Salt Typhoon targets telcos again with backdoor GhostSpider malware


  • Trend Micro discovers brand new backdoor called GhostSpider
  • It can exfiltrate sensitive data and tamper with the OS
  • It was used by a Chinese state-sponsored threat actor known as Salt Typhoon

Infamous Chinese state-sponsored threat actor Salt Typhoon has been seen using a brand new backdoor malware to target telecommunication service providers.

A report from cybersecurity professionals Trend Micro analyzed the backdoor, called GhostSpider, noting it is used in long-term cyber-espionage operations, with its key stealth mechanisms include remaining exclusively in memory, and encrypting its communication with the C2 server.

GhostSpider is capable of a number of things, including uploading malicious modules into memory, activating the module by initializing necessary resources, executing the primary loader function (data exfiltration, or system tampering), and closing the module to free memory and remain out of sight. Finally, it can adjust its behavior to avoid getting detected, while maintaining periodic communication with the C2 server.

Abusing endpoint flaws

The Washington Post noted US authorities recently notified 150 victims, most of which were in the D.C. area, that Salt Typhoon was eavesdropping on their communications.

In its report, Trend Micro added besides telecommunications, the Chinese target government entities, technology, consulting, chemicals, and transportation sectors in the U.S., Asia-Pacific, Middle East, South Africa, and other regions. To breach the systems, Salt Typhoon would exploit a number of flaws in different endpoints, including bugs in Ivant’s Connect Secure VPN, Fortinet’s FortiClient EMS, Sophos’ Firewall, and others.

While GhostSpider took all the limelight, Salt Typhoon was also spotted using other, never-seen-before variants, including a Linux backdoor called Masol RAT, a rootkit called Demodex, and a backdoor named SnappyBee.

Known as one of the more dangerous threat actors, Salt Typhoon mostly focuses on data exfiltration and surveillance, often aimed at government agencies, political figures, and key industries in the U.S. and allied nations. Some of its notable victims include major U.S. telecommunications providers such as T-Mobile, AT&T, Verizon, and Lumen Technologies.

Via BleepingComputer

Related posts

Get the best Black Friday deals on tech every single day

Rogue VPN servers used to spread malware via malicious updates

The M5-powered OLED iPad Pro is tipped to launch before the end of 2025

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More