Salt Typhoon first emerged in the public consciousness with media reporting in late 2024. The previously unknown (or overlooked) threat actor was quickly linked to widespread intrusions in major US-based telecommunications companies, and targeting of both specific systems used to enable lawful intercept operations as well as the communications of high profile individuals. Subsequent reporting indicated the group may not be limited to US operations, with unnamed officials indicating that multiple additional countries may also have been targeted by Salt Typhoon. The group appeared to be both incredibly prolific and dangerous – yet at the same time, obscure as the cryptonym “Salt Typhoon” had not featured in any detailed or significant public reporting prior to the articles in late 2024.

Who Is “Salt Typhoon?”

In spring 2023, Microsoft changed its naming schema for threat actors from an “element” focused system (e.g., “PHOSPHORUS”) to a “descriptor-weather” system (e.g., “Seashell Blizzard”). The subsequent “Rosetta Stone” for Microsoft’s threat actor names revealed the only public mention of Salt Typhoon outside of initial reporting from the Wall Street Journal and other media outlets:

The above describes Salt Typhoon as a People’s Republic of China (PRC) threat actor also referred to as “GhostEmperor” and “FamousSparrow.” This begins to orient “what” Salt Typhoon may be, but adds no explanation, detail, justification, or notes for how or why “Salt Typhoon” overlaps with, is the same as, or relates to these other names. Yet, this single entry in one table was used to immediately link the telecommunication provider intrusions conducted by Salt Typhoon to historical actors GhostEmperor and FamousSparrow.

GhostEmperor and FamousSparrow refer to intrusion sets or threat actors previously documented by Kaspersky and ESET, respectively, in 2021. Both entities leveraged the ProxyLogon set of vulnerabilities to compromise Microsoft Exchange servers and appeared to have at minimum Chinese language links, but otherwise these two entities diverged in their described behaviors. GhostEmperor, tracked since July 2020, included intrusions against multiple webserver frameworks beyond just Microsoft Exchange, and culminated with the deployment of a rootkit (Demodex) against entities in Southeast Asia (and some geographical outliers) in the government and telecommunications sectors. FamousSparrow, tracked since at least 2019, also used ProxyLogon exploitation (but no details on any other vectors during initial reporting) leading to the deployment of a unique backdoor (SparrowDoor) against governments, international organizations, engineering companies, and law firms spanning North America, South America, Africa, Europe, the Middle East, and Southeast Asia.

Based on the above, while similarities exist between GhostEmperor and FamousSparrow, a definitive link, let alone direct overlap, between the two is at best very tenuous. ProxyLogon exploitation, for example, extended across multiple threat actors in the timeframe that GhostEmperor and FamousSparrow were leveraging this vulnerability. Notably, researchers from ESET in analysis in 2025 explicitly stated that FamousSparrow and GhostEmperor represent different entities:

The above was expounded upon further in technical reporting, with a particular emphasis on alleged links to Salt Typhoon. As noted by ESET in this article, Microsoft has not provided any detailed reporting, evidence, or justification as to how or why Salt Typhoon overlaps with FamousSparrow (let alone how FamousSparrow is linked to GhostEmperor), leading to substantial confusion among these entities within the broader threat intelligence and analyst community.

Such issues were compounded further when additional research emerged from Trend Micro around a group tracked as “Earth Estries.” First reported on in 2023 with alleged links to FamousSparrow, Earth Estries superficially fits a similar profile: active since 2020; targeting government and technology entities in North America, Europe, Africa, and Southeast Asia; and extensively leveraging DLL sideloading or search order hijacking for defense evasion. Yet when digging into actual details, the two groups appear linked only in tenuous ways that represent overlaps with multiple other threat actors. Subsequent reporting on Earth Estries linked the group to FamousSparrow, GhostEmperor, and Salt Typhoon – yet follow-on reporting only a few weeks later noted that such links may only be behavioral overlaps as opposed to direct links:

Historical analysis makes matters even more confusing as a malware variant associated with FamousSparrow (SparrowDoor) named “CrowDoor” was identified with another likely PRC-based intrusion set: Tropic Trooper. Active since 2011, Tropic Trooper has targeted various entities in East Asia as well as the Middle East, but is generally linked to an entirely different set of behaviors than those resulting in the overlaps witnessed in FamousSparrow, GhostEmperor, and Salt Typhoon.

