A Chinese state-sponsored hacking group going by the alias Salt Typhoon is reported to use custom malware to spy on US telecommunication networks.
This is part of a sophisticated cyberespionage campaign that uses a tool called JumbledPath. This custom malware allows the hackers to steal sensitive data and also lets them monitor network traffic.
Salt Typhoon’s Recent Activities
Salt Typhoon is also known as Earth Estries, GhostEmperor, or UNC2286. The group has been active since 2019. Its primary targets are government entities and telecommunication companies.
US authorities and researchers have confirmed Salt Typhoon’s involvement in several successful breaches. These breaches have affected major US telecommunication service providers. Verizon, AT&T, Lumen Technologies, and T-Mobile were all targeted.
The hackers even accessed the private communications of some US government officials. They have also stolen information related to court-authorized wiretapping requests.
The Scale of the Attacks
Recorded Future’s Insikt Group reported that Salt Typhoon targeted over 1,000 Cisco network devices. More than half were in the US, South America, and India. This happened between December 2024 and January 2025. Cisco Talos has provided more details on this incident. They revealed that the hackers’ activity spanned over three years in some cases.
Cisco Talos Reveals Salt Typhoon’s Tactics and Techniques
Cisco Talos stated that Salt Typhoon gained access primarily through stolen credentials. They found no evidence of zero-day exploits.
“No new Cisco vulnerabilities were discovered during this campaign,” states Cisco Talos.
Once inside, the hackers expanded their access. They extracted additional credentials from network device configurations. They also intercepted authentication traffic (SNMP, TACACS, and RADIUS).
They then exfiltrated device configurations via TFTP and FTP. This facilitated lateral movement and provided sensitive authentication data.
The attackers used advanced techniques for persistent access and evasion. They frequently moved between devices to hide their tracks.
They used compromised edge devices to access partner networks and then modified network configurations. They also enabled Guest Shell access and altered access control lists (ACLs). Afterwards they were reported to have created hidden accounts.
The Role of JumbledPath Custom Malware
A key part of the attacks involved monitoring network activity and stealing data. The hackers used tools like Tcpdump, Tpacap, Embedded Packet Capture, and their custom tool, JumbledPath. JumbledPath is a Go-based ELF binary for x86_64 Linux systems.
It ran on various edge networking devices. This included Cisco Nexus devices. JumbledPath allowed the hackers to initiate packet capture. The malware uses a jump-host to make requests appear as if they are coming from a trusted device.
This also helped obfuscate the attackers’ true location. JumbledPath can also disable logging and clear existing logs. This is done deliberately to make forensic investigations harder.
Mitigation Against Salt Typhoon
Cisco has advised monitoring for unauthorized SSH activity on non-standard ports. They also suggest monitoring logs for anomalies. This includes missing or unusually large ‘.bash_history’ files. Inspecting for unexpected configuration changes is also recommended by Cisco.
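As an added illustration of two of the host-side checks Cisco recommends above (example code written for this article, not Cisco’s own tooling), the script below flags sshd listeners on ports other than 22 in constructed `ss -tlnp`-style output and reports missing or oversized `.bash_history` files; the sample data and the size threshold are assumptions.

```python
import re

# Expected SSH service port; any other port that sshd listens on is flagged.
STANDARD_SSH_PORT = 22
# Assumed threshold for an "unusually large" .bash_history; tune it to your fleet.
BASH_HISTORY_MAX_BYTES = 64 * 1024

# Constructed sample output in the style of `ss -tlnp` (not from the article).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=1201,fd=3))
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=4410,fd=3))
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("python3",pid=987,fd=5))
"""

# Constructed sample of per-user .bash_history sizes in bytes; None = file missing.
SAMPLE_HISTORY_SIZES = {
    "/root/.bash_history": None,
    "/home/netops/.bash_history": 1_572_864,
    "/home/admin/.bash_history": 4_096,
}

# Matches a LISTEN row, capturing the local port and the owning process name.
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def find_nonstandard_ssh_listeners(ss_output):
    """Return the ports (other than 22) on which an sshd process is listening."""
    hits = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header line or a socket without process info
        port, proc = int(m.group(1)), m.group(2)
        if proc == "sshd" and port != STANDARD_SSH_PORT:
            hits.append(port)
    return hits


def check_bash_history(sizes, max_bytes=BASH_HISTORY_MAX_BYTES):
    """Return (path, reason) for every history file that is missing or oversized."""
    findings = []
    for path, size in sizes.items():
        if size is None:
            findings.append((path, "missing"))
        elif size > max_bytes:
            findings.append((path, "unusually large"))
    return findings


if __name__ == "__main__":
    print("sshd on non-standard ports:", find_nonstandard_ssh_listeners(SAMPLE_SS_OUTPUT))
    print(".bash_history anomalies:", check_bash_history(SAMPLE_HISTORY_SIZES))
```

On a live device, feed the functions the real `ss -tlnp` output and `os.path.getsize` results for each home directory instead of the constructed samples.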
Chinese threat actors are thus targeting edge networking devices. They install custom malware to monitor communications. They then steal credentials or act as proxy servers.
This has affected many manufacturers, including Fortinet, Barracuda, SonicWall, Check Point, D-Link, Cisco, Juniper, NetGear, and Sophos. Some of these attacks exploit zero-day vulnerabilities; others use compromised credentials or older vulnerabilities. Admins must apply patches to edge networking devices as soon as possible.