45 Previously Unreported Domains Expose Longstanding Salt Typhoon Cyber Espionage
Summary:
Threat hunters have uncovered 45 domains linked to Chinese cyber espionage activity, with registrations stretching back more than five years. The infrastructure, tied to Salt Typhoon and UNC4841, demonstrates that Chinese state-backed operators had been quietly maintaining resources well before the high-profile 2024 campaigns targeting U.S. telecommunications providers. The earliest domain was registered in May 2020 using a fake identity, underscoring the group’s reliance on fabricated personas to obscure attribution. Investigators found overlaps between Salt Typhoon and UNC4841, a group infamous for exploiting a critical flaw in Barracuda ESG appliances (CVE-2023-2868, CVSS 9.8), suggesting shared resources or coordination between distinct but aligned Chinese operations. Some of the newly identified domains were registered using Proton Mail accounts and pointed to both high-density and low-density IP addresses, with the latter showing activity as early as October 2021.
Security Officer Comments:
The research confirms that Salt Typhoon’s operations are part of a long-running espionage campaign, not isolated events, and highlights similarities with other MSS-linked clusters such as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807. Silent Push emphasized that the infrastructure has been leveraged over years in support of persistent targeting efforts, urging organizations to conduct historical DNS log audits going back five years to detect past or ongoing compromise attempts. The reuse of infrastructure and domain registrations spanning several years suggests that Salt Typhoon and UNC4841 maintain long-term operational continuity, consistent with Chinese MSS-linked espionage groups. The overlaps with clusters like Earth Estries and GhostEmperor further demonstrate Beijing’s broad and persistent cyber campaigns against telecoms and other strategic targets. The use of Proton Mail and fake personas for domain registration shows a deliberate attempt to mask attribution while sustaining operations over time. Organizations should recognize that even “older” infrastructure may still be relevant in ongoing or future campaigns.
Suggested Corrections:
- Audit DNS logs for the past five years for the identified domains, subdomains, and related IPs.
- Block and monitor traffic to domains associated with Salt Typhoon and UNC4841 infrastructure.
- Review Barracuda ESG appliances and ensure patches are applied for CVE-2023-2868, while monitoring for any lingering compromise indicators.
- Harden email defenses to detect suspicious attachments or domain spoofing attempts tied to Chinese APT groups.
- Implement continuous threat intelligence integration to track evolving overlaps between China-linked clusters and proactively update detection rules.
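The first correction above, a five-year historical DNS log audit, is easy to get wrong if the check is a plain substring search (missing subdomains, or matching unrelated names that merely contain the indicator). The script below is an added example, not code from Silent Push or The Hacker News: the log format, the watchlist domains and IPs, and the sample lines are all constructed placeholders, to be replaced with the indicators published in the Silent Push report.

```python
"""Historical DNS log audit against a domain/IP watchlist (constructed example)."""
from datetime import datetime, timedelta, timezone
import re

# Placeholder watchlist: swap in the Salt Typhoon / UNC4841 indicators from the report.
WATCH_DOMAINS = {"apt-placeholder-1.example", "apt-placeholder-2.example"}
WATCH_IPS = {"203.0.113.7", "198.51.100.22"}

# Constructed log line format: "<iso8601> client=<ip> query=<name> type=<rrtype> answer=<ip|->"
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) "
                    r"type=(?P<rrtype>\S+) answer=(?P<answer>\S+)$")

# Constructed sample log lines: domain+IP hit, IP-only hit, substring trap, stale record, case trap.
SAMPLE_LOG = [
    "2021-10-04T08:15:02Z client=10.0.0.5 query=mail.apt-placeholder-1.example. type=A answer=203.0.113.7",
    "2023-02-11T22:40:19Z client=10.0.0.9 query=update.corp.example type=A answer=198.51.100.22",
    "2024-06-30T01:02:03Z client=10.0.0.7 query=notapt-placeholder-1.example type=A answer=192.0.2.10",
    "2019-12-01T10:00:00Z client=10.0.0.3 query=apt-placeholder-2.example type=A answer=-",
    "2025-01-15T13:37:00Z client=10.0.0.8 query=APT-Placeholder-2.EXAMPLE type=AAAA answer=-",
]
NOW = datetime(2025, 9, 20, tzinfo=timezone.utc)  # fixed reference time for the lookback window

def normalize(name):
    """Lower-case and strip the trailing dot so FQDN spellings compare equal."""
    return name.rstrip(".").lower()

def domain_matches(qname, watch):
    """Return the watchlist entry that qname equals or is a subdomain of, else None.
    The '.'-prefixed suffix test rejects look-alikes such as notapt-placeholder-1.example."""
    q = normalize(qname)
    for d in sorted(watch):
        d = normalize(d)
        if q == d or q.endswith("." + d):
            return d
    return None

def audit_dns_logs(lines, watch_domains, watch_ips, now, lookback_days=5 * 365):
    """Return hits within the lookback window; each hit lists why it matched (domain and/or IP)."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production audit should count these
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if ts < cutoff:
            continue  # older than the audit window
        reasons = []
        d = domain_matches(m["qname"], watch_domains)
        if d:
            reasons.append("domain:" + d)
        if m["answer"] != "-" and m["answer"] in watch_ips:
            reasons.append("ip:" + m["answer"])  # resolution to a watched IP, even from an unlisted name
        if reasons:
            hits.append({"ts": ts.isoformat(), "client": m["client"],
                         "qname": normalize(m["qname"]), "reasons": reasons})
    return hits
```

Run against real resolver or Zeek/Bind logs by adapting LOG_RE and streaming the file; the client field in each hit is the host to triage.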
Link(s):
https://thehackernews.com/2025/09/45-previously-unreported-domains-expose.html
https://www.silentpush.com/blog/salt-typhoon-2025/