Salt Typhoon persistent espionage campaign targeting global networks
Campaign
Summary
Salt Typhoon remains a persistent espionage campaign with multi-year infrastructure now traced back to May 2020. A new analysis found 45 previously unreported domains tied to Salt Typhoon and UNC4841, including overlap with Barracuda Email Security Gateway exploitation via CVE-2023-2868 (CVSS 9.8). The findings indicate the 2024 Salt Typhoon attacks were not the group’s first known activity and extend the campaign’s long-running infrastructure footprint across China-linked espionage operations.
Related Happenings
China-nexus hijacked-device proxy network campaign
Campaign
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
China-nexus hackers are **increasingly using** large-scale proxy networks of hijacked consumer devices to **evade detection**, making malicious traffic harder to trace and block....
Storm-1175 high-velocity exploit campaign
Campaign
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Red Menshen telecom espionage campaign
Campaign
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
MuddyWater U.S. network intrusion campaign targeting banks, airports, and a software company arm
Campaign
First: 06.03.2026 12:23
Last: 06.03.2026 12:23
Sources 1
About this happening:
**MuddyWater (Seedworm)** is running a **state-linked intrusion campaign** that has embedded itself in **U.S. banks, airports, a non-profit, and an Israeli software company arm**,...
Middle East retaliatory hacktivist DDoS campaign
Campaign
First: 04.03.2026 19:21
Last: 04.03.2026 19:21
Sources 1
About this happening:
A **retaliatory hacktivist DDoS campaign** has surged across the **Middle East**, creating broad disruption risk for **government** and **public-infrastructure** targets. Research...
Timeline
28.08.2025 17:04 · 3 articles
Salt Typhoon targets exposed edge devices across global telecom and critical networks
Campaign Scope Update
Authorities from 13 countries said Salt Typhoon continued targeting telecommunications, government, transportation, lodging, and military infrastructure networks, with initial access gained through exposed Cisco, Ivanti, and Palo Alto Networks edge devices and follow-on activity that included router modification, GRE tunnels, ACL changes, and TACACS+ traffic capture for credential theft and lateral movement. The campaign was also linked to three Chinese entities and described as active since at least 2019, with reporting that the activity has affected 600+ organizations across 80 countries, including 200 in the U.S.
Sources:
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- 45 Previously Unreported Domains Expose Longstanding Salt Typhoon Cyber Espionage — thehackernews.com — 09.09.2025 03:27