Silent Push Detects Salt Typhoon Infrastructure Months Before It Went Live, New IOFA™ Feeds Provide Customers With Early Detection Ahead of Operational Use


Back in June, Silent Push provided our enterprise customers with unpublished infrastructure related to the Chinese APT group Salt Typhoon, giving our customers the early visibility and historical reach-back they needed for both security and their own investigations. At the time, our team flagged the infrastructure due to low-density IP associations, technical fingerprints we are still unable to fully disclose, and operational patterns consistent with Salt Typhoon and other Chinese APT actors’ campaigns. 

Background: Also referred to as “GhostEmperor,” “FamousSparrow,” “Earth Estries,” and “UNC2286”, Salt Typhoon is a Chinese threat actor believed to be operated by the PRC’s Ministry of State Security (MSS). This group has conducted numerous high-profile cyber-espionage campaigns against the United States, as well as against over 80 other countries across the world that are geopolitical competitors with China.

Several months later, in October, Darktrace referenced Silent Push in its findings on initial access, confirming that the domain aar.gandhibludtric[.]com (38.54.63.75) was observed in active use as a Command-and-Control (C2) host for a compromised endpoint.

According to their report, Salt Typhoon leveraged LightNode VPS infrastructure, using both HTTP and a custom TCP protocol to communicate. The HTTP traffic consisted of POST requests carrying Internet Explorer user agents and URI patterns such as /17ABE7F017ABE7F0, consistent with known Salt Typhoon behavior.

The domain found by Darktrace, aar.gandhibludtric[.]com, was first seen by Silent Push resolving to 38.54.63.75 in early May 2025. This domain initially stood out to us as part of a cluster of novel setups indicating threat actor preparation. Our latest findings, and the commendable work by Darktrace, have only confirmed this. 

Domain                      Observation Timeframe       Related Low-Density IP Address
aar.gandhibludtric[.]com    2025-05-05 to 2025-06-05    38.54.63.75

We are now comfortable releasing our latest breakthrough to the public: 

New IOFA™ Feeds, available only to Silent Push Enterprise Customers, which provide ongoing, pre-emptive protection from Salt Typhoon and related Chinese APT threats! 

Please note: for operational security reasons, and to ensure the continued safety of our customers, we are unable to publicly release any further details related to these threats. We encourage telecoms and other organizations concerned about possible intrusion by Chinese APT groups to reach out to us as soon as possible. 

Why Telecoms Must Pay Attention

Salt Typhoon and related threat groups have a long history of targeting telecommunications and network operators, exploiting their position as gateways to vast volumes of sensitive data and traffic. Once inside a telecom network, attackers can intercept communications, move laterally across interconnected systems, and gain persistent access to downstream customers and infrastructure.

Telecom providers face unique challenges that make them attractive targets:

  • Interconnected infrastructure: A compromise in one regional hub can provide access to multiple networks and partners.
  • High data sensitivity: Subscriber metadata, location information, and signaling data are valuable to both espionage and financially motivated actors.
  • Critical uptime requirements: Disruption, even for a short period, can have cascading national or commercial impacts.
  • Complex vendor ecosystems: Threat actors often exploit third-party integrations, weak API controls, or overlooked test environments.

With the early visibility our IOFA™ feeds provide, telecom security teams could have detected and blocked domains like aar.gandhibludtric[.]com weeks to months before they were weaponized or appeared in public reporting. This type of proactive stance allows operators to:

  • Prevent malicious traffic from reaching internal networks.
  • Deploy targeted detections across DNS, proxy, and email gateways.
  • Share validated threat intelligence internally and with trusted partners to strengthen collective defense.
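As an added illustration of the proxy-gateway detection mentioned above, the script below matches the indicators published in this post (the C2 domain, its IP, and the /17ABE7F017ABE7F0 URI) and the Darktrace-described POST-plus-Internet-Explorer-user-agent pattern against constructed proxy log lines. It is example code written for this page, not Silent Push or Darktrace tooling; the log format, the sample lines, and the "repeated 8-character hex block" generalisation of the single published URI are assumptions.

```python
import re

# Indicators quoted in this post (the post defangs the domain with [.]).
C2_DOMAIN = "aar.gandhibludtric.com"
C2_IP = "38.54.63.75"
KNOWN_C2_URI = "/17ABE7F017ABE7F0"

# Assumption: generalise the one published URI to "a bare path of 16
# upper-case hex characters formed by one 8-character block repeated".
REPEATED_HEX_PATH = re.compile(r"^/([0-9A-F]{8})\1$")
# Internet Explorer user-agent markers.
IE_UA = re.compile(r"MSIE|Trident/", re.IGNORECASE)

# Constructed proxy log format (not from the post):
# <timestamp> <src_ip> <method> <host> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify(line):
    """Return the list of reasons a log line is suspicious.

    [] means parsed but clean; None means the line did not parse.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, _src, method, host, path, ua = m.groups()
    reasons = []
    if host in (C2_DOMAIN, C2_IP):
        reasons.append("known-c2-host")
    if path == KNOWN_C2_URI:
        reasons.append("known-c2-uri")
    elif method == "POST" and IE_UA.search(ua) and REPEATED_HEX_PATH.match(path):
        reasons.append("ie-ua-repeated-hex-uri")  # heuristic, see assumption
    return reasons


def scan(log_text):
    """Return (source_ip, reasons) for every flagged line in a log blob."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.append((line.split()[1], reasons))
    return hits


# Constructed sample lines: one benign, one known C2 beacon, one contact with
# the C2 IP, one heuristic-only hit, and one heuristic miss (non-IE agent).
SAMPLE_LOG = """\
2025-10-01T12:00:00Z 10.0.0.5 GET www.example.com /index.html "Mozilla/5.0 Chrome/118.0"
2025-10-01T12:00:05Z 10.0.0.7 POST aar.gandhibludtric.com /17ABE7F017ABE7F0 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2025-10-01T12:00:09Z 10.0.0.7 POST 38.54.63.75 /update "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2025-10-01T12:01:00Z 10.0.0.9 POST files.example.net /ABCDEF01ABCDEF01 "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0)"
2025-10-01T12:01:30Z 10.0.0.9 POST files.example.net /ABCDEF01ABCDEF01 "Mozilla/5.0 Chrome/118.0"
"""

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, ",".join(reasons))
```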

It bears repeating that our telemetry reveals new Salt Typhoon infrastructure, not yet reported elsewhere, on an ongoing basis. Telecom organizations using Silent Push would already have had the information they needed to act on these types of indicators, enabling faster and more informed decisions to protect their networks and customers.

Read our public technical deep dive on this topic from September, here, and if your organization could have used that information back in June, reach out to us here.

Continuing to Track Salt Typhoon and UNC4841

Silent Push will continue to track Salt Typhoon’s infrastructure and activity, adding any newly found domains and IP addresses to our Indicator of Future Attack (IOFA)™ feeds and sharing our technical findings and research with our customers. As noted earlier, we have shared as much information in this blog as we can at this time. 

Our enterprise clients have access to additional technical information and insights on Salt Typhoon, UNC4841, and other related Chinese threat actors, and can look forward to a new report on our latest successes in the coming days. 

If you or your organization has any information you would like to share about Salt Typhoon, UNC4841, or other Chinese-associated threat actor groups, we would love to hear from you.

See how teams enable preemptive cyber defense with Silent Push

Silent Push provides unmatched visibility into pre-operational threat actor activity. If you are responsible for defending telecom or carrier networks, schedule a short demo with our team to see how Silent Push can deliver early warning on emerging threats and malicious infrastructure.