U.S. Naval Shipyards Face Persistent Multi-Vector Cyber Threats
The United States maintains a network of naval shipyards that build, repair, and overhaul the warships and submarines underpinning global power projection: Pearl Harbor Naval Shipyard and Intermediate Maintenance Facility (PHNSY&IMF) in Hawaii; Puget Sound Naval Shipyard (PSNS) in Bremerton, Washington; Norfolk Naval Shipyard (NNSY) in Portsmouth, Virginia; Portsmouth Naval Shipyard in Kittery, Maine; Fleet Readiness Center Southwest (FRCSW) and the Ship Repair Facility at Yokosuka, Japan. Each of these yards handles classified repair schedules, vessel readiness data, and in several cases nuclear propulsion maintenance records. Together, they form one of the most valuable intelligence target sets on the planet.
Maritime cyber incidents surged 103% in 2025 compared to the prior year, with DDoS, ransomware, and malware infections accounting for the majority of attacks [1]. Threat actors, including those linked to Chinese state-sponsored groups, are compromising subcontractors to pivot into main shipyard networks [1]. State-sponsored actors tied to China's Ministry of State Security (MSS) are behind the most sophisticated campaigns. At least three distinct Chinese cyber operations are well-positioned to target these facilities: APT40, Salt Typhoon, and Volt Typhoon. Each serves a different strategic function. Together they represent a layered threat to IT, OT, and supply chain environments across every yard in the fleet.
The Shipyard Target Set
West Coast and Pacific facilities carry outsized risk. PHNSY&IMF is a critical U.S. Navy dry dock facility capable of servicing nuclear submarines in the Pacific. It sits on Oahu's isolated electrical grid, sharing civilian power infrastructure with no redundant interconnect to the mainland. Puget Sound Naval Shipyard, the largest fleet maintenance complex on the West Coast, handles nuclear aircraft carrier and submarine refueling overhauls. Both yards are geographically exposed to disruption campaigns targeting Hawaii and Pacific Northwest critical infrastructure.
On the East Coast, Norfolk Naval Shipyard and Portsmouth Naval Shipyard perform the bulk of submarine depot-level maintenance. Norfolk's proximity to Naval Station Norfolk, the world's largest naval base, makes it a high-value target for intelligence collection on carrier strike group readiness. Overseas, the Ship Repair Facility at Yokosuka, Japan, and maintenance detachments at Guam are forward-deployed targets. In 2023, Volt Typhoon accessed rail signaling and port operations in Guam [6], demonstrating that forward bases are already in the crosshairs.
These shipyards share common supply chain dependencies: subcontractors for specialized welding, pipe fitting, electronics calibration, and software maintenance. The 2025 maritime cyber data confirms that attackers first compromise relatively vulnerable subcontractors to pivot into main shipyard networks [1]. A breach at a single subcontractor serving multiple yards could provide lateral access to classified maintenance systems across the enterprise.
APT40 (Leviathan): The Maritime Specialist
APT40, also tracked as Leviathan, is the most directly relevant threat actor. This group has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe. Active since at least 2014, APT40 is operated by the MSS Hainan State Security Department and has been linked to the Hainan Xiandun Technology Development Company front.
APT40's target list aligns precisely with the shipyard ecosystem: defense, government, maritime research, and naval contracting organizations. Their likely collection priorities include submarine maintenance schedules, repair timelines for specific vessel classes, and readiness data that would inform PLA Navy force planning. This intelligence has direct operational value. Knowing which submarines are in drydock at Puget Sound or undergoing reactor servicing at Pearl Harbor tells Chinese planners which boats are unavailable for deployment during a crisis window.
Salt Typhoon: Persistent Telecommunications Compromise
Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is a critical threat to the communications backbone that connects shipyard personnel, contractors, and Navy command elements [2]. The FBI confirmed in February 2026 that Salt Typhoon threats remain active and ongoing [3].
The scale of compromise is significant. By August 2025, Salt Typhoon had compromised more than 200 organizations across 80 countries [3]. Nine U.S. telecom companies fell victim, including AT&T, Verizon, and T-Mobile [16]. Norway and Singapore confirmed all four of their national telecoms were breached [3]. Norwegian security agencies warned in 2026 of Salt Typhoon activity focused on breaching critical infrastructure and telecommunications networks [4]. CISA has confirmed overlap between Salt Typhoon activity and clusters tracked as OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, all exploiting publicly known CVEs and compromised routing equipment [11].
Salt Typhoon's toolkit is built for persistence. The group uses GhostSpider, a multi-modular backdoor communicating over encrypted TLS channels with C2 servers [12][13]. Additional tools include SnappyBee (a modular backdoor shared among Chinese APT groups), Masol RAT (a cross-platform backdoor targeting Linux systems), JumbledPath (custom malware for network traversal), and the Demodex Windows kernel-mode rootkit for persistent remote control [16][12]. The group targets telecommunications, government, technology, defense contractors, transportation providers, and chemical manufacturers [3].
Salt Typhoon's relevance to naval shipyards is indirect but critical. By compromising the telecommunications infrastructure that shipyard workers, Navy officials, and contractors rely on daily, this group can intercept communications, map organizational relationships, harvest metadata, and identify high-value individuals. Salt Typhoon has targeted Internet Service Providers specifically to gather sensitive metadata and wiretap data [5]. In early 2024, Salt Typhoon exploited vulnerabilities in telecom infrastructure to proxy malicious traffic, obscure C2 operations, and stage within major U.S. telecom providers [6].
Volt Typhoon: Pre-Positioned for Destructive Action
Volt Typhoon represents the most alarming strategic threat to shipyard operations. This Chinese campaign was discovered embedded in U.S. water treatment facilities, power grids, communications networks, and transportation systems [9]. CISA and partner agencies observed Volt Typhoon maintaining access and footholds within some victim IT environments for at least five years [9].
The group's hallmark is living-off-the-land (LOTL) techniques, using legitimate system tools rather than custom malware to avoid detection [9][5]. Volt Typhoon focuses on U.S. communications infrastructure and has targeted the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors [9]. Intelligence indicates Chinese state-sponsored threat actors are preparing destructive cyberattacks during a future U.S.-China conflict [6].
Researchers warned in February 2026 that Volt Typhoon remains embedded in U.S. utilities [10]. Many water sector utilities will likely never reach the sophistication level needed to find and remove Volt Typhoon compromises [10]. The SYLVANITE access broker group has been observed handing off access to Volt Typhoon for further activity [10]. As one researcher stated, "we're going to have to live with the reality that a portion of our infrastructure is currently compromised and will remain compromised at the current trajectory of the community" [10].
This matters directly for shipyards. Hawaii's isolated electrical grid means PHNSY depends on the same power infrastructure serving civilian Oahu. Puget Sound Naval Shipyard draws from Pacific Northwest power grids. Norfolk relies on the Virginia electrical grid. A sustained power disruption to drydock operations during a critical submarine reactor servicing period doesn't require breaching the shipyard network itself. Volt Typhoon's documented presence in U.S. power grids [9][10] means shipyard operational capability can be held at risk from the outside.
The Expanding Chinese APT Constellation
Beyond the three primary groups, additional Chinese nexus actors are expanding the threat surface. Phantom Taurus, a newly identified Chinese APT, focuses on ministries of foreign affairs, embassies, geopolitical events, and military operations [8]. The group shares operational infrastructure with Iron Taurus, Starchy Taurus, and Stately Taurus [8]. UAT-8837, a China-nexus actor, has been targeting North American critical infrastructure organizations since 2025, using open-source tools to harvest credentials and Active Directory information [14]. Flax Typhoon leverages IoT devices for network access and botnet creation [5], a concern for the growing number of IoT-connected industrial systems in modern shipyards.
This constellation of actors creates a problem that is greater than the sum of its parts. Different groups collect different intelligence, compromise different infrastructure layers, and hand off access to one another. The SYLVANITE-to-Volt Typhoon handoff pattern [10] shows this coordination in practice.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Malware | GhostSpider | Multi-modular backdoor using TLS-secured C2, used by Salt Typhoon/Earth Estries | [12] |
| Malware | SnappyBee | Modular backdoor shared among Chinese APT groups | [12] |
| Malware | MASOL RAT | Cross-platform backdoor targeting Linux systems | [12] |
| Malware | JumbledPath | Custom malware used by Salt Typhoon | [16] |
| Malware | Demodex | Windows kernel-mode rootkit for persistence | [16] |
| Malware | TernDoor | Backdoor variant of CrowDoor, developed since November 2024 | [15] |
| Malware | PeerTime | ELF-based backdoor compiled for ARM, AARCH, PPC, MIPS architectures | [15] |
| Malware | NET-STAR | Custom tool in Phantom Taurus arsenal | [8] |
| Malware | Earthworm | Tool to expose internal endpoints to attacker remote infrastructure | [14] |
| Malware | SharpHound | Active Directory enumeration tool used by UAT-8837 | [14] |
| IP | 141.255.164.98:2096 | GHOSTSPIDER C2 server, active August 2024 | [12] |
| IP | 23.81.41.166 | C2 server targeting Taiwanese government and chemical companies | [12] |
| IP | 27.102.113.240 | IP linked to Chinese APT infrastructure | [13] |
| IP | 154.223.135.214 | IP associated with APT infrastructure | [13] |
| IP | 107.148.165.158 | IP linked to malicious activity | [13] |
| IP | 212.11.64.105 | Server hosting DLL-based loaders and PeerTime malware | [15] |
| Domain | palloaltonetworks.com | Certificate alternative name in GHOSTSPIDER C2 infrastructure | [12] |
| Domain | newlylab.com | C2 domain used by Chinese APT infrastructure | [13] |
| Domain | reclubpress.com | C2 domain in APT command and control | [13] |
| Domain | webdignusdata.com | C2 domain for malicious communications | [13] |
| Domain | freedecrease.com | C2 domain in APT operations | [13] |
| Domain | telcom.grishamarkovgf8936.workers.dev | Cloudflare Workers domain masking C2 communications | [13] |
| Filename | mycap.pcap | Packet capture naming convention used by Chinese APTs | [11] |
| Filename | tac.pcap | TACACS+ authentication packet capture file | [11] |
| Filename | BugSplatRc64.dll | DLL-based loader used by UAT-9244 | [15] |
| Filename | WSPrint.dll | Encoded payload decoded using key 'qwiozpVngruhg123' | [15] |
MITRE ATT&CK Mapping
| Technique ID | Technique Name | Relevance |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Salt Typhoon targets VPN appliances, firewalls, routers [3] |
| T1078 | Valid Accounts | Volt Typhoon LOTL techniques use legitimate credentials [9] |
| T1040 | Network Sniffing | Chinese APTs capture network traffic using pcap files [11] |
| T1071 | Application Layer Protocol | GhostSpider uses TLS-encrypted C2 channels [12][13] |
| T1572 | Protocol Tunneling | Salt Typhoon proxies malicious traffic through telecom infrastructure [6] |
| T1036 | Masquerading | Fake media file headers, typosquatted certificate names [13][12] |
| T1547 | Boot or Logon Autostart Execution | Demodex rootkit maintains kernel-level persistence [16] |
| T1059.001 | PowerShell | Used in initial access and lateral movement stages [7] |
| T1055 | Process Injection | Malware deployment across compromised environments |
| T1556 | Modify Authentication Process | Router modifications for persistent access [11] |
| T1070 | Indicator Removal | LOTL techniques minimize forensic artifacts [9] |
| T1018 | Remote System Discovery | SharpHound AD enumeration by UAT-8837 [14] |
| T1027 | Obfuscated Files or Information | Encoded payloads with custom decryption keys [15] |
Detection and Hunting Guidance
Network-level indicators: Monitor for unusual PCAP file creation on routers and network equipment. CISA observed Chinese APT actors using naming conventions like mycap.pcap, tac.pcap, and 1.pcap on compromised routing infrastructure [11]. Alert on any packet capture file creation on production network devices.
Telecom-adjacent monitoring: Organizations that share telecommunications providers with naval installations should monitor for anomalous traffic patterns. Salt Typhoon relies on known vulnerabilities in VPN appliances, firewalls, and routers [3]. Audit all network edge devices for unpatched CVEs, focusing on Cisco, Fortinet, and Ivanti products.
LOTL detection for Volt Typhoon: Standard signature-based detection won't find Volt Typhoon. Hunt for anomalous use of wmic, ntdsutil, netsh, and PowerShell in environments where those tools aren't part of normal operations. Correlate with unusual scheduled tasks and service installations. Baseline legitimate administrative activity first.
DNS and C2 hunting: Query DNS logs for the C2 domains listed above. Example SIEM query: index=dns query IN ("newlylab.com", "reclubpress.com", "webdignusdata.com", "freedecrease.com") OR query="*.grishamarkovgf8936.workers.dev". Also hunt for TLS connections to palloaltonetworks.com (note the typosquat: two L's instead of one) [12].
Supply chain monitoring: Track all remote access connections from subcontractor networks. The 2025 maritime data confirms subcontractor compromise as a primary pivot method [1]. Require MFA and network segmentation for all third-party access. Log and alert on any new service accounts created by external entities.
File-based indicators: Hunt for the presence of BugSplatRc64.dll and WSPrint.dll in environments, particularly where BugSplat crash reporting isn't legitimately deployed [15]. Monitor for Earthworm tunneling tool execution and SharpHound deployment in Active Directory environments [14].
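The DNS, router-syslog and file-name indicators described in this section can be swept in a single pass. The following Python is an added example and is not part of the original report or of any referenced vendor's tooling: the IOC values are the ones listed in this report, while the "ts source k=v" log line format and the sample lines are constructed for illustration. The domain check matches on label boundaries (so a lookalike such as notnewlylab.com is not a hit, but a subdomain of a listed C2 domain is) and any subdomain of the Workers suffix, and it separates the typosquatted certificate name from the real vendor domain.

```python
import re

# IOCs from the report above: C2 domains, the typosquatted certificate name,
# router packet-capture names and the UAT-9244 loader DLLs.
C2_DOMAINS = {"newlylab.com", "reclubpress.com", "webdignusdata.com", "freedecrease.com"}
C2_WILDCARD_SUFFIXES = {"grishamarkovgf8936.workers.dev"}  # any subdomain is a hit
TYPOSQUAT_DOMAINS = {"palloaltonetworks.com"}  # two L's; the real vendor domain is not an IOC
PCAP_NAMES = {"mycap.pcap", "tac.pcap", "1.pcap"}
LOADER_DLLS = {"bugsplatrc64.dll", "wsprint.dll"}

# Constructed log format (not any real product's format): "<ts> <source> k=v k="v v" ...".
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PCAP_RE = re.compile(r"([\w.-]+\.pcap)\b", re.IGNORECASE)


def match_domain(qname):
    """Return the IOC matched by a queried name, or None.

    Matching is on label boundaries: 'notnewlylab.com' is not a hit while
    'cdn.newlylab.com' is; the Workers suffix matches any subdomain.
    """
    q = qname.lower().rstrip(".")
    for ioc in C2_DOMAINS | TYPOSQUAT_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    for suffix in C2_WILDCARD_SUFFIXES:
        if q == suffix or q.endswith("." + suffix):
            return "*." + suffix
    return None


def parse_line(line):
    """Split a constructed log line into timestamp, source and key=value fields."""
    parts = line.strip().split(maxsplit=2)
    if len(parts) < 3:
        return None
    ts, source, rest = parts
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"ts": ts, "source": source, **fields}


def classify(rec):
    """Map one parsed record to (category, ioc), or None when nothing matches."""
    src = rec["source"]
    if src == "dns" and "qname" in rec:
        ioc = match_domain(rec["qname"])
        if ioc:
            return ("typosquat_domain" if ioc in TYPOSQUAT_DOMAINS else "c2_domain"), ioc
    elif src == "syslog" and "msg" in rec:
        m = PCAP_RE.search(rec["msg"])
        if m:
            name = m.group(1).lower()
            # Any capture file on a production router is worth an alert; the
            # known APT naming convention gets its own, higher-priority category.
            return ("pcap_known_name", name) if name in PCAP_NAMES else ("pcap_created", name)
    elif src == "sysmon" and rec.get("event") == "11" and "target" in rec:
        base = rec["target"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in LOADER_DLLS:
            return "loader_dll", base
    return None


def sweep(lines):
    """Run every IOC check over a batch of log lines; returns the list of hits in order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        result = classify(rec)
        if result:
            category, ioc = result
            host = rec.get("host") or rec.get("client") or "?"
            hits.append({"ts": rec["ts"], "host": host, "category": category, "ioc": ioc})
    return hits


# Constructed sample lines covering true hits, near-misses and benign activity.
SAMPLE_LOGS = [
    "2026-02-14T10:01:02Z dns client=10.20.30.40 qname=cdn.newlylab.com qtype=A",
    "2026-02-14T10:01:03Z dns client=10.20.30.41 qname=notnewlylab.com qtype=A",
    "2026-02-14T10:01:04Z dns client=10.20.30.42 qname=telcom.grishamarkovgf8936.workers.dev qtype=A",
    "2026-02-14T10:01:05Z dns client=10.20.30.43 qname=paloaltonetworks.com qtype=A",
    "2026-02-14T10:01:06Z dns client=10.20.30.44 qname=palloaltonetworks.com qtype=A",
    '2026-02-14T10:05:11Z syslog host=edge-rtr1 msg="file created /bootflash/tac.pcap"',
    '2026-02-14T10:05:12Z syslog host=edge-rtr2 msg="file created /bootflash/file1.pcap"',
    "2026-02-14T10:07:00Z sysmon host=WS12 event=11 target=C:\\Users\\Public\\WSPrint.dll",
    '2026-02-14T10:07:01Z sysmon host=WS13 event=11 target="C:\\Program Files\\App\\report.dll"',
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(hit)
```

Running the block over the sample lines yields six hits: two C2 domain matches, the typosquat, the known pcap name, a generic pcap creation on a second router, and the loader DLL; the lookalike domain, the genuine vendor domain and the ordinary DLL produce nothing.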
Analysis
The convergence of APT40's maritime specialization, Salt Typhoon's telecommunications penetration, and Volt Typhoon's critical infrastructure pre-positioning creates a threat model where U.S. naval shipyards can be targeted from multiple vectors simultaneously. Direct network intrusion through subcontractor compromise is the most likely initial access path [1]. Communications interception through telecom provider compromise provides collection on personnel and operations without touching shipyard networks [3][16]. Infrastructure disruption through power grid and water system compromise can degrade shipyard operations from the outside [9][10].
The geographic distribution of U.S. shipyards does not provide resilience against this threat. It expands the attack surface. West Coast and Pacific yards are exposed through one set of utility providers and telecom carriers. East Coast yards are exposed through another. Overseas facilities at Yokosuka and Guam face their own regional threat environments, with Guam already demonstrated as a Volt Typhoon target [6].
The FBI's February 2026 confirmation that Salt Typhoon remains active [3], combined with researcher warnings that Volt Typhoon is still embedded in U.S. utilities [10], means the threat is current and persistent, not theoretical.
Red Sheep Assessment
Confidence: Moderate-High
The sources collectively point toward a Chinese strategy of comprehensive pre-positioning against U.S. naval maintenance capacity. This goes beyond traditional espionage. We assess with moderate confidence that the combination of APT40's maritime intelligence collection, Salt Typhoon's telecom penetration for metadata harvesting, and Volt Typhoon's persistent access to power and water infrastructure suggests preparation for a coordinated disruption capability. The SYLVANITE-to-Volt Typhoon access handoff pattern [10] indicates operational coordination between different Chinese cyber elements, not just parallel operations.
The subcontractor attack vector is the most underappreciated risk to shipyards. A single welding subcontractor or valve manufacturer serving PHNSY, Puget Sound, and Norfolk simultaneously creates a one-to-many compromise path. The 103% surge in maritime cyber incidents [1] may represent only a portion of total malicious activity.
A contrarian read: China may not intend to use destructive capabilities against shipyards during a conflict. The pre-positioning may serve primarily as a deterrent signal, a way to demonstrate capability and impose caution on U.S. decision-makers. But defenders can't plan around intent. They have to plan around capability. And the capability is real, persistent, and growing.
The most concerning gap is in the small and medium-sized utilities that power these facilities. Researchers have explicitly stated that many water sector utilities will never reach the sophistication to find and remove Volt Typhoon compromises [10]. Naval shipyards inheriting that exposure through shared infrastructure have limited ability to mitigate it unilaterally.
Defender's Checklist
- [ ] Audit all network edge devices (VPN appliances, firewalls, routers) for unpatched CVEs exploited by Salt Typhoon, prioritizing Cisco IOS XE, Fortinet FortiOS, and Ivanti Connect Secure. Cross-reference with CISA advisory AA25-239a [11].
- [ ] Hunt for PCAP file creation on all routing equipment using the query: index=syslog sourcetype=router_logs ("mycap.pcap" OR "tac.pcap" OR "1.pcap") [11].
- [ ] Map and segment all subcontractor remote access connections. Implement zero-trust network access for third-party vendors, with session recording and anomaly alerting on new service account creation [1].
- [ ] Conduct DNS/TLS hunting for Salt Typhoon C2 infrastructure, specifically the typosquatted domain palloaltonetworks.com and the C2 domains newlylab.com, reclubpress.com, webdignusdata.com, and freedecrease.com [12][13].
- [ ] Coordinate with local utility providers (power, water, telecom) to request Volt Typhoon threat briefings and validate that CISA's critical infrastructure guidance from AA24-038A has been implemented in their environments [9][10].
References
[1] https://safety4sea.com/maritime-cyber-incidents-jumped-103-in-2025/
[2] https://www.picussecurity.com/resource/blog/salt-typhoon-telecommunications-threat
[3] https://www.vectra.ai/resources/vectra-ai-threat-briefing-salt-typhoon
[4] https://maritime-executive.com/article/norway-flags-russian-cyber-espionage-campaign-on-maritime-infrastructure
[5] https://rhisac.org/threat-intelligence/four-chinese-apt-groups-target-critical-infrastructure-disruption/
[6] https://www.cyber.nj.gov/threat-landscape/nation-state-threat-analysis-reports/china-linked-cyber-operations-targeting-us-critical-infrastructure
[7] https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/
[8] https://unit42.paloaltonetworks.com/phantom-taurus/
[9] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
[10] https://therecord.media/researchers-warn-volt-typhoon-still-active-critical-infrastructure
[11] https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
[12] https://www.trendmicro.com/en_us/research/24/k/earth-estries.html
[13] https://medium.com/@manish0x/insights-into-a-sophisticated-chinese-apt-targeting-critical-infrastructure-547e8e72da31
[14] https://blog.talosintelligence.com/uat-8837/
[15] https://blog.talosintelligence.com/uat-9244/
[16] https://www.hackthebox.com/blog/salt-typhoon-apt-us-telecom-espionage-attack-analysis
---
Hunt Guide: Hunt Report: Chinese APT Maritime Infrastructure Campaign
Hypothesis: If APT40, Salt Typhoon, or Volt Typhoon actors are active in our environment, we expect to observe Demodex rootkit artifacts, connections to thetavaluemetrics.com, ShadowPad/VELVETSHELL malware deployment, and exploitation of CVE-2024-20399 or CVE-2020-1472 in Windows Security, Sysmon, DNS, and network flow logs.
Intelligence Summary: Three coordinated Chinese APT campaigns are targeting Pearl Harbor Naval Shipyard with APT40 conducting maritime espionage, Salt Typhoon compromising telecommunications infrastructure, and Volt Typhoon pre-positioning in critical infrastructure. Maritime cyber incidents surged 103% in 2025 with these groups deploying Demodex rootkits, ShadowPad backdoors, and exploiting Cisco infrastructure vulnerabilities.
Confidence: High | Priority: Critical
Scope
- Networks: All DoD networks with focus on maritime facilities, shipyard IT/OT systems, and defense contractor networks with naval contracts
- Timeframe: Initial sweep: 90 days retrospective. Ongoing: Real-time monitoring with daily aggregation
- Priority Systems: Domain controllers, Cisco Nexus switches in OT environments, contractor VPN endpoints, naval facility SCADA systems, submarine maintenance workstations
MITRE ATT&CK Techniques
T1014 — Rootkit (Defense Evasion) [P1]
Salt Typhoon deploys Demodex Windows kernel-mode rootkit for persistent access and defense evasion in compromised telecommunications infrastructure
Splunk SPL:
index=windows sourcetype=sysmon EventCode=6 | eval suspicious_driver=if(match(ImageLoaded, "(?i)(demodex|unknown|unsigned)"), 1, 0) | where suspicious_driver=1 OR NOT match(Signed, "true") | stats count by ComputerName, ImageLoaded, Signed, SignatureStatus | where count>0
Elastic KQL:
event.code:6 AND (process.pe.original_file_name:*demodex* OR winlog.event_data.Signed:"false" OR winlog.event_data.SignatureStatus:("Expired" OR "Invalid" OR "Unknown"))
Sigma Rule:
title: Demodex Rootkit Driver Load Detection
id: a7c3d773-caef-227e-a7e7-c2f13c622329
status: experimental
description: Detects potential Demodex rootkit driver loading events
references:
    - Internal Research
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 6
    filter_unsigned:
        Signed: 'false'
    filter_suspicious:
        ImageLoaded|contains:
            - 'demodex'
            - '\Temp\'
            - '\Users\Public\'
    condition: selection and (filter_unsigned or filter_suspicious)
falsepositives:
    - Legitimate unsigned drivers during development
level: high
Monitor for unsigned kernel drivers or drivers loaded from suspicious paths. Demodex specifically operates as kernel-mode rootkit. Whitelist known good drivers in production.
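The Sigma rule above fires on an unsigned driver or on a driver loaded from a suspicious path, and the note says to whitelist known-good drivers. The following Python is an added example, not part of the original hunt report, that applies the same logic to Sysmon Event ID 6 records and adds the allowlist the note calls for. The allowlist is keyed by path and pinned to a SHA256 taken from Sysmon's Hashes field, so a different binary dropped at an allowlisted path is still flagged; the allowlist entries, hashes and sample events are constructed. A signed driver loaded from \Temp\ or \Users\Public\, and a signed driver whose signature status is not Valid, remain alerts.

```python
# Path fragments and names the Sigma rule above treats as suspicious (lower-cased).
SUSPICIOUS_PATH_FRAGMENTS = ("\\temp\\", "\\users\\public\\")
ROOTKIT_NAME_FRAGMENTS = ("demodex",)

# Hypothetical allowlist of known-good drivers: lower-cased path -> pinned SHA256.
# The path and hash below are constructed placeholders, not real driver data.
ALLOWLIST = {
    "c:\\windows\\system32\\drivers\\inhouse_dev.sys": "aa" * 32,
}


def sha256_from_hashes(hashes_field):
    """Sysmon writes Hashes as 'SHA256=...,MD5=...'; return the SHA256 or None."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def triage_driver_load(event, allowlist=ALLOWLIST):
    """Score one Sysmon record. Returns (verdict, reasons).

    verdict is 'ignore' (not Event ID 6), 'benign', 'allow' (unsigned but
    path+hash pinned in the allowlist) or 'alert'.
    """
    if str(event.get("EventID")) != "6":
        return "ignore", []
    image = event.get("ImageLoaded", "").lower()
    signed = str(event.get("Signed", "")).lower() == "true"
    status = event.get("SignatureStatus", "")
    reasons = []
    if not signed or status != "Valid":
        reasons.append("unsigned_or_invalid_signature")
    if any(frag in image for frag in SUSPICIOUS_PATH_FRAGMENTS):
        reasons.append("suspicious_path")
    if any(frag in image for frag in ROOTKIT_NAME_FRAGMENTS):
        reasons.append("rootkit_name")
    if not reasons:
        return "benign", reasons
    # Only the "unsigned" reason can be allowlisted, and only when both the
    # path and the binary hash match the pinned entry.
    pinned = allowlist.get(image)
    if pinned and pinned == sha256_from_hashes(event.get("Hashes", "")) \
            and reasons == ["unsigned_or_invalid_signature"]:
        return "allow", reasons
    return "alert", reasons


def triage_batch(events):
    """Triage a list of events; returns (image, verdict, reasons) per event."""
    return [(e.get("ImageLoaded"), *triage_driver_load(e)) for e in events]


# Constructed Sysmon-style events: one benign load, an allowlisted unsigned dev
# driver, the same path with a different hash, a signed driver from a user-writable
# path, an expired signature, a rootkit-named driver in \Temp\, and a non-driver event.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\examplevendor.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Hashes": "SHA256=" + "11" * 32},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\inhouse_dev.sys",
     "Signed": "false", "SignatureStatus": "Unavailable", "Hashes": "SHA256=" + "aa" * 32},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\inhouse_dev.sys",
     "Signed": "false", "SignatureStatus": "Unavailable", "Hashes": "SHA256=" + "bb" * 32},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\netfilter.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Hashes": "SHA256=" + "cc" * 32},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\oldvendor.sys",
     "Signed": "true", "SignatureStatus": "Expired", "Hashes": "SHA256=" + "dd" * 32},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\demodex.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Hashes": "SHA256=" + "ee" * 32},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for image, verdict, reasons in triage_batch(SAMPLE_EVENTS):
        print(f"{verdict:7} {image} {reasons}")
```

Pinning the allowlist to a hash rather than a path alone matters because a path-only allowlist is exactly what a rootkit dropped under a trusted driver name would exploit; the third sample event shows that case producing an alert.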
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
APT41 exploits CVE-2024-20399 in Cisco Nexus switches to deploy VELVETSHELL backdoor in network infrastructure
Splunk SPL:
index=network sourcetype=cisco:ios | rex field=_raw "(?<exploit_attempt>(CVE-2024-20399|VELVETSHELL|nexus.*exploit|unauthorized.*config))" | where isnotnull(exploit_attempt) | stats count by src_ip, dest_ip, exploit_attempt, _time | where count>0
Elastic KQL:
event.dataset:"cisco.ios" AND (message:*CVE-2024-20399* OR message:*VELVETSHELL* OR (message:*nexus* AND message:*exploit*) OR message:*unauthorized*config*)
Sigma Rule:
title: Cisco Nexus CVE-2024-20399 Exploitation Attempt
id: b3c3d773-caef-227e-a7e7-c2f13c622329
status: experimental
description: Detects exploitation attempts against Cisco Nexus switches via CVE-2024-20399
logsource:
    product: cisco
    service: ios
detection:
    selection:
        message|contains:
            - 'CVE-2024-20399'
            - 'VELVETSHELL'
            - 'configuration changed'
            - 'unauthorized access'
    timeframe: 5m
    condition: selection | count() > 3
level: critical
Focus on Cisco Nexus switches in OT environments. Monitor for configuration changes and unusual access patterns. Patch CVE-2024-20399 immediately.
T1105 — Ingress Tool Transfer (Command and Control) [P2]
APT41 transfers ShadowPad and Cobalt Strike payloads after initial compromise of maritime targets
Splunk SPL:
index=windows sourcetype=sysmon EventCode=11 | eval suspicious_file=if(match(TargetFilename, "(?i)(shadowpad|cobaltstrike|beacon|3proxy|tinyshell)"), 1, 0) | where suspicious_file=1 OR (match(TargetFilename, "\.bin$|\.dat$|\.tmp$") AND FileCreateTime=_time) | stats count by ComputerName, TargetFilename, ProcessName, ProcessId
Elastic KQL:
event.code:11 AND (file.name:(*shadowpad* OR *cobaltstrike* OR *beacon* OR *3proxy* OR *tinyshell*) OR (file.extension:(bin OR dat OR tmp) AND file.created:>now-1h))
ShadowPad often uses .bin or .dat extensions. Monitor for file creations in temp directories and unusual process-to-file relationships.
T1068 — Exploitation for Privilege Escalation (Privilege Escalation) [P1]
RansomHub exploits CVE-2020-1472 (Zerologon) for domain privilege escalation before ransomware deployment
Splunk SPL:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4742 | eval zerologon_attempt=if(match(ComputerName, "DC") AND match(PasswordLastSet, "1601-01-01"), 1, 0) | where zerologon_attempt=1 | stats count by ComputerName, TargetUserName, _time
Elastic KQL:
event.code:4742 AND winlog.event_data.PasswordLastSet:"1601-01-01*" AND host.name:*DC*
Zerologon sets computer password to empty/null. Look for password changes to epoch time (1601-01-01). Critical priority for domain controllers.
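The queries above key on a computer account change (Event ID 4742) whose PasswordLastSet reads as the 1601-01-01 epoch on a domain controller. The following Python is an added example, not part of the original hunt report, that applies that check to exported event records. It normalises the several renderings Windows and SIEM exports use for the FILETIME zero value (ISO, US locale, fractional seconds) rather than matching one literal, and it rates the hit by whether the reset account is a domain controller's own machine account, using a DC inventory set instead of the substring match on "DC" in the SPL, which would also match hosts such as a print server named DCPRINT01. The DC inventory and sample events are constructed.

```python
import re

# FILETIME zero renders as 1 January 1601; exports format it in several ways,
# so normalise before comparing instead of matching a single string.
EPOCH_PATTERNS = (
    re.compile(r"^1601-01-01(?:[ T]00:00:00(?:\.0+)?Z?)?$"),
    re.compile(r"^1/1/1601(?: 12:00:00 AM)?$"),
)


def is_filetime_epoch(value):
    """True if a PasswordLastSet string is the 1601-01-01 epoch in any common rendering."""
    v = str(value).strip()
    return any(p.match(v) for p in EPOCH_PATTERNS)


def detect_zerologon(events, dc_inventory):
    """Flag Event ID 4742 records whose PasswordLastSet was reset to the epoch.

    dc_inventory is the set of domain controller hostnames (upper-case, no DNS
    suffix). Severity is 'critical' when the reset account is a DC's own machine
    account, 'medium' for any other computer account, which is still anomalous.
    """
    hits = []
    for e in events:
        if str(e.get("EventCode")) != "4742":
            continue
        if not is_filetime_epoch(e.get("PasswordLastSet", "")):
            continue
        # TargetUserName is the changed account, e.g. "DC01$"; strip the trailing $.
        target = e.get("TargetUserName", "").rstrip("$").split(".")[0].upper()
        hits.append({
            "time": e.get("_time"),
            "logged_on": e.get("ComputerName"),
            "account": e.get("TargetUserName"),
            "severity": "critical" if target in dc_inventory else "medium",
        })
    return hits


# Constructed inventory and events: a DC machine account reset to the epoch in
# US-locale format, a workstation account reset in ISO format, a routine DC
# password rotation, and an unrelated process-creation event.
DC_INVENTORY = {"DC01", "DC02"}
SAMPLE_EVENTS = [
    {"EventCode": 4742, "_time": "2026-02-14T09:10:00Z", "ComputerName": "DC01.corp.example",
     "TargetUserName": "DC01$", "PasswordLastSet": "1/1/1601 12:00:00 AM"},
    {"EventCode": 4742, "_time": "2026-02-14T09:11:00Z", "ComputerName": "DC02.corp.example",
     "TargetUserName": "WS-0042$", "PasswordLastSet": "1601-01-01T00:00:00Z"},
    {"EventCode": 4742, "_time": "2026-02-14T09:12:00Z", "ComputerName": "DC01.corp.example",
     "TargetUserName": "DC02$", "PasswordLastSet": "2026-02-14 09:12:00"},
    {"EventCode": 4688, "_time": "2026-02-14T09:13:00Z", "ComputerName": "DC01.corp.example",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in detect_zerologon(SAMPLE_EVENTS, DC_INVENTORY):
        print(hit)
```

The third sample event shows why the epoch check, not the 4742 event itself, carries the signal: domain controllers rotate their machine account passwords on a schedule and log 4742 routinely.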
T1562.001 — Impair Defenses: Disable or Modify Tools (Defense Evasion) [P1]
RansomHub deploys EDRKillShifter to terminate endpoint protection services before ransomware execution
Splunk SPL:
index=windows sourcetype=sysmon EventCode=1 | eval edr_killer=if(match(CommandLine, "(?i)(stop|disable|uninstall).*(defender|cylance|crowdstrike|sentinel|carbon|edr|av)"), 1, 0) | where edr_killer=1 OR match(Image, "(?i)edrkillshifter|data\.bin") | stats count by ComputerName, CommandLine, ParentImage, User
Elastic KQL:
event.code:1 AND (process.command_line:(*stop* OR *disable* OR *uninstall*) AND process.command_line:(*defender* OR *cylance* OR *crowdstrike* OR *sentinel* OR *carbon* OR *edr* OR *av*)) OR process.name:(*edrkillshifter* OR data.bin)
EDRKillShifter drops data.bin before execution. Monitor for service stops of security products and unsigned driver loads.
T1583 — Acquire Infrastructure (Resource Development) [P1]
Salt Typhoon registers domains like thetavaluemetrics.com for command and control infrastructure
Splunk SPL:
index=dns OR index=proxy | search query="*thetavaluemetrics.com*" OR dest_ip="74.91.125.57" | stats count by src_ip, query, dest_ip, _time | where count>0
Elastic KQL:
dns.question.name:*thetavaluemetrics.com* OR destination.ip:"74.91.125.57"
Direct IOC match for known Salt Typhoon infrastructure. Any connection is high confidence indicator of compromise.
T1219 — Remote Access Software (Command and Control) [P2]
Salt Typhoon deploys NetSupport RAT through spoofed verification pages for persistent remote access
Splunk SPL:
index=windows sourcetype=sysmon (EventCode=1 OR EventCode=3) | search process_name="*netsupport*" OR process_name="*client32.exe*" OR CommandLine="*NSM*" OR dest_port=5405 | stats count by ComputerName, process_name, dest_ip, dest_port
Elastic KQL:
(event.code:1 OR event.code:3) AND (process.name:*netsupport* OR process.name:*client32.exe* OR process.command_line:*NSM* OR destination.port:5405)
NetSupport is legitimate but commonly abused. Focus on unsigned versions and connections to non-corporate IPs.
T1091 — Replication Through Removable Media (Lateral Movement) [P2]
Maritime-focused APTs use USB-based infections to bridge air-gapped shipyard networks
Splunk SPL:
index=windows sourcetype=sysmon EventCode=1 | where match(CommandLine, "[A-Z]:\\") AND NOT match(CommandLine, "C:\\") | eval usb_exec=if(match(ParentImage, "explorer.exe") AND match(CommandLine, "(cmd|powershell|wscript|cscript)"), 1, 0) | where usb_exec=1 | stats count by ComputerName, CommandLine, CurrentDirectory
Elastic KQL:
event.code:1 AND process.command_line:/[D-Z]:\\.*/ AND process.parent.name:"explorer.exe" AND process.name:(cmd.exe OR powershell.exe OR wscript.exe OR cscript.exe)
Focus on executables launched from removable drives. Common in maritime/OT environments. Implement USB blocking policies.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | thetavaluemetrics.com | Salt Typhoon C2 domain used in telecommunications compromise campaign |
| ip | 74.91.125.57 | IP address associated with thetavaluemetrics.com Salt Typhoon infrastructure |
| filename | data.bin | Encrypted resource file dropped by RansomHub's EDRKillShifter before disabling security tools |
IOC Sweep Queries (Splunk):
index=* (dest="*thetavaluemetrics.com*" OR query="*thetavaluemetrics.com*" OR url="*thetavaluemetrics.com*") | stats count by index, sourcetype, src_ip, dest_ip | where count>0
index=* (dest_ip="74.91.125.57" OR src_ip="74.91.125.57") | stats count by index, sourcetype, src_ip, dest_ip, dest_port | where count>0
index=* (filename="data.bin" OR file="data.bin" OR TargetFilename="*data.bin") | stats count by index, sourcetype, host, file_path | where count>0
YARA Rules
VELVETSHELL_Backdoor — Detects VELVETSHELL backdoor combining TinyShell and 3proxy used by APT41
rule VELVETSHELL_Backdoor {
    meta:
        description = "Detects VELVETSHELL backdoor - hybrid of TinyShell and 3proxy"
        author = "Threat Hunt Team"
        date = "2026-04-07"
        reference = "APT41 Cisco Nexus targeting"
    strings:
        $tinyshell1 = "TinyShell" ascii wide
        $tinyshell2 = {54 69 6E 79 53 68 65 6C 6C}
        $proxy1 = "3proxy" ascii wide
        $proxy2 = {33 70 72 6F 78 79}
        $cisco1 = "cisco" nocase
        $cisco2 = "nexus" nocase
        $net1 = "bind" fullword
        $net2 = "listen" fullword
        $net3 = "SOCK_STREAM"
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (2 of ($tinyshell*) or 2 of ($proxy*)) and
        any of ($cisco*) and
        2 of ($net*)
}
Demodex_Rootkit — Detects Demodex Windows kernel-mode rootkit used by Salt Typhoon
rule Demodex_Rootkit {
    meta:
        description = "Detects Demodex kernel-mode rootkit used by Salt Typhoon"
        author = "Threat Hunt Team"
        date = "2026-04-07"
        reference = "Salt Typhoon telecommunications campaign"
    strings:
        $driver1 = {4D 5A 90 00 03 00 00 00} // MZ header
        $driver2 = "\\Device\\" wide
        $driver3 = "\\Driver\\" wide
        $rootkit1 = "ZwQuerySystemInformation" ascii
        $rootkit2 = "KeServiceDescriptorTable" ascii
        $rootkit3 = "ObRegisterCallbacks" ascii
        $demodex1 = "demodex" nocase
        $demodex2 = {64 65 6D 6F 64 65 78}
    condition:
        $driver1 at 0 and
        all of ($driver*) and
        2 of ($rootkit*) and
        any of ($demodex*)
}
EDRKillShifter_Ransomware — Detects EDRKillShifter tool used by RansomHub to disable endpoint protection
rule EDRKillShifter_Ransomware {
    meta:
        description = "Detects EDRKillShifter used to disable EDR before ransomware"
        author = "Threat Hunt Team"
        date = "2026-04-07"
        reference = "RansomHub ransomware campaigns"
    strings:
        $filename = "data.bin" fullword
        $edr1 = "CrowdStrike" nocase
        $edr2 = "Defender" nocase
        $edr3 = "Cylance" nocase
        $edr4 = "SentinelOne" nocase
        $kill1 = "TerminateProcess" ascii
        $kill2 = "NtTerminateProcess" ascii
        $kill3 = "ZwTerminateProcess" ascii
        $driver1 = "SeLoadDriverPrivilege" ascii
        $driver2 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" wide
    condition:
        uint16(0) == 0x5A4D and
        $filename and
        2 of ($edr*) and
        any of ($kill*) and
        any of ($driver*)
}
Suricata Rules
SID 2100001 — Detects DNS queries to Salt Typhoon C2 domain thetavaluemetrics.com
alert dns any any -> any any (msg:"ET TROJAN Salt Typhoon DNS Query to thetavaluemetrics.com"; dns.query; content:"thetavaluemetrics.com"; nocase; classtype:trojan-activity; sid:2100001; rev:1;)
SID 2100002 — Detects traffic to Salt Typhoon C2 IP 74.91.125.57
alert ip any any -> 74.91.125.57 any (msg:"ET TROJAN Salt Typhoon Traffic to Known C2 IP"; classtype:trojan-activity; reference:url,github.com/salt-typhoon-iocs; sid:2100002; rev:1;)
SID 2100003 — Detects potential VELVETSHELL backdoor traffic patterns
alert tcp any any -> any [22,23,443,8080,8443] (msg:"ET TROJAN Potential VELVETSHELL Backdoor Traffic"; flow:established,to_server; content:"User-Agent|3a 20|3proxy"; http_header; classtype:trojan-activity; sid:2100003; rev:1;)
SID 2100004 — Detects NetSupport RAT default port communication
alert tcp any any -> any 5405 (msg:"ET TROJAN NetSupport RAT Default Port Activity"; flow:established,to_server; classtype:trojan-activity; reference:url,darktrace.com/salt-typhoon; sid:2100004; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1014, T1105, T1562.001, T1219, T1091 | Required EventIDs: 1 (Process Create), 3 (Network Connection), 6 (Driver Load), 11 (File Create). Critical for rootkit and malware detection. |
| Windows Security | T1068, T1091 | EventIDs 4688 (Process Creation), 4663 (File Access), 4742 (Computer Account Change), 4697 (Service Install) |
| DNS Logs | T1583 | Full DNS query logging required. Focus on queries to thetavaluemetrics.com and unusual external domains. |
| Cisco IOS Logs | T1190 | Critical for detecting CVE-2024-20399 exploitation on Nexus switches. Enable detailed logging and configuration change alerts. |
| Network Flow Data | T1190, T1583, T1219 | NetFlow or similar for detecting C2 communications and lateral movement patterns |
Sources
- Maritime cyber incidents jumped 103% in 2025 - SAFETY4SEA
- Tactics, Techniques, and Procedures of Indicted APT40 Actors - CISA
- Cybersecurity in the Marine Transportation System - Federal Register
- We Aren't Clashing into a Cyber Pearl Harbor; but Sleepwalking into a Cyber Sarajevo - Stanford FSI
- Salt Typhoon - Wikipedia
- Cyber Threats Surge Against Maritime Industry in 2025 - Cyble
- Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide - CISA
- Salty Much: Darktrace's take on a recent Salt Typhoon intrusion
- APT41 compromised Taiwanese research institute with ShadowPad and Cobalt Strike - Talos Intelligence
- APT Quarterly Highlights Q3 2024 - CYFIRMA
- StopRansomware: RansomHub Ransomware - CISA
- RansomHub's Rise: RaaS Market Insights - Darktrace
- How RansomHub Uses EDRKillShifter - Trend Micro