The Chinese state-sponsored hacker group known as Salt Typhoon has been targeting telecommunications companies in Southeast Asia with a previously unseen backdoor, according to researchers.

Salt Typhoon has been in the spotlight recently following a China-linked espionage campaign that compromised the networks of multiple U.S. telecom firms including Verizon, AT&T, Lumen Technologies and T-Mobile. The attackers reportedly accessed customer call record data, particularly targeting individuals involved in government or political activities.

In a report published Monday, cybersecurity firm Trend Micro detailed another campaign it attributed to Earth Estrie — the name they use to refer to Salt Typhoon — targeting the Southeast Asian telecom industry with a new backdoor called GhostSpider. The researchers noted that they weren’t able to directly link the campaign to the group’s recent attacks on U.S. telecom firms.

“Earth Estrie is a well-organized group with a clear division of labor,” Trend Micro stated in its report. “We speculate that attacks targeting different regions and industries are launched by distinct actors.”

Additionally, the infrastructure used in the attack suggests the group consists of various teams, “further highlighting the complexity of the group's operations,” the researchers added.

Salt Typhoon has successfully compromised over 20 organizations across various sectors, including telecom, technology, consulting, chemical and transportation industries in the U.S., Asia-Pacific, the Middle East and South Africa since 2023.

During a long-term espionage campaign against unnamed Southeast Asian telecom companies, the group deployed GhostSpider malware — a sophisticated, flexible, and adaptable multi-modular backdoor.

GhostSpider's modular design allows attackers to deploy or update different modules independently based on their needs, according to Trend Micro. This approach complicates detection and analysis, making it difficult for researchers to fully understand the malware’s functionality.

In addition to targeting the telecom industry, Salt Typhoon has also attacked state entities in Southeast Asia since August of this year. The hackers compromised Linux devices using the Masol remote access trojan, which has been in use since 2019 but has evolved over the years to target different operating systems.

According to Trend Micro, most of the victims in this campaign have been compromised for several years. “We believe that in the early stages, the attackers successfully obtained credentials and controlled target machines through web vulnerabilities,” researchers explained.

To gain initial access to victims’ devices, the group typically exploits flaws in public-facing servers. They then use legitimate tools or commands already present in the target system to move laterally within the network and deploy malware for long-term espionage.

Trend Micro described Salt Typhoon as “one of the most aggressive Chinese state hacker groups.”

Salt Typhoon’s campaign against the U.S. differed from that of another Chinese hacker group, Volt Typhoon, which recently embedded itself in critical infrastructure in ways that could potentially enable destructive actions.

However, Trend Micro noted that Salt Typhoon may share tools with other Chinese state-sponsored hackers, as their techniques and malware often overlap.