
Since 2023, Chinese state-sponsored threat actor Earth Estries (tracked as Salt Typhoon/GhostEmperor/UNC2286) has conducted sophisticated cyber espionage operations against telecommunications, government entities, and critical infrastructure across over 10 countries. Security researchers have documented their use of advanced malware families including GHOSTSPIDER, MASOL RAT, and SNAPPYBEE, with some campaigns maintaining persistence since 2019.
Operational Patterns and Infrastructure
Earth Estries operates through compartmentalized campaigns with distinct infrastructure patterns. The group’s Alpha campaign focuses on APAC governments using DEMODEX rootkits, while their Beta campaign targets global telecom providers through GHOSTSPIDER backdoors. Technical analysis reveals infrastructure overlaps with other Chinese APT groups, including shared WHOIS registrant details and protonmail contacts like [email protected].
Notable C2 infrastructure includes multi-hop communication through domains like billing[.]clothworls[.]com and telcom[.]grishamarkovgf8936[.]workers[.]dev. The group maintains operational security by rotating IP addresses like 165.154.227.192 and using Cloudflare Workers for proxy redirection.
Technical Analysis of Malware Arsenal
The GHOSTSPIDER backdoor employs stager-beacon architecture similar to Cobalt Strike, with encrypted .NET DLL payloads that perform hostname verification before activation. Recent variants incorporate DLL sideloading through legitimate executables and use living-off-the-land binaries for execution.
DEMODEX rootkit deployments typically begin with PowerShell execution chains:
PSEXEC -> cmd.exe -> Powershell.exe -ex bypass c:\windows\assembly\onedrived.ps1 password@123
SNAPPYBEE (Deed RAT) exhibits code similarities with known Chinese malware families, using loader variants like WINMM.dll that communicate with C2 domains such as api.solveblemten[.]com. The malware implements control flow flattening to hinder analysis.
Defensive Recommendations
Organizations should prioritize monitoring for DLL sideloading patterns and anomalous PowerShell execution chains. Network segmentation between OT and IT environments is critical, particularly for telecommunications providers. Credential rotation is advised for any systems where WMIC or PSEXEC usage is detected.
Threat hunting queries should focus on DEMODEX artifacts in Windows assembly paths and known file hashes like 2fd4a49338d79f4caee4a60024bcd5ecb5008f1d5219263655ef49c54d9acdec. Patching Ivanti and Fortinet vulnerabilities (CVE-2024-36401) remains essential for preventing initial access.
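The two hunting recommendations above (anomalous PowerShell execution chains and DEMODEX artifacts under the Windows assembly path) expressed as detection logic, added here as an example and not code from the original report or from Trend Micro or JSAC: it walks constructed Sysmon-style process-creation events, rebuilds each powershell.exe process's parent chain, and flags the PSEXEC -> cmd.exe -> powershell.exe -ex bypass pattern with a script staged under c:\windows\assembly\. The event field names (pid, ppid, image, cmdline) and the sample events are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell.exe -ex bypass c:\windows\assembly\onedrived.ps1 password@123"},
    {"pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ex bypass c:\windows\assembly\onedrived.ps1 password@123"},
    {"pid": 201, "ppid": 200,  # benign admin script launched from an unrelated parent
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

# PowerShell accepts unambiguous prefixes of -ExecutionPolicy, so the "-ex bypass" seen in the
# DEMODEX chain equals "-ExecutionPolicy Bypass"; match the common spellings of that flag.
EXEC_POLICY_BYPASS = re.compile(r"-(?:ex|ep|exec|executionpolicy)\s+bypass", re.IGNORECASE)
# DEMODEX stages its loader script under the Windows assembly directory.
ASSEMBLY_PATH = re.compile(r"\\windows\\assembly\\", re.IGNORECASE)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(event: dict, by_pid: dict) -> list:
    """Walk ppid links upward and return parent image names, nearest first."""
    chain, seen, ppid = [], set(), event["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(basename(by_pid[ppid]["image"]))
        ppid = by_pid[ppid]["ppid"]
    return chain


def hunt(events: list) -> list:
    # Return one finding per powershell.exe process that matches the DEMODEX launch pattern.
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        reasons, chain = [], ancestors(e, by_pid)
        if EXEC_POLICY_BYPASS.search(e["cmdline"]):
            reasons.append("execution policy bypass on command line")
        if ASSEMBLY_PATH.search(e["cmdline"]):
            reasons.append("script path under \\windows\\assembly\\")
        if "psexesvc.exe" in chain:  # PsExec's service-side process is the remote launcher
            reasons.append("ancestry via PsExec: " + " <- ".join(chain))
        if reasons:
            findings.append({"pid": e["pid"], "chain": chain, "reasons": reasons})
    return findings
```

Each reason is a separate signal, so a single match (for instance a legitimate -ep bypass in an admin script) yields a low-priority finding while the full chain yields all three.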
Strategic Implications
Earth Estries represents a mature Chinese cyber espionage operation with centralized tool development and long-term strategic objectives. Their reuse of infrastructure and tools across multiple campaigns suggests coordination with other APT groups. The group’s focus on telecommunications aligns with China’s strategic interests in global communications infrastructure.
Security teams should reference the full IOCs and YARA rules published by Trend Micro and JSAC for detection capabilities. Continued monitoring of Cloudflare Worker domains and SoftEther VPN endpoints is recommended for organizations in targeted sectors.