{ "id": "6d20ba54-2e90-4862-bf3f-6fa6f3bf9077", "created_at": "2026-04-06T00:12:53.845996Z", "updated_at": "2026-04-10T13:11:48.427993Z", "deleted_at": null, "sha1_hash": "a1187bdab91b45a075bf5943927f8109aec4b584", "title": "Salty Spider - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46360, "plain_text": "Salty Spider - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:05:29 UTC\n Other threat group: Salty Spider\nNames Salty Spider (CrowdStrike)\nCountry Russia\nMotivation Financial gain\nFirst seen 2003\nDescription\n(CrowdStrike) The pervasiveness of Salty Spider’s attacks has resulted in a long list\nof victims across the globe. While it seems, for the most part, that this adversary\ndoesn’t single out particular nations and industries, there do appear to be a few\npockets where SALTY SPIDER may be more prevalent.\nIn 2017, SALTY SPIDER ceased propagation of traditional proxy and spambot\npayloads, and shifted its sights towards the mining and theft of cryptocurrencies.\nThis shift is likely an indicator that the cryptocurrency industry has proven to be a\nmore lucrative area for monetizing Sality.\nObserved Countries: Worldwide.\nTools used Sality.\nOperations performed\nApr 2014\nDNS hijacking is still going strong and the Win32/Sality operators\nhave added this technique to their long-lasting botnet. This blog post\ndescribes how the malware guesses router passwords as part of its\ncampaign to misdirect users, send spam and infect new victims.\nDec 2018 Sality has terrorized computer users since 2003, a year when personal\ndigital assistants (PDAs) made tech headlines and office PCs ran\nWindows XP. Over the intervening years users traded their PDAs for\nsmartphones and desktops migrated to newer operating systems and\ndigital workplace solutions. Sality, however, survived the breakneck\npace of technological innovation and continues to threaten\norganizations today.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f1ea7365-0f0a-44c5-afc4-13fdf0d874b7\nPage 1 of 2\n\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f1ea7365-0f0a-44c5-afc4-13fdf0d874b7\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f1ea7365-0f0a-44c5-afc4-13fdf0d874b7\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f1ea7365-0f0a-44c5-afc4-13fdf0d874b7" ], "report_names": [ "showcard.cgi?u=f1ea7365-0f0a-44c5-afc4-13fdf0d874b7" ], "threat_actors": [ { "id": "6d1762e8-c48c-4fda-b4d1-ecb91179720e", "created_at": "2022-10-25T16:07:24.55351Z", "updated_at": "2026-04-10T02:00:05.031489Z", "deleted_at": null, "main_name": "Salty Spider", "aliases": [], "source_name": "ETDA:Salty Spider", "tools": [ "Kookoo", "Kukacka", "Kuku", "SalLoad", "SaliCode", "Sality" ], "source_id": "ETDA", "reports": null }, { "id": "9fe7fd84-e2b4-4db5-9c90-c4a5791d3f94", "created_at": "2023-01-06T13:46:38.904178Z", "updated_at": "2026-04-10T02:00:03.14055Z", "deleted_at": null, "main_name": "SALTY SPIDER", "aliases": [], "source_name": "MISPGALAXY:SALTY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434373, "ts_updated_at": 1775826708, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a1187bdab91b45a075bf5943927f8109aec4b584.pdf", "text": "https://archive.orkl.eu/a1187bdab91b45a075bf5943927f8109aec4b584.txt", "img": "https://archive.orkl.eu/a1187bdab91b45a075bf5943927f8109aec4b584.jpg" } }