Operation SalmonSlalom - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 16:18:44 UTC

APT group: Operation SalmonSlalom

Names: Operation SalmonSlalom (Kaspersky)
Country: China
Motivation: Information theft and espionage
First seen: 2025

Description: (Kaspersky) A Kaspersky ICS CERT investigation uncovered a cyberthreat specifically targeting various industrial organizations in the Asia-Pacific region. The threat was orchestrated by attackers using legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure. The attackers employed a sophisticated multi-stage payload delivery framework to ensure evasion of detection. Their techniques included the use of a native file hosting CDN, publicly available packers for sample encryption, dynamic changes in command and control (C2) addresses, a CDN hosting the payload, and the use of DLL sideloading.

Observed
Sectors: Construction, Financial, Government, Healthcare, IT, Manufacturing, Telecommunications.
Countries: China, Hong Kong, Japan, Malaysia, Philippines, Singapore, South Korea, Taiwan, Thailand, Vietnam.

Tools used: FatalRAT.

Last change to this card: 02 March 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=98b23cd0-b341-47a8-85cb-5aeb9df8b974