On August 27, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the National Security Agency (NSA), along with multiple partners, released a joint Cybersecurity Advisory (CSA). The advisory details the tactics, techniques, and procedures (TTPs) leveraged by Chinese State-Sponsored Actors whose activity partially overlaps with that of the cyber threat actor reported by the cybersecurity industry as Salt Typhoon.
Salt Typhoon is a Chinese state-sponsored cyber threat actor that has been active since at least 2019. It primarily targets critical sectors, including Telecommunications, Technology and Government entities across the United States, the Asia-Pacific region, the Middle East, and South Africa.
Attribution to Salt Typhoon has been made primarily by Microsoft, which uses the “Typhoon” naming convention for China-based actors. Several other vendors have reported overlapping clusters under different names—FamousSparrow (ESET), GhostEmperor (Kaspersky), Earth Estries (Trend Micro), and UNC2286 (Mandiant). While Microsoft considers these clusters to be aliases of Salt Typhoon, no public reporting has provided detailed technical evidence, such as TTPs or specific indicators, to substantiate this overlap. ESET, in contrast, maintains that FamousSparrow represents a distinct intrusion set based on clear operational and technical differences. Additionally, the authoring agencies involved in the CSA are not adopting a particular commercial naming convention for the threat activity detailed in the advisory. For consistency, AttackIQ has decided to group all of the aforementioned clusters of activity under the name Salt Typhoon, both for better organization and to make related emulations easier to locate.
AttackIQ has released an update to its existing assessment template to incorporate additional behaviors reported across multiple sources, as well as a new attack graph that emulates the SparrowDoor and ShadowPad campaign documented by ESET.
Validating your security program performance against these behaviors is vital in reducing risk. By using these assessment templates in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against recently active Chinese APT activity.
- Assess their security posture against an adversary focused on the Government, Technology, and Telecommunications sectors.
- Continuously validate detection and prevention pipelines against a threat that conducts espionage operations globally.
Salt Typhoon – 2024-11 – Associated Tactics, Techniques and Procedures (TTPs) (UPDATE)
This assessment template emulates the various Tactics, Techniques and Procedures (TTPs) exhibited by Salt Typhoon in recent operations. The assessment was updated to include the techniques reported by Trend Micro in November 2024 and Talos in February 2025, as well as those in the Cybersecurity Advisory (CSA) from August 2025. Below is a detailed description of all newly incorporated behaviors included in the updated template, organized by tactic.
Execution
Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.
Create Process Through WMI (T1047): This scenario executes a binary by creating a process using Windows Management Instrumentation (WMI).
Code Injection via Load Library and Create Remote Thread (T1055.001): This scenario performs the injection of a Dynamic-link Library (DLL) into a process utilizing CreateRemoteThread and LoadLibrary.
Execute DLL Through RunDLL32 (T1218.011): This scenario executes an exported function from a specific DLL using the rundll32.exe Windows utility.
System Binary Proxy Execution using “msiexec.exe” Script (T1218.007): This scenario executes msiexec.exe to remotely install an MSI package.
Persistence
Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Create Account (T1136.001): This scenario attempts to create a new user on the system with the net user Windows command.
New Service using “sc.exe” (T1543.003): This scenario leverages the native sc command line tool to create a new service and performs a query in order to verify if the service was correctly created.
Scheduled Task Execution (T1053.005): This scenario emulates the use of the Windows utility schtasks to immediately execute a previously created task.
Defense Evasion
Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.
Hidden Files and Directories Script (T1564.001): This scenario executes a batch script to hide a file using the attrib command and subsequently deletes the hidden file. Enabling the hidden attribute is an attempt to prevent malicious files from being detected by defenders.
Credential Access
Consists of techniques used by adversaries to harvest credentials available on the compromised system.
Dump SYSTEM Registry Hive via “reg save” Command (T1003.002): This scenario attempts to save a copy of the HKLM\SYSTEM registry hive to a temporary file by executing the native Windows reg save command.
Discovery
Consists of techniques that adversaries use to discover information related to the compromised environment.
Domain Administrator Accounts Discovery Via Net Command Script (T1087.002): This scenario executes net group command to list domain administrator accounts.
Obtain Username using “whoami” Command (T1033): This scenario executes the native whoami command to receive details of the running user account.
File and Directory Discovery Script (T1083): This scenario executes the native dir command to discover files and directories and output to a temporary file.
Get Network Shares Information through Windows Command Line (T1049): This scenario executes the net use Windows Command to retrieve information about the system’s network shares.
Scan for Remote Systems with SMB, RDP, or LDAP Ports Open (T1018): This scenario performs a scan of the local network searching for any remotely accessible systems with ports 139, 389, 445, 636, or 3389 open.
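The scan scenario above is a good fit for a simple network-side detection: one source reaching the SMB, LDAP or RDP ports on many distinct hosts in a short window. The following is an added example written for this post, not AttackIQ's own code; the flow records are constructed, and the 60-second window and five-host threshold are assumed tuning values.

```python
"""Detect the internal port sweep the T1018 scenario describes: one source
reaching the SMB/LDAP/RDP ports (139, 389, 445, 636, 3389) on many distinct
hosts inside a short window.  The flow records are constructed for this
example and are not from the page or any real capture."""
from collections import defaultdict

SCAN_PORTS = {139, 389, 445, 636, 3389}

def detect_sweeps(flows, window_s=60, min_hosts=5):
    """flows: iterable of (ts_seconds, src_ip, dst_ip, dst_port).
    Returns {src_ip: (max_distinct_hosts, window_start_ts, window_end_ts)}
    for each source that reached >= min_hosts distinct destinations on
    SCAN_PORTS within any window_s-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in SCAN_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        left, in_window = 0, defaultdict(int)   # dst -> hits inside the window
        for ts, dst in hits:
            in_window[dst] += 1
            while ts - hits[left][0] > window_s:  # slide the window forward
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            n = len(in_window)
            if n >= min_hosts and n >= alerts.get(src, (0,))[0]:
                alerts[src] = (n, hits[left][0], ts)
    return alerts

# Constructed flows: one scanner, two benign patterns, one slow sweep
SAMPLE_FLOWS = (
    [(100 + i, "10.0.0.5", f"10.0.0.{10 + i}", 445) for i in range(8)] +   # sweep on 445
    [(110 + i, "10.0.0.5", f"10.0.0.{10 + i}", 3389) for i in range(8)] +  # same hosts on 3389
    [(200 + i, "10.0.0.9", "10.0.0.50", 445) for i in range(20)] +        # client to one file server
    [(205, "10.0.0.9", "10.0.0.2", 389), (230, "10.0.0.9", "10.0.0.2", 636)] +  # LDAP to one DC
    [(300 + i, "10.0.0.7", f"10.0.0.{60 + i}", 80) for i in range(10)] +  # many hosts, but port 80
    [(400 + 150 * i, "10.0.0.20", f"10.0.0.{70 + i}", 3389) for i in range(5)]  # 1 host per 150 s
)
```

Widening the window (for example to 900 seconds) also surfaces the slow sweep, at the cost of more noise from legitimate administration traffic.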
Command and Control
Consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.
SSH Connection to AttackIQ Server (T1021.004): This scenario initiates an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.
Salt Typhoon – 2025-03 – SparrowDoor and ShadowPad Campaign
This attack graph emulates the Tactics, Techniques, and Procedures (TTPs) observed in Salt Typhoon activity, specifically the FamousSparrow cluster. The emulation is based on ESET’s March 26, 2025 report detailing the SparrowDoor backdoor.

In March 2025, ESET reported on suspicious activity affecting a U.S.-based trade group operating in the financial sector. The activity was attributed to a China-aligned advanced persistent threat (APT) group known as FamousSparrow, also tracked as Salt Typhoon by Microsoft. In this campaign, the group deployed the ShadowPad backdoor for the first time, alongside two previously undocumented variants of its custom SparrowDoor malware.
This emulation begins with the deployment of a DotNetNuke webshell, which provides initial access. From there, legitimate Windows utilities are abused to gather information about the host and Active Directory environment. The SparrowDoor backdoor is then deployed via DLL Side-Loading, with persistence attempted through a newly created service or, as a fallback, a Registry Run key. Next, the SAM, SYSTEM, and SECURITY registry hives are dumped before shifting to an extensive discovery phase, which includes collecting system details, enumerating running processes and installed software, and scanning available drives and the file system. The emulation culminates with the deployment of ShadowPad, a modular backdoor that enables dynamic loading of additional plugins that are not initially embedded in the sample.
Execution & Discovery – DotNetNuke Webshell Deployment and Initial Reconnaissance

This stage begins with the decoding of the DotNetNuke webshell using certutil, which is then saved to the filesystem. Next, it spawns a command shell via CreateProcessA, initiating a reconnaissance phase. During this routine, information about the local host and the Active Directory is collected to gain insight into the environment and potential lateral movement paths.
Deobfuscate / Decode Files or Information Script (T1140): This scenario utilizes the legitimate certutil binary to decode a base64 encoded payload.
2023-05 DotNetNuke Webshell Sample (T1105): The DotNetNuke Webshell sample (SHA256: d057034675befc1b4c2ae4132c4d169201c9abfbae79181185d45ca6721e43cc) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Process Creation via “CreateProcessA” Native API (T1106): This scenario executes the CreateProcessA Windows API call to create a new process of a given executable payload.
Enumerate Local System Accounts via net Command (T1087.001): This scenario executes the net user command to enumerate all local system accounts.
Get IP Information through Windows Command Line (T1016): This scenario executes the ipconfig /all Windows command to retrieve information about all network adapters.
System Network Connections Discovery (T1049): This scenario uses the native Windows command line tool netstat to collect active connections and any listening services running on the host.
Enumerate Trusted Domains via nltest (T1482): This scenario executes the command nltest /trusted_domains to obtain domain trust relationships, which allow a domain to access resources based on another domain’s authentication procedures.
Execution & Persistence – SparrowDoor Deployment

During this stage, SparrowDoor components are retrieved via PowerShell and saved to the system. Once deployed via DLL side-loading, it attempts to establish persistence by creating a service and forcing its execution. If this method fails, a registry Run key with the same name is created as a fallback. The final payload is then executed using process hollowing, enabling it to run in the context of a trusted process.
2024-04 SparrowDoor loader Sample (T1105): The SparrowDoor loader sample (SHA256: d53346b5c8c6c76e7bc0407410a58328a1e214a4d359e558380963d29a35f71b) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
DLL Side-Loading (T1574.002): This scenario leverages a legitimate and trusted executable to load a malicious Dynamic-link Library (DLL).
2020-07 Salt Typhoon’s Encrypted SparrowDoor Sample (T1105): The Salt Typhoon’s encrypted SparrowDoor sample (SHA256: 90af57e976aea91030579b9761e5265251986b707550ca1b793191e2818bad92) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
New Service using “sc.exe” (T1543.003): This scenario leverages the native sc command line tool to create a new service and performs a query in order to verify if the service was correctly created.
Service Execution Using “StartServiceA” (T1569.002): This scenario executes the StartServiceA Windows API to simulate service execution, which can also be used to escalate privileges from Administrator to SYSTEM by modifying an existing service.
Persistence Through Registry Run and RunOnce Keys (T1547.001): This scenario creates an entry under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key to be run at system startup and acquire persistence.
Process Hollowing (T1055.012): This scenario creates a process in a suspended state and unmaps its memory, which is then replaced with the contents of a malicious executable. This technique allows the malicious code to be executed while being masked as a legitimate process.
Credential Access & Defense Evasion – Dumping of Registry Hives

In this stage, attrib.exe is used to apply hidden and system attributes to the SparrowDoor loader, helping evade detection. The emulation then shifts to credential access, with the dumping of the SAM, SYSTEM, and SECURITY registry hives to extract sensitive account and authentication information.
Hidden Files and Directories Script (T1564.001): This scenario executes a batch script to hide a file using the attrib command and subsequently deletes the hidden file. Enabling the hidden attribute is an attempt to prevent malicious files from being detected by defenders.
Dump SYSTEM Registry Hive via “reg save” Command (T1003.002): This scenario attempts to save a copy of the HKLM\SYSTEM registry hive to a temporary file by executing the native Windows reg save command.
Dump SAM Registry Hive via “reg save” Command (T1003.002): This scenario attempts to save a copy of the HKLM\SAM registry hive to a temporary file by executing the native Windows reg save command.
Dump SECURITY Registry Hive via “reg save” Command (T1003.002): This scenario attempts to save a copy of the HKLM\SECURITY registry hive to a temporary file by executing the native Windows reg save command.
Discovery – System Fingerprinting

This stage focuses on system discovery, beginning with the identification of the current user context. Commands are then executed to list running processes, detect installed security software, gather details on available drives, and enumerate the broader file system. It then deploys ShadowPad via DLL side-loading and establishes communication with its command-and-control (C2) server over HTTP (port 80).
Obtain Username using “whoami” Command (T1033): This scenario executes the native whoami command to receive details of the running user account.
Process Discovery Through Tasklist (T1057): This scenario enumerates processes running on the target asset through the tasklist Windows utility. The results are saved to a file in a temporary location.
Discover Security Software (AntiVirusProduct) using WMI Command (T1518.001): This scenario uses the native Windows Management Instrumentation Command-line (WMIC) utility to determine which software has been installed as an AntiVirusProduct class.
Drive Type Discovery via “GetDriveTypeW” Native API (T1120): This scenario retrieves information about the system’s physical disks using the GetDriveTypeW Windows API call.
File and Directory Discovery via “FindFirstFileW” and “FindNextFileW” Native API (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system.
2024-05 ShadowPad Loader Sample (T1105): The ShadowPad loader sample (SHA256: bdadcd2842ed7ba8a21df7910a0acc15f8b0ca9d0b91bebb49f09a906ae217e6) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
DLL Side-Loading (T1574.002): This scenario leverages a legitimate and trusted executable to load a malicious Dynamic-link Library (DLL).
HTTP Communication (T1071.001): This scenario simulates an attacker using TCP port 80 to communicate via the HTTP protocol, attempting to bypass network security defenses.
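Most of the scenarios in the assessment template and in the attack graph stages above are native-tool command lines (certutil decode, reg save of the SAM/SYSTEM/SECURITY hives, sc create, attrib +h/+s, net user /add, schtasks /run, the WMIC AntiVirusProduct query, nltest trust enumeration and Run-key adds), which makes them a natural target for process-creation telemetry. The following is an added detection example written for this post, not AttackIQ's or any vendor's code; the regexes are assumptions about how these commands appear in Sysmon Event ID 1 or Windows 4688 command lines, and the sample events are constructed.

```python
"""Flag process-creation events whose command lines match the native-tool
TTPs listed in the Salt Typhoon template and attack graph.  Rules are keyed
by the ATT&CK IDs used on the page; the regexes and sample events are
constructed for this example and are not from any real incident."""
import re

# (technique_id, short name, case-insensitive regex over the command line)
RULES = [
    ("T1140", "certutil decode", r"\bcertutil(\.exe)?\b.*\s-decode\b"),
    ("T1003.002", "reg save of SAM/SYSTEM/SECURITY hive",
     r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b"),
    ("T1543.003", "service creation via sc", r"\bsc(\.exe)?\s+create\b"),
    ("T1564.001", "attrib hidden/system flag", r"\battrib(\.exe)?\b.*\+[hs]\b"),
    ("T1136.001", "local account creation", r"\bnet1?(\.exe)?\s+user\b.*\s/add\b"),
    ("T1053.005", "schtasks immediate run", r"\bschtasks(\.exe)?\s+/run\b"),
    ("T1518.001", "AV product query via WMIC", r"\bwmic(\.exe)?\b.*antivirusproduct"),
    ("T1482", "domain trust enumeration",
     r"\bnltest(\.exe)?\s+/(trusted_domains|domain_trusts)\b"),
    ("T1547.001", "Run key persistence", r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b"),
]
COMPILED = [(tid, name, re.compile(rx, re.IGNORECASE)) for tid, name, rx in RULES]

def detect(events):
    """Return one finding per (event, rule) match, in event order.
    Each event is a dict with host, pid and cmdline (Sysmon ID 1 / 4688 style)."""
    findings = []
    for ev in events:
        for tid, name, rx in COMPILED:
            if rx.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "pid": ev["pid"],
                                 "technique": tid, "rule": name})
    return findings

def techniques_per_host(findings):
    """Distinct technique IDs per host: several of these TTPs on one host in
    a short span is a far stronger signal than any single command alone."""
    out = {}
    for f in findings:
        out.setdefault(f["host"], set()).add(f["technique"])
    return out

# Constructed sample events mirroring the emulation's command lines
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "cmdline": r"certutil.exe -decode C:\Users\Public\b64.txt C:\inetpub\wwwroot\shell.aspx"},
    {"host": "ws01", "pid": 4188, "cmdline": r"nltest /trusted_domains"},
    {"host": "ws01", "pid": 4210, "cmdline": r"sc create UpdateSvc binPath= C:\ProgramData\svc\legit.exe"},
    {"host": "ws01", "pid": 4260, "cmdline": r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v UpdateSvc /t REG_SZ /d C:\ProgramData\svc\legit.exe"},
    {"host": "ws01", "pid": 4301, "cmdline": r"attrib +h +s C:\ProgramData\svc\loader.dll"},
    {"host": "ws01", "pid": 4333, "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"host": "ws01", "pid": 4334, "cmdline": r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"},
    {"host": "ws02", "pid": 980, "cmdline": r"reg add HKCU\Software\Contoso\App /v Theme /d dark"},  # benign reg add
    {"host": "ws02", "pid": 1002, "cmdline": r"ipconfig /all"},  # benign on its own
]
```

Single matches such as a lone reg add or attrib call are common in legitimate administration; the per-host grouping is what turns this chain into a credible alert.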
Opportunities to Expand Emulation Capabilities
In addition to the released assessment template and attack graph, AttackIQ recommends the following existing scenarios to extend the emulation of the capabilities exhibited in this advisory.
Lateral Movement Through PAExec: This scenario simulates lateral movement within a network using PAExec, an open-source version of PSExec.
Execute PowerShell Script in Remote System with PAExec: This scenario simulates the execution of a PowerShell script on a remote machine using PAExec.
Clear Command History Script: This scenario executes history -c to clear the command history typically stored in ${HOME}/.bash_history.
Wrap-up
In summary, these assessment templates will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by Salt Typhoon. With data generated from continuous testing and use of these assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a widely distributed and dangerous threat.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.
