SalineBreeze-1 — Tracking the Shadows
A deep-dive threat intelligence challenge dissecting two sophisticated nation-state actors: Salt Typhoon's network-device espionage toolkit and GhostEmperor's kernel-mode rootkit pipeline. Open-source intelligence, MITRE ATT&CK mapping, and malware taxonomy — all in one room.
Investigation Flow
SalineBreeze-1 is a pure threat intelligence room — no machines to hack, no exploits to run. Instead, the challenge tests your ability to correlate publicly available intelligence reports, identify attribution links between APT groups and their tooling, and map observed behaviors to the MITRE ATT&CK framework. The room is split into two halves: the first focuses on Salt Typhoon (a Chinese state-sponsored group targeting network infrastructure), and the second examines GhostEmperor (an actor leveraging kernel-level rootkits after initial access via ProxyLogon).
- MITRE ATT&CK page for Salt Typhoon (also catalogued as UNC2286)
- TrendMicro "Earth Estries" research blog
- Kaspersky Securelist: "GhostEmperor: From ProxyLogon to Kernel Mode"
- Picus Security CVE analysis for Salt Typhoon
Salt Typhoon — Nation-State Attribution
The first set of questions tasks us with identifying the basic profile of the threat actor known as "Salt Typhoon." This is a Chinese state-sponsored espionage group that has been active in the cyber threat landscape for several years. Their operations primarily target network infrastructure — routers, switches, and firewall appliances — making them a significant concern for telecommunications providers and enterprise network operators alike.
To confirm the country of origin, the MITRE ATT&CK page for this group explicitly lists China as the sponsoring nation. This attribution is backed by multiple intelligence agencies and security vendors who have tracked the group's infrastructure and operational patterns over time. The group's targeting of network devices is consistent with Chinese strategic intelligence priorities — gaining persistent access to data flowing through critical communications infrastructure.
The Country field in the group's profile on the MITRE site, together with corroborating CISA advisories, confirms the attribution. Multiple security vendors (Microsoft, Volexity, etc.) have independently assessed this group's origin with high confidence.
Salt Typhoon — Operational Timeline
Understanding when a threat actor first became active helps establish the scope and maturity of their operations. Salt Typhoon has been tracked since around 2019, according to the MITRE ATT&CK group profile and various threat intelligence reports. This relatively long operational history suggests a well-resourced, persistent group that has had time to develop and refine multiple custom malware families and operational tradecraft.
The 2019 start date aligns with the first observed campaigns targeting telecom and network infrastructure providers. While some earlier activity may have gone undetected, 2019 is the earliest confirmed year of operation reported by the security community. The group's longevity — operating for over five years without significant public exposure until recent advisories — speaks to their operational security discipline.
Salt Typhoon — Target Infrastructure
One of the distinguishing characteristics of Salt Typhoon compared to other Chinese APT groups is their primary target: network devices. While groups like APT41 or APT10 focus on enterprise endpoints and cloud services, Salt Typhoon specializes in compromising the network layer itself — routers, switches, firewalls, and other appliances that form the backbone of telecommunications and enterprise connectivity.
This targeting strategy is strategic: by compromising network devices, the group gains visibility into all traffic flowing through those devices, enabling large-scale surveillance and data collection without needing to compromise individual endpoints. It's a "listen at the pipe" approach rather than "hack each endpoint" — far more efficient for intelligence collection purposes. This is why their custom malware, such as JumbledPath, is specifically designed to function as a network sniffer on compromised Cisco devices.
Salt Typhoon — Custom Malware: JumbledPath
Salt Typhoon has been linked to several custom-built malware families throughout their operational history. One particularly notable piece of malware carries the MITRE software identifier S1206 and is known by the name JumbledPath. This is a Go-based implant specifically designed to target Linux-based network devices, and its capabilities include acting as a network sniffer on compromised Cisco infrastructure.
The choice of Go as the programming language is telling — Go binaries are statically compiled and cross-platform, making them easy to deploy across heterogeneous network device environments. Go's built-in concurrency primitives also make it well-suited for the kind of high-throughput packet capture and processing that a network sniffer requires. On Cisco devices specifically, JumbledPath operates as a passive traffic collector, silently gathering sensitive communications data without disrupting normal device operations — a hallmark of sophisticated espionage-focused malware.
| Attribute | Value |
|---|---|
| Malware Name | JumbledPath |
| MITRE Software ID | S1206 |
| Language | Go |
| Target OS | Linux |
| Primary Function (Cisco) | Network sniffer |
Salt Typhoon — MITRE ATT&CK Techniques
Mapping a threat actor's behavior to the MITRE ATT&CK framework is one of the most valuable outputs of threat intelligence analysis. It translates qualitative observations about adversary behavior into a structured, standardized taxonomy that defenders can use to prioritize detection and mitigation efforts. Salt Typhoon employs a range of techniques, but two stand out as particularly significant in their operational playbook.
The first technique is Indicator Removal: File Deletion — classified under T1070.002. This technique involves deleting logs and other forensic artifacts to cover tracks after an intrusion. Salt Typhoon systematically erases evidence of their activity on compromised network devices, making post-incident forensics significantly harder. On Linux-based network appliances, this often involves clearing /var/log entries and modifying syslog configurations to prevent recording of unauthorized access.
The second technique is Modify Registry — classified under T1112. While Salt Typhoon primarily targets Linux network devices, they also maintain persistence on Windows infrastructure they encounter during campaigns. Specifically, they modify the Windows Registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure their backdoor executables start automatically on boot. This is a classic persistence mechanism that provides survivability across reboots and user logouts, ensuring continuous access to compromised Windows hosts that serve as secondary infrastructure or lateral movement waypoints.
Monitoring the HKCU\...\CurrentVersion\Run registry key for unauthorized modifications is a well-established detection point. Any new entry in this key that points at an untrusted binary should trigger immediate investigation. Similarly, unexpected log deletion activity on network devices (a rapid decrease in log file sizes, gaps in syslog timestamps) should be flagged as potential anti-forensics behavior.
Salt Typhoon — CVE Exploitation & Backdoor
One of the key initial access vectors used by Salt Typhoon involves exploiting a known vulnerability in Sophos Firewall products. The vulnerability, catalogued as CVE-2022-3236, is a remote code execution flaw in the Sophos Firewall web administration interface that allows unauthenticated attackers to execute arbitrary code on the affected appliance. This CVE has been widely documented in security advisories and threat intelligence reports detailing Salt Typhoon's operations.
After gaining initial access through this vulnerability, the group deploys a custom backdoor known as Crowdoor. This backdoor maintains persistent access to compromised hosts and specifically leverages the Windows Registry for persistence — writing entries to the CurrentVersion\Run key to ensure it survives system reboots. The name "Crowdoor" is a play on "backdoor" combined with the group's branding, and its functionality includes command execution, file exfiltration, and lateral movement capabilities.
CVE-2022-3236 — Sophos Firewall RCE
Severity: Critical (CVSS 9.8)
Attack Vector: Network (unauthenticated)
Impact: Remote code execution on Sophos Firewall
Exploited by: Salt Typhoon (initial access)
Backdoor deployed: Crowdoor
Persistence: HKCU\...\CurrentVersion\Run registry key
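To make the Run-key detection point concrete for both the T1112 mapping and the Crowdoor persistence described above, here is an added example that is not from the room or any of the cited reports. It assumes Sysmon Event ID 13 (registry value set) records exported as JSON lines; the events, SIDs, paths and the "WinUpdate" value are all constructed, and the "trusted directory" heuristics are assumptions a real deployment would tune.

```python
"""Detection logic for Run-key persistence (T1112 / T1547.001) over Sysmon-style events."""
import json
import re

# Constructed sample: Sysmon Event ID 13 (registry value set) records as JSON lines.
# Sysmon reports HKCU paths as HKU\<user SID>\..., so the rule must not hard-code "HKCU".
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth", "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate", "Details": "\"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe\" -s"}
{"EventID": 13, "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\installer.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Cleanup", "Details": "C:\\Program Files\\Vendor\\cleanup.exe /quiet"}
"""

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices)\\([^\\]+)$", re.IGNORECASE)
# Locations an unprivileged user can write to; an autorun pointing there is a red flag (assumed heuristic).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")  # assumed trust boundary for the writing process

def extract_command_path(details):
    """Return the executable path from a Run value, dropping surrounding quotes and arguments."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)", details, re.IGNORECASE)
    return m.group(1) if m else details

def analyze_events(jsonl):
    """Return one finding per Run/RunOnce write; severity is 'high' when either heuristic fires."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 13:
            continue
        m = RUN_KEY_RE.search(ev["TargetObject"])
        if not m:
            continue  # registry write outside the autostart keys
        target = extract_command_path(ev["Details"]).lower()
        writer = ev["Image"].lower()
        reasons = []
        if any(marker in target for marker in USER_WRITABLE):
            reasons.append("autorun target lives in a user-writable directory")
        if not writer.startswith(SYSTEM_DIRS):
            reasons.append("value written by a process outside system directories")
        findings.append({
            "key": m.group(1), "value": m.group(2), "target": target, "writer": writer,
            "severity": "high" if reasons else "info", "reasons": reasons,
            "attack": ["T1112", "T1547.001"],
        })
    return findings
```

On a live estate the same rule would run over the SIEM's Sysmon feed; the Explorer write in the sample shows that the rule keys on the autostart path, not on every registry event.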
Salt Typhoon — Alternate Names & GhostSpider
A critical skill in threat intelligence is recognizing that the same threat actor may be tracked under different names by different security vendors. This happens because each vendor discovers and tracks the group independently, often through different campaigns, before the intelligence community correlates the activity to a single actor. Salt Typhoon is no exception — TrendMicro tracks this group under the alternate name Earth Estries, documented extensively in their research blog on the group's activities.
Beyond the alias question, TrendMicro's research also reveals another piece of malware in Salt Typhoon's arsenal: GhostSpider. This is a sophisticated multi-modular backdoor that communicates using custom protocols protected by TLS encryption. The modular architecture means the core implant can dynamically load additional capabilities as needed — a design pattern that makes the malware highly flexible and difficult to fully characterize, since different victims may observe different module combinations depending on the operator's objectives.
| Vendor | Group Name | Additional Malware |
|---|---|---|
| Microsoft / MITRE | Salt Typhoon | JumbledPath, Crowdoor |
| TrendMicro | Earth Estries | GhostSpider |
GhostEmperor — Demodex Kernel Rootkit
The second half of the challenge shifts focus to GhostEmperor, a threat actor extensively documented by Kaspersky in their Securelist report titled "GhostEmperor: From ProxyLogon to Kernel Mode." This group is notable for their use of kernel-mode rootkits — one of the most powerful and stealthy categories of malware — and their ability to chain ProxyLogon (a well-known Microsoft Exchange vulnerability) with deep system-level implants to create persistent, nearly undetectable footholds on compromised servers.
The centerpiece of GhostEmperor's toolkit is a kernel-mode rootkit called Demodex. The name itself is a clever reference — Demodex are microscopic mites that live in human hair follicles, largely undetected by their hosts. This biological metaphor perfectly captures the rootkit's design philosophy: live deep within the system, remain invisible to the host's defenses, and silently siphon data. Demodex is exactly 7 letters long, fitting the challenge question's constraint, and operates at the kernel level to intercept, modify, and conceal system operations.
The first stage of GhostEmperor's infection chain begins with a malicious PowerShell dropper. This dropper is typically delivered via the ProxyLogon exploit chain against Microsoft Exchange servers. Once executed, the PowerShell script downloads and executes subsequent stages of the malware, eventually loading the Demodex rootkit into kernel space. The use of PowerShell as the initial vector is strategic — it's a legitimate Windows component that's commonly used by administrators, making it less likely to trigger security alerts compared to standalone executables.
To protect the payload and configuration data within the dropper, GhostEmperor employs AES encryption. This symmetric encryption algorithm provides strong confidentiality for the embedded strings, C2 addresses, and secondary payloads. Unlike simple XOR obfuscation (which is trivially reversible), AES requires the correct key to decrypt, making static analysis significantly harder. Security researchers typically need to extract the key from the PowerShell script's logic before they can decrypt the actual payload.
One of Demodex's most sophisticated capabilities is its ability to hide services from the Windows Service Control Manager. It achieves this by intercepting a specific IOCTL code: 0x220300. When the Services MMC snap-in (services.msc) or the sc query command enumerates services, they issue this IOCTL to services.exe. Demodex's kernel driver hooks this IOCTL and filters out entries matching the malicious service, making it invisible to standard system administration tools. This is a remarkably clean technique — rather than modifying the service registry keys (which could be detected by file integrity monitoring), the rootkit intercepts the query at the kernel level before the results reach userspace.
| Attribute | Value |
|---|---|
| Rootkit Name | Demodex (7 letters) |
| Type | Kernel-mode rootkit |
| First Stage | Malicious PowerShell dropper |
| Encryption | AES |
| Service-Hiding IOCTL | 0x220300 |
| Initial Access Vector | ProxyLogon (Microsoft Exchange) |
| Target Process | services.exe |
The 0x220300 IOCTL interception is particularly insidious because it operates below the visibility of all userspace monitoring tools. Traditional endpoint detection and response (EDR) solutions that monitor service creation via ETW (Event Tracing for Windows) or registry key modifications may not catch this: the service exists in the registry, but queries to services.exe are silently filtered. Detection requires examining the kernel driver load order or using memory forensics tools that bypass the live OS's syscall layer entirely.
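Because the service still exists in the registry while the SCM's answer is filtered, one practical cross-check is to compare the two views. The following is an added example, not code from the Kaspersky report or the room: it assumes the registry side has been read from HKLM\SYSTEM\CurrentControlSet\Services (from an offline hive or a memory image, since a rootkit that filters service queries may also tamper with live registry reads) and the SCM side from `sc query` or Get-Service. All service entries and the "WmiSvcHelper" name are constructed.

```python
"""Cross-check registry service entries against what the SCM enumerates, to surface a Win32
service that exists under HKLM\\SYSTEM\\CurrentControlSet\\Services but is missing from the SCM's list."""

# Service Type flags as defined in the Windows SDK (winsvc.h / winnt.h).
SERVICE_KERNEL_DRIVER = 0x1
SERVICE_FILE_SYSTEM_DRIVER = 0x2
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_WIN32_SHARE_PROCESS = 0x20
SERVICE_INTERACTIVE_PROCESS = 0x100
WIN32_SERVICE_MASK = SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS

# Constructed sample of the registry view: {service name: values under its key}.
# "disk" is a kernel driver and "WinSock2" holds parameters only; neither is a Win32 service,
# so their absence from the SCM's service list is expected and must not be reported.
# "WmiSvcHelper" is a made-up entry standing in for a service hidden from the SCM query path.
REGISTRY_SAMPLE = {
    "Dhcp": {"Type": 0x20, "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted", "Start": 2},
    "Spooler": {"Type": 0x110, "ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "Start": 2},
    "disk": {"Type": 0x1, "ImagePath": r"System32\drivers\disk.sys", "Start": 0},
    "WinSock2": {},
    "WmiSvcHelper": {"Type": 0x10, "ImagePath": r"C:\Windows\Temp\wmihlp.exe", "Start": 2},
}
# Constructed sample of what `sc query type= service state= all` (or Get-Service) returned.
SCM_SAMPLE = ["Dhcp", "Spooler"]

def find_hidden_services(registry_services, scm_visible):
    """Return Win32 services present in the registry that the SCM did not enumerate."""
    visible = {name.lower() for name in scm_visible}  # service names are case-insensitive
    hidden = []
    for name, values in registry_services.items():
        svc_type = values.get("Type")
        if svc_type is None or not (svc_type & WIN32_SERVICE_MASK):
            continue  # driver or non-service key: the SCM service list would not show it anyway
        if name.lower() not in visible:
            hidden.append({"name": name, "type": hex(svc_type),
                           "image": values.get("ImagePath"), "attack": "T1014"})
    return hidden

if __name__ == "__main__":
    for entry in find_hidden_services(REGISTRY_SAMPLE, SCM_SAMPLE):
        print("registry-only Win32 service:", entry)
```

A hit here is a lead, not proof: a service removed between the two snapshots produces the same difference, so confirm against the driver load order or a memory image as the text describes.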
Intelligence Summary
This room demonstrates the critical importance of threat intelligence literacy in modern cybersecurity operations. By systematically researching two APT groups across multiple intelligence sources — vendor reports, MITRE ATT&CK, CVE databases, and security blogs — we've built comprehensive profiles of both Salt Typhoon and GhostEmperor. The key takeaway is that threat intelligence is not a passive discipline; it requires active correlation across sources, understanding of alias relationships, and the ability to map observed behaviors to structured frameworks like MITRE ATT&CK.