Threat Actor Profile

Salt Typhoon

Aliases
  • FamousSparrow
  • GhostEmperor
  • OPERATOR PANDA
  • RedMike
  • SLIME57
  • UNC2286
  • UNC4841
Origin
China
Active Since
2019
Motivation
Espionage, Intelligence collection
Cause
Nation State
Recent Activity

In late April 2026, Salt Typhoon was suspected in a breach of an IBM Italy subsidiary that manages IT infrastructure for Italian public and private-sector organizations. Attribution remains suspected, not confirmed.

Primary Targets
  • U.S. telecommunications providers
  • Internet service providers
  • Government organizations
  • Technology organizations
Target Locations
  • United States
  • Netherlands
Target Sectors
  • Telecommunications
  • Government
  • Technology
Vulnerabilities

CVE-2023-7102

CVE-2021-36260

CVE-2021-28199

Techniques
  • Valid credentials
  • Native administrative tools
  • Create Account
  • Exfiltration Over Alternative Protocol
  • Obtain Capabilities: Tool
  • Account Manipulation through SSH authorized keys
  • Data from Configuration Repository

Malware Tools
  • SparrowDoor
  • JumbledPath
Bitsight Contextualized Intelligence
  • Associated with long-running espionage operations
  • Linked to Sichuan Juxinhe Network Technology Co. LTD
  • Campaign activity continued into 2025 across telecom firms in the United States, Europe, Africa and Asia

Defensive Takeaways
  • Patch known vulnerabilities, including older CVEs
  • Harden identity and access controls
  • Monitor for stealthy long-duration intrusions
  • Review use of valid credentials and native administrative tools

How Bitsight Helps

Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.