At this stage, a whirlwind of threat actor names, links or overlaps, and behavioral documentation exists for a variety of items that may (or may not) relate to Salt Typhoon. Throughout this period, the only definitive information linking any activity cluster to an “entity in the world” is a US Department of Treasury Office of Foreign Assets Control (OFAC) statement that explicitly identifies the following:

  1. Sichuan Juxinhe Network Technology Co., Ltd (Juxinhe), a Sichuan-based cybersecurity company with direct involvement in Salt Typhoon Operations.
  2. Juxinhe has longstanding relationships with the PRC MSS.
  3. Based on the above, MSS is likely associated with Salt Typhoon targeting and tasking, if not direct operations.

We thus have some (presumably) definitive information from a government source on “who” (or at least “what”) Salt Typhoon is, but this information relates to a specific PRC cyber operations contractor and its links to the MSS. The trail of information to other entities—GhostEmperor, FamousSparrow, Earth Estries—remains at best obscure, if not completely nonexistent.

The result is a mishmash of overlapping entities, each related to the others tangentially (and in some cases perhaps more definitively) but with no absolute link. From an attribution and threat tracking perspective, we are thus left with something similar to the following diagram:

What Does It Mean?

The above analysis may seem like so much cyber threat intelligence trivia and minutiae – yet it retains meaning. We can, based on the Treasury OFAC sanction, clearly link at least Salt Typhoon (if not all of these entities) to the PRC’s MSS (or a constellation of contractors supporting MSS). This gives us insight into motivation, which does not appear to differ significantly whether we’re discussing Salt Typhoon or Tropic Trooper: espionage operations designed to breach sensitive networks, identify information of interest, and extract it for analysis.

But the how related to this intention remains different—either fundamentally or tangentially—amongst all of these entities. And this is where the conflation of so many “groups” with Salt Typhoon has actual cost. At present, aside from one detailed report from Cisco Talos, specific technical details on Salt Typhoon operations remain something of a mystery. High-profile, general media reporting has nonetheless placed a spotlight on this threat actor, prompting multiple entities to question what they do and how they operate – and in the vacuum of available information, other entities have jumped at the chance to amplify weak or even nonexistent links to map this actor to historical actions. Thus we have “Salt Typhoon, also known as FamousSparrow, GhostEmperor, Earth Estries…” and similar statements, when the actual evidence and detail needed to make such claims are, at the moment, completely unavailable in any public forum.

Thus in trying to defend against “Salt Typhoon” attacks as witnessed by major US telecommunications companies, organizations may find themselves fighting “the last war” against GhostEmperor or FamousSparrow when these entities are completely irrelevant for the current landscape. First and foremost, for those concerned about such actions, defensive decision-making will be limited so long as detailed information on just what Salt Typhoon “is”—and more importantly, how they operate—remains scarce. Second, for those grasping for anything to bolster network defense and similar actions, following weak links to historical activity may appear to satisfy a need, but likely will result in misguided actions that fail to address the root problem.

Conclusion

Salt Typhoon is a unique entity given its significant public profile due to intense general media reporting combined with scarce in-depth technical information and assessment as to precisely how this group operates. Given the intense concern over this group’s operations, it is therefore unsurprising that analysts and others have played quite fast and loose with connections to other entities to provide some semblance of a profile for this threat actor. Yet reviewing these “links,” few (if any) withstand significant scrutiny, as observed in the statements made by analysts identifying some of the historical activity (e.g., FamousSparrow) now linked to Salt Typhoon operations.

The key lesson for decision makers is thus to carefully evaluate information as it is received to ensure not just technical accuracy, but also the veracity and viability of supporting arguments. In the search for “who is Salt Typhoon,” multiple entities have made logical and analytical leaps that are at best misleading, and at worst will divert defensive action to topics more relevant a few years ago than in today’s environment.

Note: This post has been edited/corrected from its original version to remove confusion associated with an individual named in the Treasury OFAC report cited, who is NOT associated with Salt Typhoon operations.
