Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data


Sensitive Topic Disclaimer

It’s extremely rare for our team to publicly share details on how we found the technical fingerprints for an Advanced Persistent Threat (APT) group. We are making these details public now due to our belief that these are legacy fingerprints unlikely to appear again. It’s been four months since these technical fingerprints uncovered a new website, and prior to that, the most recent website found with the fingerprints was from 2023. 

Our goal for sharing these historical indicators is to provide value to organizations targeted by Salt Typhoon. Silent Push Enterprise customers have had access to the full report and archive exports on this topic, which contain yet-unreleased information, since June 2025.

Key Findings

  • Silent Push has identified dozens of previously unreported domains, all aiming to obtain long-term, stealthy access to targeted organizations, used by the Chinese APT group, Salt Typhoon, along with some related People’s Republic of China (PRC) state-backed threat actors.
  • Best known for its global attacks against telecom-based infrastructure and Internet Service Providers (ISPs) in the U.S. and more than 80 other countries, Salt Typhoon’s successful malicious campaigns enabled it to gain access to metadata on more than a million U.S. mobile phone users as well as systems used to conduct court-authorized wiretapping.
  • Our research team discovered a similar Chinese threat actor, UNC4841, known for exploiting a Barracuda vulnerability to gain unauthorized access to networks. UNC4841 shares overlapping technical infrastructure with Salt Typhoon, and appears to have similar government and corporate targeting, raising questions about additional connections between these Chinese APT groups.
  • We are publishing this blog to further research into Salt Typhoon and related Chinese threat actors, and to encourage other researchers to check their telemetry and historic logs against these domains, which will help advance our collective understanding of these activities.  

Executive Summary

Silent Push Threat Analysts have identified a group of previously unreported domains used by a group of closely linked Chinese APT actors, including Salt Typhoon. Active since at least 2019, this APT group is best known for a series of international hacking campaigns targeting telecom infrastructure and ISPs, primarily in the U.S. and across more than 80 other countries.

Our team has identified key domain registration patterns in the publicly reported command and control (C2) infrastructure, which enabled us to discover additional domains that we assess, with high confidence, were set up for either Salt Typhoon or another closely related China-backed threat actor. We found a total of 45 domain names, the majority of which have not been previously linked to APT activity.

The domains date back several years, with the oldest registration activity occurring in May 2020, further confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group.

As our research began, we noted that other researchers had previously observed an overlap in infrastructure between Salt Typhoon and another China-associated threat actor, UNC4841, that exhibits similar behaviors. As a result, we are including our findings on UNC4841 in this blog as we continue to track this threat actor.

Finally, our team has identified additional infrastructure beyond that which is shared in this report. Due to operational security reasons related to the ongoing investigation, however, we are unable to share them at this time.





Background

Salt Typhoon is a Chinese threat actor believed to be operated by the PRC’s Ministry of State Security (MSS). This group has conducted numerous high-profile cyber-espionage campaigns against the United States, as well as against over 80 other countries across the world that are geopolitical competitors with China.

Also referred to as “GhostEmperor,” “FamousSparrow,” “Earth Estries,” and “UNC2286,” Salt Typhoon is best known for a large-scale hacking campaign that targeted at least nine telecommunication companies in the United States, as well as many similar companies in other countries, during 2024.

In the U.S., these hacks provided Salt Typhoon with access to metadata on nearly every American, including some prominent politicians. The threat actor group was also able to access systems used to conduct court-authorized wiretapping.

Salt Typhoon is known to exploit numerous vulnerabilities, including zero-days, to gain access to networks targeted by the group. It is not known to conduct social engineering.

In 2021, cybersecurity company ESET reported that Salt Typhoon had exploited several remote code vulnerabilities in business software to gain unauthorized access to the internal systems of hotels, governments, and private companies worldwide.

UNC4841 is another China-linked threat actor, with Tactics, Techniques, and Procedures (TTPs) similar to those of Salt Typhoon. It is best known for a 2023 campaign that exploited a zero-day vulnerability in the Barracuda Email Security Gateway Appliance. As other cyber researchers have noted, and as we confirm in our own findings below, there is notable infrastructure overlap between Salt Typhoon and UNC4841.


Research Methodology

The targeted nature of these campaigns, as well as the use of vulnerabilities in public-facing servers, often means there are very few actionable indicators to work from. For instance, there are no publicly known phishing pages associated with the Salt Typhoon group, nor are there any known emails containing malicious links; it is possible that neither were used.

Even so, once inside a system, the next step an actor takes is generally to maintain persistence. They will deploy malware that requires a connection to an actor-controlled server to maintain this, and these indicators represent an avenue that defenders can use to check for infection as well as hunt for additional actor-controlled infrastructure.

In a November 2024 blog post on “Earth Estries,” its name for Salt Typhoon, security company Trend Micro included a list of such indicators. This list included C2 hostnames for three pieces of malware used by Salt Typhoon: the Demodex rootkit, as well as the Snappybee and Ghostspider backdoors.

WHOIS Searches

Examining the domains Trend Micro shared inside Silent Push’s Web Scanner, using the WHOIS data source, our team immediately noticed some interesting patterns. In particular, as seen in the screenshot below, many of the domains had been registered using a ProtonMail[.]com email address.

Web Scanner WHOIS Domain search query link

datasource = "whois" AND domain = ["clothworls.com,colourtinctem.com,dateupdata.com,hoovernamosong.com,
infraredsen.com,lhousewares.com,materialplies.com,pulseathermakf.com,
royalnas.com,solveblemten.com,stnekpro.com"]

Screenshot: Interesting patterns emerged from a Silent Push Web Scanner WHOIS scanner search

Breaking this down further, specific emails were used to register multiple domains. For colourtinctem[.]com, materialplies[.]com, and solveblemten[.]com, all of which were linked to “campaign Alpha,” the associated email address was: sdsdvxcdcbsgfe@protonmail[.]com.

This string of characters, which appears to have been created by smashing the left side of the keyboard, is nonetheless a standout when combined with ProtonMail.

Examining “campaign Beta”, we found that for the domains dateupdata[.]com and infraredsen[.]com, which were used as the C2 server for the Demodex rootkit, the associated email address was: oklmdsfhjnfdsifh@protonmail[.]com. Again, a random string of gibberish.

Moving to the next domain, pulseathermakf[.]com, which was also part of that campaign, we found it was registered with the email address: oookkkwww@protonmail[.]com.

From here, we can attempt to see if any other domains have been registered with these unique email addresses using our WHOIS dataset in the Silent Push Web Scanner:

Web Scanner WHOIS Emails search query link

datasource = "whois" and email=[sdsdvxcdcbsgfe@protonmail.com,
oklmdsfhjnfdsifh@protonmail.com,oookkkwww@protonmail.com]

Screenshot: WHOIS email search results

Re-examining the Records

After some deduplication of the 126 total results, we find that this query results in several new domain names. A good start, but where else can we look? Examining the records again, our team noted that the three groups of domains don’t just share a registrant email address: each has its own unique registrant and registrant address, as seen below.

The email address “sdsdvxcdcbsgfe@protonmail[.]com” returns the domains incisivelyfut[.]com and sinceretehope[.]com. Examining them, we find that all of the domains linked to this email address were registered by one “Tommie Arnold” at “1729 Marigold Lane, Miami, FL, US”.

The email address “oklmdsfhjnfdsifh@protonmail[.]com” returns the domains clubworkmistake[.]com, newhkdaily[.]com, onlineeylity[.]com, toodblackrun[.]com, and unfeelmoonvd[.]com. Here, registration was performed by one “Monica Burch” at “1294 Koontz Lane, Los Angeles, CA, US.”

Finally, the email address “oookkkwww@protonmail[.]com” returns the domains asparticrooftop[.]com, cloudprocenter[.]com, e-forwardviewupdata[.]com, fitbookcatwer[.]com, hateupopred[.]com, shalaordereport[.]com, verfiedoccurr[.]com, waystrkeprosh[.]com, and xdmgwctese[.]com. The nine domains were registered by a “Shawn Francis” at “4858 Agriculture Lane, Miami, FL, US.”

On closer inspection, it appears each of the three “personas” is almost certainly fake. Additionally, none of the listed addresses exist. Even so, sharing unique, fake address details gives us a reasonable degree of certainty that the domains themselves are all related infrastructure set up by the same actor. The use of a seemingly innocuous English name combined with a nonexistent address in the US is a pattern that will also be relevant later.

One final note on one of the domains, newhkdaily[.]com in particular, is that it appears to be a Hong Kong newspaper. Whether this is an impersonation of a Hong Kong media source with which we are unfamiliar, a Psychological Operation (PSYOP) campaign, or simply a propaganda front is unclear at this time.

SOA Records

Knowing that our patterns here rely on the registration details, our team then took the next logical step to pull additional findings from our DNS data: Start of Authority (SOA) records*. Rarely worth consideration for benign, everyday internet users, SOA records are nonetheless a useful pivoting option for threat hunters looking for infrastructure with similar registration patterns.

*Note: An SOA record contains administrative information about a given domain and is only present for apex domains. It identifies the primary name server (MNAME), email address of the administrator (RNAME), a serial number that changes when zone data is updated, and other helpful information.

APT groups are often unaware of how their infrastructure management patterns can be used to track them. As a result, SOA records can provide crucial insight into even advanced groups. This is because domains registered at the same registrar simultaneously are often assigned the same SOA record, meaning a search against them can return related infrastructure spun up by the same actor.

Additionally, as noted above, SOA records contain an email address (in either the rname or mbox field, where the initial “@” is replaced by a dot), which is typically the domain registrant.

PADNS Search SOA Records Query

Bearing that in mind, our team turned to our “PADNS search SOA records” query, input one of the emails into the “mbox” field, and tested the results*:

*Note: For those following along, use either the direct link or remove the brackets from the mbox parameter below.

PADNS SOA record search link

mbox = sdsdvxcdcbsgfe[.]protonmail[.]com

Screenshot: PADNS search SOA records query form

Screenshot: Results from the initial SOA record search

As you can see above, this query returns any domain with sdsdvxcdcbsgfe.protonmail[.]com in the mbox field of an SOA record. Confirming our prior searches, the results give the same five domains we saw through WHOIS, and we received similar results with oklmdsfhjnfdsifh.protonmail[.]com.

However, for oookkkwww.protonmail[.]com we found a new domain: followkoon[.]com. Notably, our team also observed that the domain fitbookcatwer[.]com was missing from the SOA records, which further emphasizes the importance of using both SOA records and WHOIS data when searching for actor infrastructure.
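As an added example (not Silent Push's own tooling, and not code from the original post), the following Python shows the two pivots above done offline: converting an SOA RNAME/mbox value back into an e-mail address, including the RFC 1035 rule that a dot inside the local part is written with a backslash escape, and then clustering domains by mailbox across both the WHOIS and SOA sources so that a domain present in only one of them, like fitbookcatwer[.]com above, is surfaced rather than lost. The input records are constructed to mirror the findings above; the Web Scanner and PADNS lookups that would produce them are not shown.

```python
from collections import defaultdict


def rname_to_email(rname: str) -> str:
    """Turn an SOA RNAME / mbox value into an e-mail address.

    Per RFC 1035 section 3.3.13 the first unescaped dot separates the
    mailbox local part from its domain; a dot that belongs to the local
    part is escaped ("john\\.doe.example.com" -> "john.doe@example.com").
    A trailing root dot, as printed by most tools, is ignored.
    """
    rname = rname.rstrip(".")
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped character is literal
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":                            # first unescaped dot: split here
            return "".join(local) + "@" + rname[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)                        # RNAME with no domain part


def cluster_by_mailbox(whois, soa):
    """Group domains by registrant mailbox seen in either data source.

    whois: {domain: registrant e-mail}      (WHOIS registrant field)
    soa:   {domain: raw SOA RNAME / mbox}   (passive DNS SOA records)
    Returns {email: {"whois": set(domains), "soa": set(domains)}}.
    """
    clusters = defaultdict(lambda: {"whois": set(), "soa": set()})
    for domain, email in whois.items():
        clusters[email.lower()]["whois"].add(domain.lower())
    for domain, rname in soa.items():
        clusters[rname_to_email(rname).lower()]["soa"].add(domain.lower())
    return dict(clusters)


def source_gaps(cluster):
    """Summarise one mailbox cluster: full domain set plus per-source gaps."""
    return {
        "domains": sorted(cluster["whois"] | cluster["soa"]),
        "whois_only": cluster["whois"] - cluster["soa"],
        "soa_only": cluster["soa"] - cluster["whois"],
    }


# Constructed sample records mirroring the post's findings (subset only).
SAMPLE_WHOIS = {
    "fitbookcatwer.com": "oookkkwww@protonmail.com",
    "hateupopred.com": "oookkkwww@protonmail.com",
    "incisivelyfut.com": "sdsdvxcdcbsgfe@protonmail.com",
}
SAMPLE_SOA = {
    "hateupopred.com": "oookkkwww.protonmail.com.",
    "followkoon.com": "oookkkwww.protonmail.com.",
    "incisivelyfut.com": "sdsdvxcdcbsgfe.protonmail.com.",
}


def run_pivot():
    """Cluster the sample records and report per-mailbox source gaps."""
    clusters = cluster_by_mailbox(SAMPLE_WHOIS, SAMPLE_SOA)
    return {email: source_gaps(c) for email, c in clusters.items()}


if __name__ == "__main__":
    for email, summary in run_pivot().items():
        print(email, summary)
```

Running run_pivot() reports fitbookcatwer.com as WHOIS-only and followkoon.com as SOA-only for the oookkkwww mailbox, which is exactly the discrepancy that motivates querying both sources rather than either alone.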

Searching OSINT for more information on these ProtonMail addresses, we found a presentation given by two authors of the aforementioned Trend Micro report at JPCERT’s JSAC conference in January 2025. The deck included a fourth email address, “ethdbnsnmskndjad55@protonmail[.]com,” which they linked to UNC4841.

WHOIS records give five domains related to this email address:

  • chekoodver[.]com
  • fessionalwork[.]com
  • gesturefavour[.]com
  • togetheroffway[.]com
  • troublendsef[.]com

SOA records return those same five domains, as well as componfrom[.]com, goldenunder[.]com, junsamyoung[.]com, and qatarpenble[.]com, for a total of nine domains, several of which have not been previously reported.

Screenshot: Results from checking WHOIS records for the UNC4841 domain

The WHOIS records are linked to one “Geralyn Pickens” at “1957 Trails End Road, Miami, FL, US.” As with the others, this address does not exist.

Trend Micro was not the first to link these domains to UNC4841, known for the Barracuda email gateway hack: Barracuda lists several of the domains as being linked, in particular:

  • fessionalwork[.]com
  • gesturefavour[.]com
  • goldenunder[.]com
  • togetheroffway[.]com
  • troublendsef[.]com

Further Pivots

The four sets discussed above not only share ties through their WHOIS records, but each is also linked to a persona with an English name, a non-existent but valid-looking US address, and a gibberish-looking ProtonMail address. Perhaps incidentally, all the domains also use the “.com” top-level domain (TLD).

Referring back to our SOA PADNS search from before, we now endeavor to find all the SOA records using the Advanced Query option to combine a ProtonMail address in the mbox value while also having a .com TLD for the domain, being sure to include a skip 1000 parameter to catch everything*:

PADNS SOA Records Protonmail Wildcard search query link

domain = *.com AND mbox = *.protonmail.com AND skip = 1000

Screenshot: Wildcarded ProtonMail and “.com” TLD search

*Note: The API for this query is limited to 1,000 results at a time, so this must be run with skip=1000, 2000, etc., to catch all values.

The final step involves parsing the resulting email addresses for matches that appear to be gibberish, followed by a WHOIS scan lookup to identify real-looking English names with non-existent (but seemingly valid) U.S. addresses.

Finding Three Additional Email Addresses

This results in three more ProtonMail email addresses, each tied to four to five domains.

First is: regfnasg258adc@protonmail[.]com, through which four domains were registered: chatscreend[.]com, gandhibludtric[.]com, getdbecausehub[.]com, and redbludfootvr[.]com. Notably, the first two are only seen in SOA records, not in WHOIS. The registrant for the other two is “Kerry Gass” from “1890 Lamberts Branch Road, Miami, FL, US”.

Second is: thnzbakqmmznaql@protonmail[.]com, through which four domains were also registered: lookpumrron[.]com, morrowadded[.]com, ressicepro[.]com, and siderheycook[.]com. The registrant for all four domains in this group is “Trina Watson” of “371 Hill Street, Mansfield, OH, US”.

The last is: iumv983uv1idm90v2@protonmail[.]com, through which five domains were registered: aria-hidden[.]com, caret-right[.]com, col-lg[.]com, fjtest-block[.]com, and requiredvalue[.]com. These domains were registered by “Larry Smith” of “2424 Lowland Drive, Lena, IL, US”.

None of the addresses associated with these domains actually exist.

While these patterns are certainly suspect by themselves, there is a more reliable infrastructure pattern to note here: all the domains were using the same name servers used by the publicly referenced Salt Typhoon domains from our original seed of indicators:

  • *.1domainregistry[.]com
  • *.orderbox-dns[.]com
  • *.monovm[.]com
  • *.naracauva[.]com[.]ru

It is important to note here that, although we could have included these name servers in the SOA searches above, our team decided to keep the search broad, in case something was missed.

Another Suspicious Email Address

Another suspicious ProtonMail email address was found: zainmehe@protonmail[.]com. It has most of the patterns observed above, including a fake registrant address in the US, “224 Hiddenview Drive, Philadelphia, PA,” for one “Dereck Timbaland.”

One notable difference, however, was that a few of the domains use the “.uk” or “.net” TLDs, such as morrisonplc.co[.]uk and testlng[.]net. Moreover, at 117 domains linked to this email address (through various SOA and WHOIS searches), there are more than twice as many domains linked to this address as are linked to the other seven email addresses combined.

For this reason, and out of an abundance of caution, our analysts do not currently consider this email address, nor its associated domains, to be operated by the same actor.

Are We Running Out of Salt?

The previous searches returned 45 domains, many of which have not been linked to Salt Typhoon or any other Chinese threat actor. Those domains also date back five years, with the oldest domain, onlineeylity[.]com, registered on May 19, 2020, by the aforementioned “Monica Burch” persona.

Technically, the domain dateupdata[.]com is a month older, but it was registered through a privacy-preserving WHOIS service before being re-registered by Monica Burch in October 2021. It is possible that the older registration was unrelated.

Many of the domains have also been registered using similar services. In some instances, the domains were parked; for example, onlineeylity[.]com is still parked at the time of writing this blog (September 2025), while cloudprocenter[.]com, which was re-registered under a different name, is currently hosting a default web page.

Most of the domains mentioned in this blog have likely ceased to be used by the threat actor, at least for now, and in some cases, years ago.

IP Addresses

Our team also examined the IP addresses related to this activity, as indicated by DNS A records for any of the 45 domains identified above or their subdomains.

From our analysis, we noted that many of the domains pointed to high-density IP addresses, i.e., IPs to which a (very) high number of hostnames currently point, or have pointed. These include, but aren’t limited to, domain parking services.

Ordinarily, this would mean that the threat actor no longer controlled such an IP address. However, in this case, given both the advanced technical skill and considerable financial backing of the group, our team did not want to exclude the possibility that an actor operating the domain names had control over some of the high-density IP addresses we discovered, perhaps through a compromise of infrastructure.

Even so, the low-density IP addresses appear to be of most concern here. Thus, we compiled a list of all the low-density IP addresses observed in the DNS A records for any of the 45 domains related to Salt Typhoon, including its subdomains. We then paired them with the time period they were observed:

Domain                         Observation timeframe        Low-density IP address
asparticrooftop[.]com          2022-05-19 to 2023-05-17     172.93.165.13
cloudprocenter[.]com           2021-10-17 to 2021-11-19     92.38.160.50
                               2021-11-20 to 2021-12-09     165.154.230.21
                               2021-12-10 to 2021-12-14     172.93.189.6
                               2021-12-15 to 2022-06-28     91.245.255.13
                               2022-06-30 to 2022-07-17     91.245.255.72
                               2022-07-18 to 2022-07-24     92.38.139.216
                               2022-08-04 to 2022-08-04     172.93.189.207
clubworkmistake[.]com          2022-07-13 to 2022-08-10     203.20.113.208
                               2022-08-12 to 2022-08-16     96.9.211.4
                               2022-08-17 to 2024-10-09     91.245.255.36
imap[.]dateupdata[.]com        2024-08-08 to 2024-10-08     193.239.86.168
followkoon[.]com               2024-03-14 to 2025-03-13     103.113.85.216
aar[.]gandhibludtric[.]com     2025-05-05 to 2025-06-05     38.54.63.75
hateupopred[.]com              2021-11-12 to 2022-11-08     146.70.79.16
infraredsen[.]com              2024-12-03 to 2025-06-05     45.125.67.144
pop3[.]materialplies[.]com     2023-12-12 to 2025-06-05     103.159.133.251
newhkdaily[.]com               2022-07-21 to 2023-07-19     202.146.221.69
pulseathermakf[.]com           2022-04-26 to 2022-08-03     96.9.211.27
                               2022-08-04 to 2022-08-17     205.189.160.3
                               2022-08-17 to 2023-09-21     146.70.79.105
                               2023-09-21 to 2025-04-25     146.70.79.18
shalaordereport[.]com          2022-06-07 to 2022-06-22     172.93.165.12
                               2022-06-23 to 2022-07-25     146.70.79.48
toodblackrun[.]com             2022-07-21 to 2022-08-17     172.93.188.220
                               2022-08-17 to 2023-11-14     23.106.123.183
                               2023-11-16 to 2024-01-23     193.56.255.165
                               2024-01-25 to 2024-02-01     91.245.255.48
                               2024-02-03 to 2025-06-03     91.245.255.50
unfeelmoonvd[.]com             2023-02-10 to 2024-01-11     165.154.242.73
                               2024-01-12 to 2024-02-06     74.119.193.42
verfiedoccurr[.]com            2021-11-17 to 2022-11-15     27.255.81.107
waystrkeprosh[.]com            2021-12-23 to 2022-12-21     96.9.211.15
xdmgwctese[.]com               2022-07-16 to 2022-08-16     172.93.188.241
                               2022-08-29 to 2023-10-10     91.245.255.32

As a final note of interest, our team determined that some of the low-density IP addresses in this list also had domains that had started pointing to sinkholes*.

*Note: In cybersecurity, when malware researchers or law enforcement gain control of potentially malicious domains, they use a “sinkhole,” which is a controlled server, or set of servers, to route the domains away from the intended server and instead to a server where they can be isolated and safely analyzed. There are two types of sinkholes: DNS sinkholes (the most common) and IP sinkholes.


Mitigating Significant Levels of Risk

Silent Push believes all domains associated with Salt Typhoon and UNC4841 present a significant level of risk. Proactive measures are crucial in defending against this evolving threat.

Our analysts construct Silent Push Indicators Of Future Attack™ (IOFA™) Feeds, which provide our enterprise customers with pre-weaponization detection of criminal and APT infrastructure, expanding defenders’ awareness beyond simple IoCs.

The IOFA™ Feeds are available as part of a Silent Push Enterprise subscription. Enterprise users can ingest this data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.


Sample Indicators Of Future Attack™ for Salt Typhoon and UNC4841

  • aar[.]gandhibludtric[.]com
  • aria-hidden[.]com
  • asparticrooftop[.]com
  • caret-right[.]com
  • chatscreend[.]com
  • chekoodver[.]com
  • cloudprocenter[.]com
  • clubworkmistake[.]com
  • col-lg[.]com
  • colourtinctem[.]com
  • componfrom[.]com
  • dateupdata[.]com
  • e-forwardviewupdata[.]com
  • fessionalwork[.]com
  • fjtest-block[.]com
  • fitbookcatwer[.]com
  • followkoon[.]com
  • gandhibludtric[.]com
  • gesturefavour[.]com
  • getdbecausehub[.]com
  • goldenunder[.]com
  • hateupopred[.]com
  • imap[.]dateupdata[.]com
  • incisivelyfut[.]com
  • infraredsen[.]com
  • junsamyoung[.]com
  • lookpumrron[.]com
  • materialplies[.]com
  • morrowadded[.]com
  • newhkdaily[.]com
  • onlineeylity[.]com
  • pulseathermakf[.]com
  • qatarpenble[.]com
  • redbludfootvr[.]com
  • requiredvalue[.]com
  • ressicepro[.]com
  • shalaordereport[.]com
  • siderheycook[.]com
  • sinceretehope[.]com
  • solveblemten[.]com
  • togetheroffway[.]com
  • toodblackrun[.]com
  • troublendsef[.]com
  • unfeelmoonvd[.]com
  • verfiedoccurr[.]com
  • waystrkeprosh[.]com
  • xdmgwctese[.]com

Continuing to Track Salt Typhoon and UNC4841

From a small set of publicly referenced domain names, our research team identified a larger grouping of domain names that we can assess with high confidence are used by an advanced China-linked cyberespionage actor, most likely Salt Typhoon or UNC4841.

These group(s) are known to focus on long-term access, so it wasn’t surprising to see when Bloomberg recently reported that Salt Typhoon was found to have breached a U.S. telecommunications provider a year before it became publicly known.

As such, we strongly urge any organization that believes itself to be at risk of Chinese espionage to search its DNS logs for the past five years for requests to any of the domains in our archive feed, or their subdomains. It would also be prudent to check for requests to any of the listed IP addresses, particularly during the time periods in which this actor operated them.
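The retrospective check recommended above, as an added example that is not Silent Push code and not part of the original post: a Python hunt over resolver logs that refangs the published indicators, matches query names on the exact domain or any subdomain (at a label boundary, so a look-alike such as xfollowkoon.com does not match), and flags A-record answers equal to one of the low-density IPs only inside the observation window from the table above, since those IPs belonged to other tenants outside it. The log lines are constructed in a simple tab-separated layout (timestamp, client, query name, record type, answer); replace the parser with one for your resolver's or Zeek dns.log format, and load the full indicator list rather than the three domains and three table rows used here.

```python
from datetime import date, datetime
from ipaddress import ip_address

# Indicators copied from the post (defanged as published); subset for brevity.
DOMAIN_IOCS = ["followkoon[.]com", "dateupdata[.]com", "pulseathermakf[.]com"]

# (domain, first seen, last seen, low-density IP) rows from the post's table.
IP_WINDOWS = [
    ("followkoon[.]com", "2024-03-14", "2025-03-13", "103.113.85.216"),
    ("imap[.]dateupdata[.]com", "2024-08-08", "2024-10-08", "193.239.86.168"),
    ("pulseathermakf[.]com", "2023-09-21", "2025-04-25", "146.70.79.18"),
]

# Constructed resolver log: ts, client, qname, rtype, answer (tab-separated).
# Benign names and IPs use RFC 2606 / RFC 5737 reserved values.
SAMPLE_LOG = """\
2024-06-01T10:15:02\t10.0.0.12\twww.internal.example\tA\t192.0.2.10
2024-06-01T10:16:40\t10.0.0.12\tfollowkoon.com\tA\t103.113.85.216
2024-09-03T08:02:11\t10.0.0.7\timap.dateupdata.com\tA\t193.239.86.168
2023-01-15T12:00:00\t10.0.0.9\tcdn.internal.example\tA\t146.70.79.18
2024-01-10T23:41:09\t10.0.0.9\tupdate.internal.example\tA\t146.70.79.18
"""


def refang(ioc: str) -> str:
    """Turn a published '[.]' indicator back into a real, normalised name."""
    return ioc.replace("[.]", ".").lower().rstrip(".")


def domain_matches(qname, ioc_domains):
    """Exact or subdomain match on a label boundary; returns the matched IOC."""
    q = qname.lower().rstrip(".")
    for d in ioc_domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def ip_in_window(answer, when, windows):
    """Return the domain whose low-density IP was answered inside its window."""
    for dom, start, end, wip in windows:
        if answer == wip and date.fromisoformat(start) <= when <= date.fromisoformat(end):
            return dom
    return None


def hunt(log_lines):
    """Scan log lines and return one hit dict per line that matches anything."""
    iocs = [refang(d) for d in DOMAIN_IOCS]
    windows = [(refang(d), s, e, ip) for d, s, e, ip in IP_WINDOWS]
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, rtype, answer = line.rstrip("\n").split("\t")
        when = datetime.fromisoformat(ts)
        reasons = []
        matched = domain_matches(qname, iocs)
        if matched:
            reasons.append("domain")
        if rtype == "A":
            try:
                ip_address(answer)            # skip NXDOMAIN / malformed answers
            except ValueError:
                pass
            else:
                if ip_in_window(answer, when.date(), windows):
                    reasons.append("ip_window")
        if reasons:
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "answer": answer, "matched_domain": matched,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample log this yields three hits: followkoon.com (domain and in-window IP), imap.dateupdata.com (subdomain of a listed domain plus in-window IP), and a query to an unlisted name that resolved to 146.70.79.18 during the window in which pulseathermakf[.]com pointed there. The 2023-01-15 answer of the same IP falls before that window and is correctly left alone.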

While some of the domains may have been (re)used for legitimate activity, our team found little evidence to support this.

Silent Push will continue to track Salt Typhoon’s infrastructure and activity, adding any newly found domains and IP addresses to the relevant feeds and sharing any technical findings with our customers. We have shared as much information in this blog as possible within the opsec guidelines for public disclosure. Our enterprise clients have access to additional technical information and insights on Salt Typhoon, UNC4841, and other related Chinese threat actors.

If you or your organization has any information you would like to share about Salt Typhoon, UNC4841, or other Chinese-associated threat actor groups, we would love to hear from you.