THREATOPS Actor Dossier
LIVE ← Dashboard

Salt Typhoon

G10451 reports
aliases · Salt Typhoon
Export dossier:
1
Reports
12
Techniques
6
Tactics
5
Countries
26%
Hunt coverage
1
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1583 (Acquire Infrastructure), T1003 (OS Credential Dumping), T1602 (Data from Configuration Repository).
  • Primary targeting: RU, US, AU, CA.
  • Newly emerged: 1 report(s) in last 30d vs 0 prior (+100%).
  • Recent movement: 31 new technique(s), 35 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 26% of 31 observed techniques (23 gap(s)).
  • Assessment confidence: high (95).

Activity & trend

Newly emergedLast 30d: 1 vs 0 prior (+100%)· first reported 2026-07-13 · last 2026-07-13
1
7d
1
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1583T1003T1602T1590.005T1584.008T1588.006T1071T1584.003T1190T1602.002T1595.002T1595
Targeting gained
AUCANZRUUS
New infrastructure
https://www.ic3.gov/PSA/2025/PSA250820https://media.defense.gov/2026/Jul/09/20https://www.cve.org/CVERecord?id=CVE-201https://www.cve.org/CVERecord?id=CVE-200https://media.defense.gov/2025/Aug/22/20https://www.nsa.gov/About/Cybersecurity-https://media.defense.gov/2022/Jun/15/20https://www.cyber.gc.ca/en/guidance/routhttps://www.cyber.gc.ca/en/guidance/secuhttps://www.cyber.gc.ca/en/guidance/guidhttps://www.cyber.gc.ca/en/guidance/basehttps://www.cyber.gc.ca/en/guidance/top-

Vulnerabilities in this actor's reporting · 2

Overview

Analyst triage
Intelligence summary

Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).(Citation: US Dept. of Treasury Salt Typhoon JAN 2025)(Citation: Cisco Salt Typhoon FEB 2025)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected