{
	"id": "13eca48a-2780-4437-851b-b648d997b2b2",
	"created_at": "2026-04-06T00:15:58.767338Z",
	"updated_at": "2026-04-10T03:34:44.538601Z",
	"deleted_at": null,
	"sha1_hash": "86f7df69edbfa116604f92728d37c435cefefc12",
	"title": "Will the Real Salt Typhoon Please Stand Up?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 185574,
	"plain_text": "Will the Real Salt Typhoon Please Stand Up?\r\nPublished: 2025-07-23 · Archived: 2026-04-05 13:48:32 UTC\r\nOn 17 July 2025, Bloomberg (no stranger to interesting information security reporting) issued a gated report on a non-public Recorded Future item related to Salt Typhoon activity. As previously noted in this space, Salt Typhoon operations are both incredibly significant given their targeting and scope, and poorly understood and documented given the paucity of detailed public information on their operations. The Recorded Future report (or at least subsequent Bloomberg reporting on this report) would therefore appear to provide an opportunity to improve our understanding of this threat actor.\r\nUnfortunately, this is not the case. Since the source report from Recorded Future is inaccessible, all following judgments are based on the Bloomberg exegesis; even on that basis, what actually emerges in public reporting is disconcerting with respect to People’s Republic of China (PRC) cyber operations at large. The core argument stems from the second paragraph of the report:\r\n[Quoted Bloomberg passage; not captured in the archived text.]\r\nYet the following paragraph in the Bloomberg article immediately shows there is far more going on here than compromise of telecommunication company (telco) backbone equipment:\r\n[Quoted Bloomberg passage; not captured in the archived text.]\r\nThe limitations of this are already obvious to readers, but despite the statement that the equipment in question is not telco-operated backbone gear, the following conclusion is offered:\r\n[Quoted Bloomberg passage; not captured in the archived text.]\r\nWhat is observed in this example is conflation between “victims in themselves” and “victims as a means to an end.” Essentially, higher-end threat actors will compromise opportunistic, seemingly random endpoints wherever they can be found to build out proxy networks of hosts to channel and obfuscate subsequent operations. Compromising a telco end user’s device fits perfectly into this construct, and aligns with operations ranging from the KV Botnet to Flax Typhoon operations to Cyclops Blink.\r\nThis “means to an end” construct is demonstrated clearly in a following section, noting that service provider clients, and not the service provider itself, were compromised through this operation:\r\n[Quoted Bloomberg passage; not captured in the archived text.]\r\nSalt Typhoon is a deeply concerning adversary that has demonstrated the willingness and ability to breach core network assets in major telco organizations for information and intelligence gathering. Yet this research appears to be linking Salt Typhoon to compromises of telco “end users”: the sort of small office and home office (SOHO) equipment frequently roped into botnets due to vulnerabilities and end-of-life circumstances. Previous, available reporting on Salt Typhoon has not noted the group targeting such equipment, at least not consistently nor at scale, leading to questions as to what is going on in the relevant analysis.\r\nNotably, many other PRC entities very much engage in compromising SOHO devices. From the various botnet entities used by Volt Typhoon (such as the KV Botnet) to Flax Typhoon, PRC-linked threat actors (among other entities) have migrated much of their initial access and command and control infrastructure to proxy networks of compromised devices (sometimes referred to as “operational relay box” networks). These can include equipment ranging from various internet of things (IoT) devices to SOHO networking appliances, but in nearly all cases devices that reside within the networks of larger telco organizations. Thus, if one were to research a Volt Typhoon firing node or a Flax Typhoon redirect box, autonomous system number (ASN) or network owner information would indicate that the address belonged to Comcast, MTN, or a similar organization, even though the compromised device is a customer’s, not the provider’s.\r\nThe links to Salt Typhoon from this activity are thus, absent additional evidence, extremely flimsy given the much broader use of intermediate appliance or device compromise among many threat actors. Additionally, given Salt Typhoon’s noted direction in compromising service provider backbone infrastructure to facilitate intelligence collection, it is extremely unclear how compromising Bob \u0026 Jane’s Florist Netgear device would facilitate subsequent targeting of the hosting ISP.\r\nQuite simply: PRC-linked cyber actors are very definitely and aggressively targeting internet-connected equipment, whether SOHO, enterprise, or other, for exploitation. However, this specific exploitation almost certainly pertains to the creation of proxy networks for exploitation and subsequent command and control, and there remains no known instance of using such exploitation to “swim upstream” into the hosting telco’s environment. The activity identified may certainly be associated with eventual Salt Typhoon operations, where such nodes are used to obfuscate network connections between operators and victims. But to think such activity reflects on the immediate risk to the hosting entities reveals a substantial lack of understanding of telco network segmentation and operations.\r\nWhat has likely been identified in this case is not “Salt Typhoon targeting telcos” but rather Salt Typhoon (or other entities) building (or rebuilding) proxy networks to facilitate follow-on operations. This is NOT a trivial point in the slightest, as identifying and, potentially, mitigating such proxy networks is a future, necessary step in getting ahead of emerging cyber intrusion activity. However, to draw a definitive line of the form “a potential Salt Typhoon operator compromised a SOHO router within Verizon ISP space, therefore Verizon is being targeted” is suboptimal, to say the least.\r\nFor the activity of specific interest, then, what we are likely seeing is a PRC-linked entity (not necessarily Salt Typhoon) rebuilding or reconstituting a proxy network of devices to be used or sold off for other operations. But to conclude that such activity represents direct targeting of the hosting network is unsupported by available evidence and ignores the actual architecture of ISP networks.\r\nThe activity in question is nonetheless concerning, but must be placed in the appropriate context for it to matter. Instead of harping on telco insecurity and vulnerability, the proper response to this activity is highlighting the very real risk entailed by the deployment and lack of maintenance of consumer equipment for internet connectivity. Such devices have been marshalled into proxy networks to obfuscate adversary actions for many years, and acknowledging this vulnerability is critical to ensuring the security of many organizations at risk of state (or even criminal) exploitation.\r\nSource: https://pylos.co/2025/07/23/will-the-real-salt-typhoon-please-stand-up/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://pylos.co/2025/07/23/will-the-real-salt-typhoon-please-stand-up/"
	],
	"report_names": [
		"will-the-real-salt-typhoon-please-stand-up"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391",
				"Insidious Taurus",
				"UNC3236",
				"Vanguard Panda",
				"Volt Typhoon",
				"Voltzite"
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda",
				"Flax Typhoon"
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries",
				"Famous Sparrow",
				"Ghost Emperor",
				"RedMike",
				"Salt Typhoon"
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86f7df69edbfa116604f92728d37c435cefefc12.pdf",
		"text": "https://archive.orkl.eu/86f7df69edbfa116604f92728d37c435cefefc12.txt",
		"img": "https://archive.orkl.eu/86f7df69edbfa116604f92728d37c435cefefc12.jpg"
	}
}