{
	"id": "70f187c1-2f98-446e-8e48-88774f3e1a3d",
	"created_at": "2026-04-06T00:09:45.61893Z",
	"updated_at": "2026-04-10T03:35:43.411006Z",
	"deleted_at": null,
	"sha1_hash": "32c03959c1583fa2ab7a148c1040c1ee0467ec70",
	"title": "Who is SALTY SPIDER (Sality)?| Threat Actor Profile | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58865,
	"plain_text": "Who is SALTY SPIDER (Sality)?| Threat Actor Profile |\r\nCrowdStrike\r\nBy AdamM\r\nArchived: 2026-04-05 18:28:51 UTC\r\nCommon Aliases\r\nSALTY SIDER is most commonly identified with the botnet it maintains (Sality) and it’s associated pseudonyms:\r\nKuKu\r\nSalLoad\r\nKookoo\r\nSaliCode\r\nKukacka\r\nSALTY SPIDER’s Origins\r\nSALTY SPIDER is an eCrime group whose actions likely indicate that it’s operating out of Russia –\r\nspecifically in the Republic of Bashkortostan, a region close to the Kazakhstan border. This adversary has been\r\nlinked to a botnet known as Sality, which is a polymorphic file infector first discovered in 2003. Since 2008, the\r\ninitial botnet has been superseded by at least three more advanced peer-to-peer (P2P) versions. Beginning in the\r\nSummer of 2017, the botnet’s population grew significantly when it began exploiting the ETERNALBLUE\r\nvulnerability. Today, the latest versions of Sality are still both prevalent and formidable.\r\nSALTY SPIDER’s Targets\r\nThe pervasiveness of Salty Spider’s attacks has resulted in a long list of victims across the globe. While it seems,\r\nfor the most part, that this adversary doesn’t single out particular nations and industries, there do appear to be\r\na few pockets where SALTY SPIDER may be more prevalent.\r\nTarget Nations\r\nGenerally, SALTY SPIDER does not appear to be selective when it comes to the nations it targets — the group’s\r\nactivities have been observed worldwide. However, CrowdStrike has observed higher volumes of Sality v3\r\ninfections in Romania and high volumes of v4 activity in Venezuela. The reasoning for these higher pockets of\r\nactivity in Romania and Venezuela remains unknown.\r\nTarget Industries\r\nIn 2017, SALTY SPIDER ceased propagation of traditional proxy and spambot payloads, and shifted its sights\r\ntowards the mining and theft of cryptocurrencies. 
This shift is likely an indicator that the cryptocurrency\r\nindustry has proven to be a more lucrative area for monetizing Sality.\r\nSALTY SPIDER’s Methods\r\nThe main goal of the Sality P2P botnet is quite straightforward — infect the machine and propagate secondary\r\npayloads. This allows Sality malware to forgo extensive built-in functionality. In fact, the malware is only known\r\nto maintain the infection and manage the connection between the machine and the botnet. Once a machine has\r\nbeen compromised by the polymorphic file infector, which adds the malware through legitimate executables,\r\noperators can then instruct the device to download and execute payloads. Due to SALTY SPIDER’s affinity for\r\ncryptocurrencies, these payloads have been observed querying the machine’s clipboard for strings matching\r\nBitcoin or Ethereum addresses. Matching strings are then replaced with the actor’s own Bitcoin or Ethereum\r\naddress.\r\nOther Known “SPIDERS”\r\nSALTY SPIDER is just one of many eCrime adversaries tracked by CrowdStrike Intelligence. Some of the other\r\ncyber criminal groups that CrowdStrike monitors include the following:\r\nCOBALT SPIDER\r\nDUNGEON SPIDER\r\nMUMMY SPIDER\r\nWICKED SPIDER\r\nCurious about other eCrime, hacktivist or nation-state adversaries? Visit our threat actor center to learn about\r\nthe new adversaries that the CrowdStrike team discovers.\r\nLearn More About the Cyber Threat Landscape\r\nWant more insights on the latest adversary tactics, techniques, and procedures (TTPs)? Download the\r\nCrowdStrike® 2019 Global Threat Report: Adversary Tradecraft and The Importance of Speed: Download:\r\nCrowdStrike 2020 Global Threat Report. 
To learn more about how to incorporate intelligence on threat actors\r\nlike SALTY SPIDER into your security strategy, please visit the Falcon Threat Intelligence page.\r\nAdditional Resources\r\nRead the report on CrowdStrike Falcon® Intelligence Automated Threat Intelligence to learn what\r\ncontextualized, actionable threat intelligence can add to your security effectiveness.\r\nLearn more about comprehensive endpoint protection with the CrowdStrike Falcon® platform by visiting\r\nthe product page.\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/who-is-salty-spider/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.crowdstrike.com/blog/who-is-salty-spider/"
	],
	"report_names": [
		"who-is-salty-spider"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d1762e8-c48c-4fda-b4d1-ecb91179720e",
			"created_at": "2022-10-25T16:07:24.55351Z",
			"updated_at": "2026-04-10T02:00:05.031489Z",
			"deleted_at": null,
			"main_name": "Salty Spider",
			"aliases": [],
			"source_name": "ETDA:Salty Spider",
			"tools": [
				"Kookoo",
				"Kukacka",
				"Kuku",
				"SalLoad",
				"SaliCode",
				"Sality"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9fe7fd84-e2b4-4db5-9c90-c4a5791d3f94",
			"created_at": "2023-01-06T13:46:38.904178Z",
			"updated_at": "2026-04-10T02:00:03.14055Z",
			"deleted_at": null,
			"main_name": "SALTY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SALTY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "273a41a8-5115-4f55-865f-0960a765f18c",
			"created_at": "2022-10-25T16:07:24.397947Z",
			"updated_at": "2026-04-10T02:00:04.974605Z",
			"deleted_at": null,
			"main_name": "Wicked Spider",
			"aliases": [
				"APT 22",
				"Bronze Export",
				"Bronze Olive",
				"Wicked Spider"
			],
			"source_name": "ETDA:Wicked Spider",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa8d7ec6-128a-41b9-8cdc-01ad8843020f",
			"created_at": "2022-10-25T16:07:24.485077Z",
			"updated_at": "2026-04-10T02:00:05.005858Z",
			"deleted_at": null,
			"main_name": "Dungeon Spider",
			"aliases": [],
			"source_name": "ETDA:Dungeon Spider",
			"tools": [
				"Locky"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "00e7a6ed-1880-4391-b0b9-1f46fae0e5cc",
			"created_at": "2025-08-07T02:03:24.591024Z",
			"updated_at": "2026-04-10T02:00:03.717645Z",
			"deleted_at": null,
			"main_name": "BRONZE EXPORT",
			"aliases": [
				"TG-3279 ",
				"Wicked Spider "
			],
			"source_name": "Secureworks:BRONZE EXPORT",
			"tools": [
				"Conpee",
				"PlugX",
				"PwDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6898c5bc-48af-4e38-917b-f9f0a41d0ee2",
			"created_at": "2023-01-06T13:46:39.00984Z",
			"updated_at": "2026-04-10T02:00:03.179681Z",
			"deleted_at": null,
			"main_name": "DUNGEON SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:DUNGEON SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32c03959c1583fa2ab7a148c1040c1ee0467ec70.pdf",
		"text": "https://archive.orkl.eu/32c03959c1583fa2ab7a148c1040c1ee0467ec70.txt",
		"img": "https://archive.orkl.eu/32c03959c1583fa2ab7a148c1040c1ee0467ec70.jpg"
	}
}