{
	"id": "e083ad10-09fd-43d1-8074-b86021727e0f",
	"created_at": "2026-04-06T00:15:50.285109Z",
	"updated_at": "2026-04-10T03:34:28.254138Z",
	"deleted_at": null,
	"sha1_hash": "0d5e3a959a2572f2cf4a23b6a0293347167707c2",
	"title": "Salt Typhoon, GhostEmperor - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93989,
	"plain_text": "Salt Typhoon, GhostEmperor - Threat Group Cards: A Threat\r\nActor Encyclopedia\r\nArchived: 2026-04-05 20:24:23 UTC\r\nHome \u003e List all groups \u003e Salt Typhoon, GhostEmperor\r\n APT group: Salt Typhoon, GhostEmperor\r\nNames\r\nSalt Typhoon (Microsoft)\r\nGhostEmperor (Kaspersky)\r\nUNC2286 (Mandiant)\r\nFamousSparrow (ESET)\r\nEarth Estries (Trend Micro)\r\nRedMike (Recorded Future)\r\nOperator Panda (CrowdStrike)\r\nCountry China\r\nSponsor State-sponsored, Ministry of State Security\r\nMotivation Information theft and espionage\r\nFirst seen 2020\r\nDescription\r\n(Kaspersky) GhostEmperor is a Chinese-speaking threat actor that has mostly\r\nfocused on targets in Southeast Asia, including several government entities and\r\ntelecom companies. The group stands out because it uses a formerly unknown\r\nWindows kernel-mode rootkit. Rootkits provide remote control access over the\r\nservers they target. Acting covertly, rootkits are notorious for hiding from\r\ninvestigators and security solutions. 
To bypass the Windows Driver Signature\r\nEnforcement mechanism, GhostEmperor uses a loading scheme involving a\r\ncomponent of an open-source project named “Cheat Engine.” This advanced toolset\r\nis unique and Kaspersky researchers see no similarity to already known threat actors.\r\nKaspersky experts have surmised that the toolset has been in use since at least July\r\n2020.\r\nObserved Sectors: Chemical, Education, Engineering, Government, Hospitality, Technology,\r\nTelecommunications, Transportation, NGOs and law firms.\r\nCountries: Afghanistan, Argentina, Bangladesh, Brazil, Burkina Faso, Canada,\r\nEgypt, Ethiopia, France, Germany, Guatemala, India, Indonesia, Israel, Lithuania,\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b88e37a4-1fc1-42da-bd72-6ad44758193f\r\nPage 1 of 4\n\nMalaysia, Mexico, Netherlands, Pakistan, Philippines, Saudi Arabia, Singapore,\nSouth Africa, Swaziland, Taiwan, Thailand, UK, USA, Vietnam.\nTools used\ncertutil, Cobalt Strike, Crowdoor, Cryptmerlin, Deed RAT, Demodex, FuxosDoor,\nGHOSTSPIDER, HemiGate, MASOL RAT, Mimikatz, nbtscan, NinjaCopy, PsExec,\nPsList, ProcDump, SparrowDoor, TrillClient, WinRAR, Zingdoor.\nOperations performed\n2020\nEarth Estries Targets Government, Tech for Cyberespionage\nMar 2021\nFamousSparrow: A suspicious hotel guest\nLate 2023\nThe Return of Ghost Emperor’s Demodex\nMar 2024\nChinese hackers breached National Guard to steal network\nconfigurations\nJul 2024\nChinese Hackers Infiltrate U.S. 
Internet Providers in Cyber Espionage\nCampaign\nJul 2024\nYou will always remember this as the day you finally caught\nFamousSparrow\nSep 2024\nAT\u0026T, Verizon reportedly hacked to target US govt wiretapping\nplatform\nSep 2024\nT-Mobile confirms it was hacked in recent wave of telecom breaches\nDec 2024\nWhite House links ninth telecom breach to Chinese hackers\nDec 2024\nChinese hackers also breached Charter and Windstream networks\nDec 2024\nRedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global\nTelecommunications Providers\nFeb 2025\nTelecom giant Viasat breached by China's Salt Typhoon hackers\nFeb 2025\nCanada says Salt Typhoon hacked telecom firm via Cisco flaw\nCounter operations Jan 2025\nUS sanctions Chinese firm, hacker behind telecom and Treasury hacks\nInformation https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b88e37a4-1fc1-42da-bd72-6ad44758193f\nPage 3 of 4\n\nLast change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b88e37a4-1fc1-42da-bd72-6ad44758193f\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b88e37a4-1fc1-42da-bd72-6ad44758193f\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b88e37a4-1fc1-42da-bd72-6ad44758193f"
	],
	"report_names": [
		"showcard.cgi?u=b88e37a4-1fc1-42da-bd72-6ad44758193f"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434550,
	"ts_updated_at": 1775792068,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d5e3a959a2572f2cf4a23b6a0293347167707c2.pdf",
		"text": "https://archive.orkl.eu/0d5e3a959a2572f2cf4a23b6a0293347167707c2.txt",
		"img": "https://archive.orkl.eu/0d5e3a959a2572f2cf4a23b6a0293347167707c2.jpg"
	}
}