SALTY SPIDER is a cybercrime group identified in public reporting and in the Five Eyes joint advisory AA22-110A, “Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure.” The content states that SALTY SPIDER develops and operates the Sality botnet. It is described as a Russia-aligned cybercrime group and is listed alongside other Russia-aligned groups including The CoomingProject, Killnet, Mummy Spider, Scully Spider, Smokey Spider, Wizard Spider, and the Xaknet Team. The advisory states that such Russia-aligned cybercrime groups pose a threat to critical infrastructure organizations, and that some publicly pledged support for Russia after the February 2022 invasion of Ukraine and threatened cyberattacks against countries or entities that attack Russia or support Ukraine. No additional aliases, sub-groups, or specific tactics and techniques for SALTY SPIDER beyond operation of the Sality botnet are directly provided in the content.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
Attributed origin per open-source reporting.
2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named threat actor referenced in global threat reporting.
Russian cybercriminal group highlighted in the alert as part of the broader Russian cyber threat landscape.
Russian cybercrime group listed as posing a threat to foreign targets and critical infrastructure in the context of the Ukraine war.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.