Salt Typhoon Linked to UNC4841 Through 45 Newly Discovered Domains

• Salt Typhoon domains: Today, previously unreported Salt Typhoon-attributed domains registered between 2020 through early 2025 were disclosed.
• In numbers: Dozens of domains were identified by Silent Push as used by the APT and associated Chinese state-backed threat actors.
• Overlaps discovered: The report mentions the discovery of infrastructural overlaps with another Chinese threat actor, UNC4841.

Silent Push threat analysts have identified dozens of previously unreported domains utilized by the Salt Typhoon APT group and associated Chinese state-backed threat actors. This discovery provides new insights into the infrastructure supporting sophisticated, long-term espionage campaigns targeting global telecommunications and other critical sectors.

Research Findings and Infrastructure Links

The Silent Push research uncovered a network of domains designed to facilitate stealthy, persistent access to targeted organizations. “We're exposing this data publicly now due to our belief that these are legacy fingerprints unlikely to show up again,” the report said.

The newly identified domains represent a significant threat, providing these advanced persistent threat actors with the tools for ongoing intelligence-gathering operations. By publishing these findings, Silent Push aims to enhance the collective understanding of Salt Typhoon's tactics, techniques, and procedures (TTPs).

The report uncovered 45 domains, many of which have not been linked to Salt Typhoon or any other Chinese threat actor. 

After removing the duplicates, three groups of domains remained, which had their own unique registrants and registrant addresses, with closer inspection suggesting that each of the three “personas” is almost certainly fake. 

One of the domains, newhkdaily[.]com, appears to be a Hong Kong newspaper, but researchers cannot know whether it is “an impersonation of a Hong Kong media source, a Psychological Operation (PSYOP) campaign, or simply a propaganda front.”

In 2024, Trend Micro also published a list of indicators in included command and control (C2) hostnames for three strains of malware used by Salt Typhoon: 

• the Demodex rootkit
• the Snappybee backdoor
• the Ghostspider backdoor.

The investigation also revealed infrastructural overlaps between Salt Typhoon and another Chinese threat actor tracked as UNC4841. This group is known for exploiting a critical UNC4841 Barracuda vulnerability to gain initial network access. 

A total of nine domains were linked to UNC4841, several of which have not been previously reported.

The connection between their operational infrastructures suggests a close relationship or shared resources among these state-sponsored entities, prompting Silent Push to expand its tracking efforts to include UNC4841.

Salt Typhoon, also referred to as GhostEmperor, FamousSparrow, Earth Estries, and UNC2286, is notorious for its attacks against telecommunications infrastructure and Internet Service Providers (ISPs), which previously enabled the group to access metadata on over a million U.S. mobile phone users and systems used for court-authorized wiretapping.

Silent Push Comments

Zach Edwards, Senior Threat Analyst at Silent Push, told TechNadu that this research into Salt Typhoon revealed domains registered as far back as May 2020 with “clear patterns in the WHOIS domain registration data.” These include: 

• very specific quasi-gibberish Proton Mail email addresses 
• random English names
• the inclusion of randomized, nonexistent U.S. addresses

“By enriching domains found within historic logs from an organization’s network and comparing a given domain’s WHOIS registration data to the patterns above, a reader can treat any matches as red flags from which to spur further the investigation for ties to Salt Typhoon and other Chinese APT groups,” Edwards added.

He also mentioned missed opportunities to potentially stop these attacks sooner, highlighted by the consistent mistakes a prolific Chinese APT threat group has been making in their domain registrations for roughly five years.  

Cybersecurity Implications and Collaborative Defense

Security researchers and network defenders are encouraged to query their telemetry and historical log data against the newly disclosed indicators of compromise (IOCs). 

“It’s imperative that companies under threat by APTs like Salt Typhoon coordinate with defenders who have access to the proper tools and datasets that can be used to fingerprint web infrastructure so that these networks of malicious domains and IP addresses can be flagged before they are used in additional attacks,” Edwards recommended.

Silent Push researchers also encourage law enforcement and affected organizations to “share as many details about important attacks with the public and especially security companies.”

In July, TechNadu reported that investigators confirmed Salt Typhoon had infiltrated a U.S. state’s Army National Guard network from March 2024 to December 2024.