Salt Typhoon

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to intrusion sets

· Published 16/12/2025 19:39 · Modified 27/03/2026 01:14 · Source: The MITRE Corporation

Essential information

Confidence: 100/100
Published: 16/12/2025 19:39
Modified: 27/03/2026 01:14
Updated at: 27/03/2026 01:14
Revoked: No
Author / Source: The MITRE Corporation
Resource level: —
Primary motivation: —
Related entities: 4 reports, 78 attack patterns (mitre), 6 malware, 5 sectors, 9 countries, 65 indicators, 8 vulnerabilities (cve)

Description

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).(Citation: US Dept. of Treasury Salt Typhoon JAN 2025)(Citation: Cisco Salt Typhoon FEB 2025)

Marking (TLP)

External references

Cisco Salt Typhoon FEB 2025
US Dept. of Treasury Salt Typhoon JAN 2025
mitre-attack (G1045)

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (4)

DeedRAT: Unpacking a Modern Backdoor's Playbook

11 MITREs 1 Malware 4 Observables 1 APT
Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat

16 MITREs 1 APT
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide …

6 CVEs 31 MITREs 92 Observables 1 APT
The Persistent Threat of Salt Typhoon: Tracking Exposures …

16 MITREs 3 Malwares 1 APT

Attack patterns (MITRE) (78)

T1068 uses

Exploitation for Privilege Escalation MITRE
T1199 uses

Trusted Relationship MITRE
T1070 uses

Indicator Removal MITRE
T1056 uses

Input Capture MITRE
Network Topology uses

T1590.004 MITRE
T1071.001 uses

Web Protocols MITRE
T1059 uses

Command and Scripting Interpreter MITRE
T1571 uses

Non-Standard Port MITRE
T1012 uses

Query Registry MITRE
T1105 uses

Ingress Tool Transfer MITRE
T1562.001 uses

Disable or Modify Tools MITRE
T1543.003 uses

Windows Service MITRE

← Previous

Page / 7

1–12 of 78

POISONPLUG.SHADOW uses

Family
SNAPPYBEE uses

Family
JumbledPath uses
MASOL RAT uses

Family
ShadowPad - S0596 uses

Family
DeedRAT uses

Family

Sectors (5)

Government targets
Technology targets
Defense targets
Energy targets
Telecommunications targets

Countries (9)

Germany targets
Taiwan targets
Australia targets
New Zealand targets
Central African Republic targets
United States of America targets
South Africa targets
Canada targets
United Kingdom of Great Britain and Northern Ireland targets

Indicators (65)

solveblemten.com indicates
verfiedoccurr.com indicates
http://89.31.121.101:443/DisplayDialog.exe indicates
servicecloudconnect.com indicates
cloudprocenter.com indicates
chekoodver.com indicates
2d9107edad9f674f6ca1707d56619a355227a661163f18b5794326d4f81a2803 indicates
asparticrooftop.com indicates
e-forwardviewupdata.com indicates
hateupopred.com indicates
http://89.31.121.101:443/dbindex.dat indicates
http://89.31.121.101:443/imfsbDll.dll indicates

← Previous

Page / 6

1–12 of 65

Vulnerabilities (CVE) (8)

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2023-20273 KEV targets

7.2 High

Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the …

Attack vector: Network
Published: 23/10/2023
Modified: 21/12/2025

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2018-0171 KEV targets

9.8 Critical

Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …

Attack vector: NETWORK
Published: 03/11/2021
Modified: 14/01/2026

CVE-2023-20198 KEV targets

10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector: Network
Published: 16/10/2023
Modified: 21/12/2025

CVE-2022-3236 KEV targets

9.8 Critical

A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.

Attack vector: Network
Published: 23/09/2022
Modified: 27/05/2026

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2023-48788 KEV targets

9.8 Critical

Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

Attack vector: Network
Published: 25/03/2024
Modified: 21/12/2025

Contact About Legal notice Privacy policy Terms of use

Salt Typhoon

Essential information

Description

Marking (TLP)

External references

Related entities

Reports (4)

Attack patterns (MITRE) (78)

Malware (6)

Sectors (5)

Countries (9)

Indicators (65)

Vulnerabilities (CVE) (8)