
🇨🇳 Salt Typhoon

Threat-actor battle card · maintained from public sources · last updated 2026-06-22 · also known as RedMike, OPERATOR PANDA, GhostEmperor, UNC5807

Category: Nation-state APT (espionage)
Attribution: China (PRC MSS / PLA-linked contractors)
First seen: At least 2021
Status: Active
Primary targets: Telecommunications, Government, Transportation, Lodging, Military

Overview

Salt Typhoon is a PRC state-sponsored espionage actor operating globally since at least 2021, subject of joint advisory AA25-239A (Aug 2025). It is linked to Chinese contractors (e.g. Sichuan Juxinhe Network Technology) that service the PLA and Ministry of State Security. By August 2025 the FBI confirmed it had compromised 200+ organisations across 80 countries, with 2026 activity expanding into South American telecom carriers (new implants TernDoor, PeerTime, BruteEntry).

Tradecraft

  • Exploits vulnerabilities in telecom backbone routers: provider-edge and customer-edge devices that lack monitoring visibility.
  • Modifies router firmware and configurations for persistent, stealthy, long-term access.
  • Objective: tap communications and movement data of intelligence targets via ISP/telecom and travel-sector intrusions.

Notable activity

  • Compromise of major telecom/ISP networks worldwide; expansion to South American carriers (2026).

Assessment

A strategic counter-intelligence threat rather than a smash-and-grab. Defense centres on edge-router firmware integrity, configuration monitoring, and end-of-life device replacement. Not victim-enumerated; tracked qualitatively on the APT watchlist.

Sources

๐Ÿ—‚๏ธ Attacks & victims

All disclosed victims attributed to this actor, newest first.

No attacks recorded yet.


โ† All threat actors ยท Full victim database โ†’