CISA, FBI, NSA and partners released a joint CSA detailing TTPs linked to China-aligned activity overlapping with the actor that industry tracks as Salt Typhoon (activity also reported as FamousSparrow, and associated with the SparrowDoor and ShadowPad malware families). AttackIQ updated its assessment templates and attack graphs to emulate these behaviors—covering execution, persistence, credential access, discovery, and C2—to help organizations validate controls against the SparrowDoor/ShadowPad campaigns. #SaltTyphoon #SparrowDoor #ShadowPad
Key points
- CISA, FBI, NSA and partners published a joint Cybersecurity Advisory describing TTPs associated with China-aligned activity overlapping with Salt Typhoon.
- Salt Typhoon (active since at least 2019) targets Telecommunications, Technology, and Government sectors across multiple regions.
- Industry vendors use different names for overlapping clusters (FamousSparrow, GhostEmperor, Earth Estries, UNC2286), and AttackIQ groups these under Salt Typhoon for emulation consistency.
- AttackIQ updated assessment templates and created a new attack graph to emulate SparrowDoor and ShadowPad campaigns, incorporating reports from Trend Micro, Talos, ESET, and the August 2025 CSA.
- Emulations cover techniques across Execution, Persistence, Defense Evasion, Credential Access, Discovery, and Command and Control—including DLL side-loading, process hollowing, registry hive dumping, and HTTP C2.
- Specific artifacts and samples are included in scenarios (e.g., SparrowDoor and ShadowPad loader SHA256 samples) to test network and endpoint controls.
- AttackIQ recommends additional scenarios (PAExec lateral movement, remote PowerShell execution, and command history clearing) to expand emulation coverage and validate detection/prevention pipelines.
MITRE Techniques
- [T1047] Create Process Through WMI – Executes a binary by creating a process using Windows Management Instrumentation (WMI). Quote: ‘This scenario executes a binary by creating a process using Windows Management Instrumentation (WMI).’
- [T1055.001] Code Injection via Load Library and Create Remote Thread – Injects a DLL into a process using CreateRemoteThread and LoadLibrary. Quote: ‘…performs the injection of a Dynamic-link Library (DLL) into a process utilizing CreateRemoteThread and LoadLibrary.’
- [T1218.011] Execute DLL Through RunDLL32 – Executes an exported function from a DLL using rundll32.exe. Quote: ‘…executes an exported function from a specific DLL using the rundll32.exe Windows utility.’
- [T1218.007] System Binary Proxy Execution using “msiexec.exe” – Uses msiexec.exe to remotely install an MSI package. Quote: ‘…executes msiexec.exe to remotely install an MSI package.’
- [T1136.001] Create Account – Attempts to create a new user with the net user command. Quote: ‘…attempts to create a new user into the system with the net user Windows command.’
- [T1543.003] New Service using “sc.exe” – Leverages sc.exe to create a new service and verify creation. Quote: ‘…leverages the native sc command line tool to create a new service and performs a query…’
- [T1053.005] Scheduled Task Execution – Emulates use of schtasks to execute a previously created task. Quote: ‘…emulates the use of the Windows utility schtasks to immediately execute a previously created task.’
- [T1564.001] Hidden Files and Directories Script – Uses attrib in a batch script to hide and then delete files to evade detection. Quote: ‘…executes a batch script to hide a file using the attrib command and subsequently deletes the hidden file.’
- [T1003.002] Dump SYSTEM/SAM/SECURITY Registry Hive via “reg save” – Saves copies of registry hives to temporary files using reg save to harvest credentials. Quote: ‘…attempts to save a copy of the HKLM\SYSTEM registry hive to a temporary file by executing the native Windows reg save command.’
- [T1087.002] Domain Administrator Accounts Discovery Via Net Command Script – Executes net group to list domain administrator accounts. Quote: ‘…executes net group command to list domain administrator accounts.’
- [T1033] Obtain Username using “whoami” Command – Runs whoami to get details of the running user. Quote: ‘…executes the native whoami command to receive details of the running user account.’
- [T1083] File and Directory Discovery Script – Uses dir or native APIs to enumerate files and directories. Quote: ‘…executes the native dir command to discover files and directories and output to a temporary file.’
- [T1049] Get Network Shares Information through Windows Command Line – Uses net use to retrieve network share information. Quote: ‘…executes the net use Windows Command to retrieve information about the system’s network shares.’
- [T1018] Scan for Remote Systems with SMB, RDP, or LDAP Ports Open – Scans local network for hosts with ports 139, 389, 445, 636, or 3389 open. Quote: ‘…performs a scan of the local network searching for any remotely accessible systems with ports 139, 389, 445, 636, or 3389 open.’
- [T1021.004] SSH Connection to AttackIQ Server – Initiates an SSH connection to an external server to exercise outbound traffic restrictions. Quote: ‘…initiates an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.’
- [T1140] Deobfuscate / Decode Files or Information Script – Uses certutil to decode base64 payloads. Quote: ‘…utilizes the legitimate certutil binary to decode a base64 encoded payload.’
- [T1105] Ingress Tool Transfer (downloaded samples) – Downloader behavior saving webshells and loaders to disk/memory (multiple SHA256 samples cited). Quote: ‘…downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls…’
- [T1106] Process Creation via “CreateProcessA” Native API – Uses CreateProcessA to spawn command shells and processes. Quote: ‘…executes the CreateProcessA Windows API call to create a new process…’
- [T1482] Enumerate Trusted Domains via nltest – Uses nltest /trusted_domains to obtain domain trust relationships. Quote: ‘…executes the command nltest /trusted_domains to obtain domain trust relationships.’
- [T1574.002] DLL Side-Loading – Loads a malicious DLL via a legitimate executable to run malicious code. Quote: ‘…leverages a legitimate and trusted executable to load a malicious Dynamic-link Library (DLL).’
- [T1569.002] Service Execution Using “StartServiceA” – Executes StartServiceA API to run services and potentially escalate privileges. Quote: ‘…executes the StartServiceA Windows API to simulate service execution…’
- [T1547.001] Persistence Through Registry Run and RunOnce Keys – Creates entries under Run keys for startup persistence. Quote: ‘…creates an entry under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key to be run at system startup…’
- [T1055.012] Process Hollowing – Creates a suspended process, unmaps memory, and replaces it with malicious content to hide execution. Quote: ‘…creates a process in a suspended state and unmaps its memory, which is then replaced with the contents of a malicious executable.’
- [T1033] Obtain Username using “whoami” Command (repeated) – Used in system fingerprinting to identify user context. Quote: ‘…executes the native whoami command to receive details of the running user account.’
- [T1057] Process Discovery Through Tasklist – Uses tasklist to enumerate running processes and save results. Quote: ‘…enumerates processes running on the target asset through the tasklist Windows utility.’
- [T1518.001] Discover Security Software using WMI (AntiVirusProduct) – Uses WMIC to detect installed AV products. Quote: ‘…uses a native Microsoft Windows Management Instrumentation Command (WMIC) to determine which software has been installed as an AntiVirusProduct class.’
- [T1120] Drive Type Discovery via “GetDriveTypeW” – Calls GetDriveTypeW to retrieve physical disk information. Quote: ‘…retrieves information about the system’s physical disks using the GetDriveTypeW Windows API call.’
- [T1083] File and Directory Discovery via Native APIs – Uses FindFirstFileW and FindNextFileW to enumerate file system. Quote: ‘…executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system.’
- [T1071.001] HTTP Communication – Uses HTTP over TCP port 80 for C2 to blend with normal traffic. Quote: ‘…establishes communication with its command-and-control (C2) server over HTTP (port 80).’
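Most of the scenarios above run native Windows tools with distinctive arguments, which is exactly what process-creation telemetry (Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing) captures. The following is an added example, not code from AttackIQ, CISA, or the advisory: it scores constructed process-creation events against command-line patterns for the living-off-the-land techniques listed here and reports only principals that trip several distinct techniques, so a lone admin running tasklist is not escalated while the reg save / net group / nltest / certutil / rundll32 chain is. The event records, the thresholds, and the regular expressions are all assumptions made for the example; tune them against your own baseline before using them as detection logic.

```python
import re
from collections import defaultdict

# Constructed process-creation events, loosely modelled on Windows 4688 fields.
# None of these are real telemetry from the advisory or from AttackIQ.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "cmdline": r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"},
    {"host": "WS01", "user": "jdoe", "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"host": "WS01", "user": "jdoe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "WS01", "user": "jdoe", "cmdline": "nltest /trusted_domains"},
    {"host": "WS01", "user": "jdoe", "cmdline": r"certutil -decode C:\Users\Public\p.txt C:\Users\Public\p.dll"},
    {"host": "WS01", "user": "jdoe", "cmdline": r"rundll32.exe C:\Users\Public\p.dll,Start"},
    # Benign-looking activity: a policy hive export (not a credential hive) and tasklist.
    {"host": "SRV02", "user": "svc_backup", "cmdline": r"reg save HKLM\SOFTWARE\Policies C:\backup\pol.hiv"},
    {"host": "SRV02", "user": "svc_backup", "cmdline": "tasklist /v"},
    {"host": "DC01", "user": "SYSTEM", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# (technique id, compiled pattern). The patterns are illustrative assumptions keyed to the
# scenario descriptions in the list above; they are not official MITRE or vendor signatures.
RULES = [
    ("T1003.002", re.compile(r'\breg(?:\.exe)?\s+save\s+"?HKLM\\(?:SYSTEM|SAM|SECURITY)\b', re.I)),
    ("T1140", re.compile(r"\bcertutil(?:\.exe)?\b.*\s-decode\b", re.I)),
    ("T1482", re.compile(r"\bnltest(?:\.exe)?\s+/trusted_domains\b", re.I)),
    ("T1087.002", re.compile(r'\bnet(?:1|\.exe)?\s+group\s+"?domain admins"?', re.I)),
    ("T1136.001", re.compile(r"\bnet(?:1|\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("T1543.003", re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I)),
    ("T1053.005", re.compile(r"\bschtasks(?:\.exe)?\s+/run\b", re.I)),
    ("T1518.001", re.compile(r"\bwmic(?:\.exe)?\b.*antivirusproduct", re.I)),
    ("T1218.011", re.compile(r"\brundll32(?:\.exe)?\s+\S+\.dll,", re.I)),
    ("T1218.007", re.compile(r"\bmsiexec(?:\.exe)?\b.*\s/i\s+https?://", re.I)),
    ("T1564.001", re.compile(r"\battrib(?:\.exe)?\s+.*\+h\b", re.I)),
    ("T1057", re.compile(r"\btasklist(?:\.exe)?\b", re.I)),
]


def match_techniques(cmdline):
    """Return the sorted technique IDs whose pattern matches one command line."""
    return sorted(tid for tid, pattern in RULES if pattern.search(cmdline))


def triage(events, threshold=3):
    """Aggregate hits per (host, user) and report principals that trip at least
    `threshold` distinct techniques. Clustering distinct techniques per principal is
    what separates the emulated chain from a single, individually benign admin command."""
    hits = defaultdict(set)
    for ev in events:
        for tid in match_techniques(ev["cmdline"]):
            hits[(ev["host"], ev["user"])].add(tid)
    return {key: sorted(tids) for key, tids in hits.items() if len(tids) >= threshold}


if __name__ == "__main__":
    for (host, user), tids in triage(SAMPLE_EVENTS).items():
        print(f"{host}\\{user}: {len(tids)} distinct techniques -> {', '.join(tids)}")
```

Run against the constructed sample, only WS01\jdoe is reported (five distinct techniques); SRV02's policy-hive export is deliberately not matched by the T1003.002 pattern, which is scoped to the SYSTEM, SAM and SECURITY hives the scenario dumps, and its lone tasklist stays under the threshold.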
Indicators of Compromise
- [File Hash] Known malicious samples referenced – d057034675befc1b4c2ae4132c4d169201c9abfbae79181185d45ca6721e43cc (DotNetNuke webshell), d53346b5c8c6c76e7bc0407410a58328a1e214a4d359e558380963d29a35f71b (SparrowDoor loader)
- [File Hash] Additional loader/backdoor samples – 90af57e976aea91030579b9761e5265251986b707550ca1b793191e2818bad92 (encrypted SparrowDoor), bdadcd2842ed7ba8a21df7910a0acc15f8b0ca9d0b91bebb49f09a906ae217e6 (ShadowPad loader)
- [File Name] Malware/artifact names used in emulation – DotNetNuke webshell, SparrowDoor loader, ShadowPad loader (used to test detection and endpoint/network controls)
- [Command / Tools] Native Windows utilities and commands observed – certutil (decoding), reg save (registry hive dumping), net use / net group / net user (account and share discovery), schtasks / sc.exe / StartServiceA (persistence and service control)
- [Network Indicator] C2 communication protocol and port – HTTP over TCP port 80 used by ShadowPad for command-and-control (example: HTTP C2 traffic simulation).
Read more: https://www.attackiq.com/2025/09/04/cisa-advisory-aa25-239a/