Salt Typhoon, GhostEmperor - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 20:24:23 UTC

APT group: Salt Typhoon, GhostEmperor

Names:
  Salt Typhoon (Microsoft)
  GhostEmperor (Kaspersky)
  UNC2286 (Mandiant)
  FamousSparrow (ESET)
  Earth Estries (Trend Micro)
  RedMike (Recorded Future)
  Operator Panda (CrowdStrike)

Country: China
Sponsor: State-sponsored, Ministry of State Security
Motivation: Information theft and espionage
First seen: 2020

Description (Kaspersky):
GhostEmperor is a Chinese-speaking threat actor that has mostly focused on targets in Southeast Asia, including several government entities and telecom companies. The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named "Cheat Engine". This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020.

Observed
Sectors: Chemical, Education, Engineering, Government, Hospitality, Technology, Telecommunications, Transportation, NGOs and law firms.
Countries: Afghanistan, Argentina, Bangladesh, Brazil, Burkina Faso, Canada, Egypt, Ethiopia, France, Germany, Guatemala, India, Indonesia, Israel, Lithuania, Malaysia, Mexico, Netherlands, Pakistan, Philippines, Saudi Arabia, Singapore, South Africa, Swaziland, Taiwan, Thailand, UK, USA, Vietnam.
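The Driver Signature Enforcement bypass described above is a bring-your-own-signed-driver pattern: the loader component carries a valid signature, so a "Signed: true / Valid" driver-load event is not on its own a clean bill of health. The hunting script below is an added example, not code from the ETDA card, from Kaspersky, or from any vendor tool. It assumes that the Cheat Engine component is the project's signed kernel driver, shipped under the names dbk64.sys / dbk32.sys (an assumption; the card only says "a component of Cheat Engine"), and it works on Sysmon DriverLoad (Event ID 6) records already parsed into dicts with Sysmon's field names (ImageLoaded, Signed, Signature, SignatureStatus, UtcTime, Computer). The sample events are constructed for the example, including the signer string; they are not real telemetry.

```python
"""Hunt for a Cheat Engine driver used as a DSE-bypass loader in Sysmon DriverLoad (ID 6) records.

Added example, not from the ETDA card or from Kaspersky's research. Assumptions:
  - the Cheat Engine component is its signed kernel driver, dbk64.sys / dbk32.sys;
  - records are dicts keyed by Sysmon DriverLoad field names;
  - SAMPLE_EVENTS below are constructed, including the "Cheat Engine" Signature value.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Cheat Engine kernel driver file names (assumption, see module docstring).
CHEAT_ENGINE_DRIVERS = {"dbk64.sys", "dbk32.sys"}

# Directories a signed third-party driver is normally loaded from. A validly signed
# driver loaded from Temp, ProgramData or a user profile is a classic BYOVD tell.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers", "c:\\windows\\system32")

# A loader driver followed by an unsigned driver within this window is treated as one chain.
FOLLOW_ON_WINDOW = timedelta(minutes=5)

SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"


def _parse_time(s):
    return datetime.strptime(s, SYSMON_TIME)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _in_expected_dir(path):
    return str(PureWindowsPath(path).parent).lower() in EXPECTED_DRIVER_DIRS


def classify(record):
    """Return the list of reasons one DriverLoad record is suspicious (empty when benign)."""
    reasons = []
    image = record["ImageLoaded"]
    signed_ok = record.get("Signed") == "true" and record.get("SignatureStatus") == "Valid"
    if _basename(image) in CHEAT_ENGINE_DRIVERS:
        reasons.append("cheat-engine-driver")  # the legitimately signed loader component
    if record.get("Signed") == "true" and not _in_expected_dir(image):
        reasons.append("signed-driver-from-unusual-path")
    if not signed_ok:
        # With DSE intact this should not happen at all; after the loader ran, it is the payload.
        reasons.append("unsigned-or-invalid-signature")
    return reasons


def hunt(records):
    """Correlate per-record findings into a per-host chain.

    Returns a list of (host, reason, record). When a Cheat Engine driver load on a host is
    followed within FOLLOW_ON_WINDOW by an unsigned/invalid driver load on the same host, an
    extra "demodex-style-chain" finding is emitted for the follow-on record.
    """
    findings = []
    loader_seen = {}  # host -> UtcTime of the most recent Cheat Engine driver load
    for rec in sorted(records, key=lambda r: _parse_time(r["UtcTime"])):
        host, t = rec["Computer"], _parse_time(rec["UtcTime"])
        reasons = classify(rec)
        findings.extend((host, reason, rec) for reason in reasons)
        if "cheat-engine-driver" in reasons:
            loader_seen[host] = t
        elif "unsigned-or-invalid-signature" in reasons and host in loader_seen:
            if t - loader_seen[host] <= FOLLOW_ON_WINDOW:
                findings.append((host, "demodex-style-chain", rec))
    return findings


# Constructed sample telemetry (not real events). Signature strings are illustrative.
SAMPLE_EVENTS = [
    {"Computer": "srv01", "UtcTime": "2024-03-01 10:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Computer": "srv01", "UtcTime": "2024-03-01 10:01:12.000",
     "ImageLoaded": "C:\\Windows\\Temp\\dbk64.sys",
     "Signed": "true", "Signature": "Cheat Engine", "SignatureStatus": "Valid"},
    {"Computer": "ws07", "UtcTime": "2024-03-01 10:02:00.000",
     "ImageLoaded": "C:\\ProgramData\\svc.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Computer": "srv01", "UtcTime": "2024-03-01 10:03:05.000",
     "ImageLoaded": "C:\\Windows\\Temp\\upd.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


if __name__ == "__main__":
    for host, reason, rec in hunt(SAMPLE_EVENTS):
        print(f"{host:6} {reason:32} {rec['ImageLoaded']}")
```

Run against the constructed events, srv01 produces the full chain (Cheat Engine driver from Temp, then an unsigned driver two minutes later, reported as "demodex-style-chain"), while the lone unsigned driver on ws07 is flagged but not chained. The point of the correlation step is that neither record alone is conclusive: the loader is validly signed, and an unsigned driver load could be a misconfigured test host; together, on one machine inside a few minutes, they are the pattern the description above calls out.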
Tools used
certutil, Cobalt Strike, Crowdoor, Cryptmerlin, Deed RAT, Demodex, FuxosDoor, GHOSTSPIDER, HemiGate, MASOL RAT, Mimikatz, nbtscan, NinjaCopy, PsExec, PsList, ProcDump, SparrowDoor, TrillClient, WinRAR, Zingdoor.

Operations performed
  2020      Earth Estries Targets Government, Tech for Cyberespionage
  Mar 2021  FamousSparrow: A suspicious hotel guest
  Late 2023 The Return of Ghost Emperor's Demodex
  Mar 2024  Chinese hackers breached National Guard to steal network configurations
  Jul 2024  Chinese Hackers Infiltrate U.S. Internet Providers in Cyber Espionage Campaign
  Jul 2024  You will always remember this as the day you finally caught FamousSparrow
  Sep 2024  AT&T, Verizon reportedly hacked to target US govt wiretapping platform
  Sep 2024  T-Mobile confirms it was hacked in recent wave of telecom breaches
  Dec 2024  White House links ninth telecom breach to Chinese hackers
  Dec 2024  Chinese hackers also breached Charter and Windstream networks
  Dec 2024  RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers
  Feb 2025  Telecom giant Viasat breached by China's Salt Typhoon hackers
  Feb 2025  Canada says Salt Typhoon hacked telecom firm via Cisco flaw

Counter operations
  Jan 2025  US sanctions Chinese firm, hacker behind telecom and Treasury hacks

Information

Last change to this card: 16 August 2025
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b88e37a4-1fc1-42da-bd72-6ad44758193f