www.darkreading.com 3/24/2026, 2:51:51 PM · via preferred

How a Large Bank Uses AI Digital Twins for Threat Hunting

Salt Typhoon, also known as Earth Estries, has been spying on high-value government and telecommunications targets for years and recently unveiled a fresh backdoor named GhostSpider. The group is described as among the PRC’s most cutting-edge APTs, with campaigns stretching back to 2023 and more than 20 organisations compromised, including US telcos and ISPs in North America.

The newly disclosed GhostSpider is described as a highly modular backdoor. Other tools in the group's arsenal include the Masol RAT, the Deed RAT family known as SnappyBee, and a rootkit called Demodex, with Inc ransomware possibly used in some operations. GhostSpider can be tailored by loading different modules for specific tasks, a capability highlighted by Trend Micro’s analysts, according to Jon Clay, Trend Micro’s vice president of threat intelligence.

Since 2023, Salt Typhoon’s victims have spanned four continents, with a concentration in Southeast Asia. The attackers have focused on governments, telecoms, technology, and other critical sectors, often exploiting n-day vulnerabilities and targeting internet-facing devices rather than relying solely on phishing.

Article by CyberSIXT