segmenting the network to restrict lateral movement.
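The hunting hypotheses from sections 4.2 to 4.5 (LotL tooling, Run-key and service persistence, log clearing, archive staging under C:\Users\Public\Music) and the Proactive Threat Hunting pillar above, expressed as rules over process-creation telemetry. This is an added example, not code from the report or from Mjolnir Security; the event field names, the extra staging directories, the ATT&CK sub-technique labels beyond those in the report, and the sample events are assumptions.

```python
"""Hunting rules for the Living-off-the-Land, persistence, log-clearing and
staging behaviours described above, run over constructed process-creation
events with Sysmon Event ID 1 style fields. Added example, not the report's."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str

# Staging directories: the one the report names plus two assumed extras.
STAGING_DIRS = ("c:\\users\\public\\music", "c:\\users\\public\\", "c:\\programdata\\")

def staged_archive(e):
    """rar.exe / 7z.exe compressing data into a public staging directory."""
    return e.image.lower() in ("rar.exe", "7z.exe", "winrar.exe") and \
        any(d in e.cmdline.lower() for d in STAGING_DIRS)

def lolbin_download(e):
    """certutil / bitsadmin used as a downloader or decoder."""
    img, c = e.image.lower(), e.cmdline.lower()
    return (img == "certutil.exe" and ("-urlcache" in c or "-decode" in c)) or \
        (img == "bitsadmin.exe" and "/transfer" in c)

def encoded_powershell(e):
    """PowerShell launched with an encoded command (-e, -ec, -enc, ...)."""
    return e.image.lower() in ("powershell.exe", "pwsh.exe") and \
        re.search(r"\s-(e|ec|enc|encodedcommand)\s", e.cmdline.lower()) is not None

def wmi_remote_exec(e):
    """wmic process-create against a remote node, or WmiPrvSE spawning a shell."""
    img, c = e.image.lower(), e.cmdline.lower()
    return (img == "wmic.exe" and "/node:" in c and "process call create" in c) or \
        (e.parent.lower() == "wmiprvse.exe" and img in ("cmd.exe", "powershell.exe"))

def run_key_or_service(e):
    """Registry Run key written, or a new service created with sc.exe."""
    img, c = e.image.lower(), e.cmdline.lower()
    return (img == "reg.exe" and "currentversion\\run" in c) or \
        (img == "sc.exe" and " create " in c)

def log_clearing(e):
    """wevtutil clearing an event log (the anti-forensics step in 4.4)."""
    return e.image.lower() == "wevtutil.exe" and \
        re.search(r"\b(cl|clear-log)\b", e.cmdline.lower()) is not None

RULES = [  # (rule name, ATT&CK technique, predicate)
    ("staged_archive", "T1074/T1560", staged_archive),
    ("lolbin_download", "T1105", lolbin_download),
    ("encoded_powershell", "T1059.001", encoded_powershell),
    ("wmi_remote_exec", "T1047", wmi_remote_exec),
    ("run_key_or_service", "T1547.001/T1543.003", run_key_or_service),
    ("log_clearing", "T1070.001", log_clearing),
]

def hunt(events):
    """Return (host, rule, technique, cmdline) for every event matching a rule."""
    return [(e.host, name, tech, e.cmdline)
            for e in events for name, tech, pred in RULES if pred(e)]

# Constructed sample telemetry: three malicious events and two benign ones.
SAMPLE_EVENTS = [
    Event("FS01", "cmd.exe", "rar.exe",
          "rar.exe a -r C:\\Users\\Public\\Music\\arch.rar C:\\Finance\\*.xlsx"),
    Event("WS07", "explorer.exe", "powershell.exe",
          "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4A"),
    Event("DC01", "cmd.exe", "wevtutil.exe", "wevtutil.exe cl Security"),
    Event("WS07", "explorer.exe", "powershell.exe",   # benign: no -enc
          "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
    Event("FS01", "cmd.exe", "certutil.exe", "certutil.exe -verify cert.cer"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The benign PowerShell event shows why the encoded-command rule anchors on whitespace: `-ExecutionPolicy` must not trip a rule meant for `-e`/`-enc`.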
Mjolnir Security's Counter-Espionage Services
Mjolnir Security provides advanced, intelligence-driven services designed to counter the specific threats posed by Salt Typhoon. Our capabilities are directly mapped to the adversary's TTPs:
| Adversary Tactic | MITRE ATT&CK | Mjolnir Service | How We Help |
|---|---|---|---|
| Initial Access | T1190 | Vulnerability Assessment & Pen Testing | Proactively identifies the same unpatched vulnerabilities in Cisco, Exchange, and Ivanti that Salt Typhoon exploits. Red Team assessments simulate their attack paths. |
| Execution & Lateral Movement | T1059 T1047 T1021 | Threat Hunting as a Service (THaaS) | Expert human hunters actively search for anomalous use of PowerShell, WMI, and PsExec. We hunt behavior, not just malware signatures. |
| Defense Evasion & Persistence | T1014 T1036 T1070 | Digital Forensics & Incident Response (DFIR) | Deep kernel-level memory forensics to uncover Demodex rootkit and reconstruct attacker activity even when logs have been cleared. |
| Credential Access | T1003.001 | IR & Compromise Assessment | Rapid containment to prevent credential theft. Proactive hunting for evidence of past or ongoing intrusions. |
| Command & Control | T1573 T1090 | SOCaaS with Advanced Threat Detection | 24/7 monitoring for sophisticated C2 patterns — encrypted channels, beaconing, and use of internal proxies. |
| Overall Strategy | N/A | Virtual CISO (vCISO) | Strategic leadership to implement Zero Trust, mature vulnerability management, and address systemic weaknesses that enable actors like Salt Typhoon. |
Defending Against Salt Typhoon with Mjolnir Security
Mjolnir Security provides the critical combination of advanced technology, elite human talent, and strategic insight necessary to counter one of the world's most formidable cyber espionage actors.
- Threat Hunting as a Service (THaaS): Our expert human hunters proactively search for indicators of attack — subtle patterns of malicious behavior masquerading as legitimate administrative activity. By developing hypotheses based on MITRE ATT&CK and Salt Typhoon's specific TTPs, we detect LotL techniques, anomalous credential usage, and stealthy persistence mechanisms that automated tools miss.
- Digital Forensics & Incident Response (DFIR): Our DFIR team manages the full lifecycle of an incident, from containment to recovery. We conduct deep investigations capable of uncovering kernel-level rootkits like Demodex and reconstructing attack timelines even in the face of anti-forensic techniques. Our 24/7 IR hotline: +1 833 403 5875.
- Proactive Security Assessments & vCISO: Our Vulnerability Assessments and Mjolnir Shield Penetration Testing identify the very gaps Salt Typhoon exploits. Our vCISO service provides executive-level expertise to build Zero Trust architectures, mature vulnerability management programs, and build lasting organizational resilience.
Conclusion: The Enduring Threat
Salt Typhoon is not a transient problem or a common cybercriminal group. It is the manifestation of a nation-state's strategic will, executed by a professional, well-resourced, and highly disciplined organization. Their focus on long-term espionage, their patient methodology, and their demonstrated ability to compromise the core infrastructure of a global superpower represent a persistent and escalating threat. They are a permanent feature of the modern cyber landscape.
Defending against such an adversary requires a fundamental shift from reactive perimeter defense to a proactive, intelligence-driven strategy of resilience. It demands understanding the adversary's "anthropology" — their culture, motivations, and operational doctrines — to anticipate their movements and counter their techniques. The path to resilience is built on the assumption of a compromised environment, the active hunting of threats within the wire, and an unwavering commitment to security hygiene.
References
- "Salt Typhoon," Wikipedia. en.wikipedia.org
- "Salt Typhoon APT (Earth Estries/UNC2286): A Deep Technical Dive," Keystrike. keystrike.com
- "Salt Typhoon: Inside the Cyber Espionage Campaign," Proven Data. provendata.com
- "Threat Actor Spotlight: Salt Typhoon," MOXFIVE. moxfive.com
- "What is Salt Typhoon?," NetQuest. netquestcorp.com
- "Salt Typhoon: Vulnerabilities Exploited by this State-Sponsored Actor," Tenable. tenable.com
- "Salt Typhoon," Varonis. varonis.com
- "Understanding Salt Typhoon," WWT. wwt.com
- "What is Salt Typhoon? A Security Expert Explains," UMBC. umbc.edu
- "The Rise of Chinese APT Campaigns," Eclypsium. eclypsium.com
- "Malware linked to Salt Typhoon," CyberScoop. cyberscoop.com
- "Understanding APT Salt Typhoon," Adarma. adarma.com
- "Salt Typhoon unleashes GhostSpider on telecoms," Field Effect. fieldeffect.com
- "Treasury Sanctions Company Associated with Salt Typhoon," U.S. Treasury. home.treasury.gov
- "Aggressive Chinese APT Group Targets Governments with New Backdoors," Infosecurity Magazine. infosecurity-magazine.com
- "Chinese hacking group Salt Typhoon targets Southeast Asian telecom," The Record. therecord.media
- "GhostEmperor: From ProxyLogon to kernel mode," Securelist (Kaspersky). securelist.com
- "Ghost Emperor: The Demodex Rootkit," Sygnia. sygnia.co
- "Salt Typhoon: A Persistent Threat to Global Telecommunications," Picus Security. picussecurity.com
- "Salt Typhoon's JumbledPath Malware Targeting U.S. Telecom," Beyond Identity. beyondidentity.com
- "JumbledPath," MITRE ATT&CK. attack.mitre.org
- "You will always remember this as the day you finally caught FamousSparrow," WeLiveSecurity (ESET). welivesecurity.com
- "FamousSparrow Deploys New Backdoor Variants," Field Effect. fieldeffect.com
- "Malware analysis report: SparrowDoor," NCSC. ncsc.gov.uk
- "Analytics Story: SnappyBee," Splunk Security. research.splunk.com
- "Earth Estries Espionage," Anvilogic. anvilogic.com
- "Chinese Hackers Use GHOSTSPIDER Malware," Infopercept. infopercept.com
- "Threat Hunting as a Service (THaaS)," Mjolnir Security. mjolnirsecurity.com
- "Digital Forensics," Mjolnir Security. mjolnirsecurity.com