

UPDATE 08/05/2025: Over the past year, Salt Typhoon operations have prominently featured the exploitation of vulnerabilities in Cisco's IOS XE software, notably CVE-2023-20198 and CVE-2023-20273, to gain unauthorized access to network devices. These attacks have compromised a number of entities, including major telecommunications providers in the United States, Canada, and South Africa; in early 2025, for instance, the group breached the satellite communications firm Viasat. Beyond exploiting known vulnerabilities, Salt Typhoon also has a history of deploying trojanized payloads that download additional tools, exfiltrate data, or execute remote commands on a victim's system. Observed techniques also include the capture and exfiltration of sensitive credentials, session tokens, and information about the victim or the victim's system. With these tactics, the attackers move laterally across networks and leverage existing network tools and protocols to conduct malicious activity without triggering security alarms. The group's strategic focus on telecommunications infrastructure enables extensive intelligence collection, including the interception of communications and the monitoring of law enforcement activities, posing significant risks to national security.
Salt Typhoon is an APT threat actor that most recently and publicly breached the systems of major United States-based telecommunication providers (specifically ISPs) in September/October of 2023; the networks affected by the breach included Verizon Communications, AT&T, and Lumen Technologies. Considered an extremely damaging cyber espionage campaign, the threat actors claimed to have been entrenched in these systems for 'months'. The intrusion gave the attackers access to proprietary intelligence and law enforcement data by exploiting the systems used for what is understood to be lawful wiretapping. Salt Typhoon (also known as GhostEmperor, Famous Sparrow, or UNC2286) has been active since 2020 and is operated by the Chinese Government to conduct cyber espionage campaigns against targets in North America, Southeast Asia, and Europe. It is also worth noting that the industries the threat actor has been observed attacking include telecommunications, government, and information technology.
Given the evolving cyber threat from China-based entities, this highly damaging attack on U.S. wiretap systems by Salt Typhoon, and the likely impending release of the tactics, techniques, and procedures involved in the intrusion, it is important to ascertain and keep track of any information involving this threat group as more data is released.
TITAN References:
TITAN Spot Report: September 26, 2024
TITAN Spot Report: October 5, 2024
TITAN Intelligence Bulletin: July 3, 2025
TITAN Finished Intelligence Report: July 23, 2025