Threat Intelligence Tarot
Vol. II · 118
China
risk 4/5
The Threshold Walker
Liminal Panda
Telecom intrusion cluster
Mobile network operators · Telecom core infrastructure · South Asia · Southeast Asia · Africa
Active since ~2020 · Telecommunications espionage, Subscriber surveillance, Protocol-level intelligence
The Threshold Walker lives in the seams of the network — between operator and operator, between subscriber and signal. Mobile traffic is not encrypted to its eyes; it is merely staged.
Tactics & Techniques
  • T1133 External Remote Services (Initial Access)
  • T1078 Valid Accounts (Persistence)
  • T1110 Brute Force (Credential Access)
  • T1071.001 Web Protocols (Command and Control)
  • T1090 Proxy (Command and Control)
  • T1041 Exfiltration Over C2 Channel (Exfiltration)
Notable Operations
  • CrowdStrike public disclosure at Fal.Con 2024
  • SIGTRAN and GTP protocol abuse against mobile core networks
  • SIGBE, CordScan, and SIGTRANslator malware
  • Carrier-hopping pivots between operators in the same region
Defenses
  • SS7/Diameter/GTP firewalling at network boundary (GSMA FS.11)
  • Multi-factor authentication on all telecom administrative interfaces (NIST SP 800-63B)
  • Anomaly detection on SIGTRAN and GTP traffic (NIST CSF: DE.CM)
  • Telecom inter-operator threat intelligence sharing (GSMA T-ISAC)
Reversed: Their Weakness
Telecom protocol-level firewalls (Diameter, SS7, GTP filtering) and inter-operator anti-fraud collaboration close the seams this walker depends on.
Data sourced from MITRE ATT&CK. For educational purposes.