DMZ//THREAT INTEL
HIGH #apt

Salt Typhoon Expands to 80+ Countries with New TernDoor/PeerTime/BruteEntry Implants; South American Telecoms Now Targeted

China-nexus APT Salt Typhoon has significantly expanded its operational footprint in 2026, introducing three new implant families — TernDoor, PeerTime, and BruteEntry — and extending intrusions beyond the original US/European telecom focus to encompass networks in South America, with confirmed compromises now spanning more than 80 countries across telecom, transportation, and government sectors. The group's telecom-focused intrusion methodology enables passive interception of communications at the infrastructure level, with average dwell times measured in months before detection; Singapore's Cyber Security Agency mounted Operation CYBER GUARDIAN in response to related UNC3886 telecom intrusions, deploying over 100 cyber defenders. Defenders operating in telecom environments should prioritize hunting for the new implant families and audit edge device integrity, as Salt Typhoon's persistent access to carrier infrastructure represents an ongoing signals intelligence collection capability with no confirmed full eviction from compromised networks.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.
