The Phaaaaaaaaantom of the Salt Typhoon is there, inside i-SOON

Daniel Schwalbe

BSidesSF 2026 · Day 1 · AMC Theatre 13

In this insightful talk, Daniel Schwalbe, Head of Investigations and CISO at DomainTools, unveils the intricate and evolving landscape of the Chinese state-sponsored threat actor, **Salt Typhoon**. Drawing heavily on the unprecedented 2024 **i-SOON GitHub leak** and extensive **Passive DNS** analysis, Schwalbe dissects the group's sophisticated operations, strategic objectives, and the burgeoning "industrialization" of state-backed cyber espionage through a contractor model. The presentation offers a critical look at how this threat actor targets vital infrastructure, particularly telecommunications and National Guard networks, and the innovative methods used by researchers to unmask their digital footprints.

AI review

Competent threat intel briefing that gets real mileage out of the i-SOON leak and Passive DNS pivoting, with some genuinely useful operational detail on Salt Typhoon's infrastructure patterns. Nothing here breaks new ground for anyone already tracking Chinese APT infrastructure, but it's honest research work rather than a vendor pitch dressed up as a talk.
