Threat analysts at Silent Push have identified dozens of previously unreported domains tied to Salt Typhoon, a Chinese state-backed advanced persistent threat (APT) group best known for its global espionage campaigns targeting telecoms and ISPs.
Silent Push notes that “Salt Typhoon is a Chinese threat actor believed to be operated by the PRC’s Ministry of State Security (MSS). This group has conducted numerous high-profile cyber-espionage campaigns against the United States, as well as against over 80 other countries across the world that are geopolitical competitors with China.”
The group, also tracked as GhostEmperor, FamousSparrow, Earth Estries, and UNC2286, rose to prominence during 2024 when it breached at least nine U.S. telecom companies and multiple international carriers. These intrusions provided access to sensitive metadata from more than a million U.S. mobile users and even systems used for lawful wiretapping.
Silent Push’s investigation uncovered 45 domains registered between 2020 and 2025, most of which had not been publicly linked to APT activity before. The research team explained: “Our team has identified key domain registration patterns in the publicly reported command and control (C2) infrastructure, which enabled us to discover additional domains that we assess, with high confidence, were set up for either Salt Typhoon or another closely related China-backed threat actor.”
Many of these domains were tied to ProtonMail addresses composed of gibberish strings, paired with fake registrant identities using U.S. names and non-existent addresses — a pattern Silent Push analysts highlight as deliberate obfuscation.
Silent Push also reported overlaps with UNC4841, another Chinese APT most infamous for exploiting the Barracuda Email Security Gateway zero-day in 2023. “UNC4841 shares overlapping technical infrastructure with Salt Typhoon, and appears to have similar government and corporate targeting, raising questions about additional connections between these Chinese APT groups.”
WHOIS and DNS records linked to UNC4841 showed similar registration tactics: ProtonMail accounts with random character strings, paired with false U.S. identities and addresses.
The Silent Push team emphasized the value of infrastructure analysis, noting that “APT groups are often unaware of how their infrastructure management patterns can be used to track them.” By examining WHOIS records, SOA records, and DNS pivots, they connected domains to campaigns using malware families such as Demodex rootkit, Snappybee, and Ghostspider backdoors.
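As an added illustration of the registration-pattern pivot described above (not Silent Push's tooling or data), the Python below scores parsed WHOIS registrant records for the reported combination: a Proton-hosted mailbox with a random-looking name paired with a U.S. registrant identity. The sample records, the entropy and vowel thresholds, and the list of Proton mail domains are constructed assumptions for the example.

```python
import math
import re

# Constructed sample registrant records (not real Silent Push data); the
# fields mirror what a parsed WHOIS/RDAP response typically exposes.
SAMPLE_RECORDS = [
    {"domain": "example-one.test", "email": "xq7vtrpzk@protonmail.com",
     "name": "John Miller", "country": "US", "street": "1234 Nowhere Rd"},
    {"domain": "example-two.test", "email": "press@example-two.test",
     "name": "Example Two Inc.", "country": "US", "street": "100 Main St"},
    {"domain": "example-three.test", "email": "kjwqzpvhx@proton.me",
     "name": "Mary Johnson", "country": "US", "street": "9999 Fake Ave"},
]

# Assumed set of Proton mail domains to treat as "ProtonMail" registrants.
PROTON_DOMAINS = {"protonmail.com", "proton.me", "protonmail.ch", "pm.me"}
VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits per character; random strings score higher than dictionary words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_random(local_part: str) -> bool:
    """Heuristic for 'gibberish' mailbox names: long, high-entropy, vowel-poor."""
    letters = re.sub(r"[^a-z]", "", local_part.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return shannon_entropy(local_part) > 2.8 and vowel_ratio < 0.2

def score_record(rec: dict) -> list:
    """Return the indicators matched by one registrant record."""
    hits = []
    local, _, mail_domain = rec["email"].lower().partition("@")
    if mail_domain in PROTON_DOMAINS:
        hits.append("protonmail-registrant")
        if looks_random(local):
            hits.append("random-mailbox-name")
        if rec.get("country") == "US":
            hits.append("us-identity-with-anonymous-mail")
    return hits

def flag_records(records: list) -> dict:
    """Domains whose registrant data matches the pattern, mapped to the reasons."""
    return {r["domain"]: h for r in records if (h := score_record(r))}
```

Each flagged domain is a pivot candidate for the SOA and DNS checks mentioned above, not an attribution on its own.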
Some domains even masqueraded as news outlets — for example, newhkdaily[.]com appeared to be a Hong Kong media site, raising questions about its role in propaganda or psychological operations.
The research highlights both Salt Typhoon’s persistence and its long-term planning. The earliest domains date back to May 2020, well before the widely reported 2024 intrusions, showing that the group has maintained a multi-year infrastructure strategy.