{
	"id": "10d15169-ecb0-4865-a466-cfc38401e5fc",
	"created_at": "2026-04-06T00:17:37.274287Z",
	"updated_at": "2026-04-10T13:11:35.38052Z",
	"deleted_at": null,
	"sha1_hash": "7dea3b5adda7a399317069e9f443ee9f0ff660af",
	"title": "Chinese Hackers Infiltrate U.S. Internet Providers in Cyber Espionage Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 617056,
	"plain_text": "Chinese Hackers Infiltrate U.S. Internet Providers in Cyber\r\nEspionage Campaign\r\nBy The Hacker News\r\nPublished: 2024-09-26 · Archived: 2026-04-05 21:10:20 UTC\r\nNation-state threat actors backed by Beijing broke into a \"handful\" of U.S. internet service providers (ISPs) as part\r\nof a cyber espionage campaign orchestrated to glean sensitive information, The Wall Street Journal reported\r\nWednesday.\r\nThe activity has been attributed to a threat actor that Microsoft tracks as Salt Typhoon, which is also known as\r\nFamousSparrow and GhostEmperor.\r\n\"Investigators are exploring whether the intruders gained access to Cisco Systems routers, core network\r\ncomponents that route much of the traffic on the internet,\" the publication was quoted as saying, citing people\r\nfamiliar with the matter.\r\nThe end goal of the attacks is to gain a persistent foothold within target networks, allowing the threat actors to\r\nharvest sensitive data or launch a damaging cyber attack.\r\nGhostEmperor first came to light in October 2021, when Russian cybersecurity company Kaspersky detailed a\r\nlong-standing evasive operation targeting Southeast Asian targets in order to deploy a rootkit named Demodex.\r\nTargets of the campaign included high-profile entities in Malaysia, Thailand, Vietnam, and Indonesia, in addition\r\nto outliers located in Egypt, Ethiopia, and Afghanistan.\r\nAs recently as July 2024, Sygnia revealed that an unnamed client was compromised by the threat actor in 2023 to\r\ninfiltrate one of its business partner's networks.\r\n\"During the investigation, several servers, workstations, and users were found to be compromised by a threat actor\r\nwho deployed various tools to communicate with a set of [command-and-control] servers,\" the company said.\r\n\"One of these tools was identified as a variant of Demodex.\"\r\nThe development comes 
days after the U.S. government said it disrupted a 260,000-device botnet dubbed Raptor\r\nTrain controlled by a different Beijing-linked hacking crew called Flax Typhoon.\r\nIt also represents the latest in a string of Chinese state-sponsored efforts to target telecom, ISPs, and other critical\r\ninfrastructure sectors.\r\nSource: https://thehackernews.com/2024/09/chinese-hackers-infiltrate-us-internet.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2024/09/chinese-hackers-infiltrate-us-internet.html"
	],
	"report_names": [
		"chinese-hackers-infiltrate-us-internet.html"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434657,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7dea3b5adda7a399317069e9f443ee9f0ff660af.pdf",
		"text": "https://archive.orkl.eu/7dea3b5adda7a399317069e9f443ee9f0ff660af.txt",
		"img": "https://archive.orkl.eu/7dea3b5adda7a399317069e9f443ee9f0ff660af.jpg"
	}
}