Researchers have discovered a group of 45 domains, some dating back to 2020, linked to notorious Chinese threat actor Salt Typhoon and other related China-backed groups, which have used them in cyberespionage efforts to obtain long-term, stealthy access to targeted organizations.
Researchers from security firm Silent Push have identified the previously unreported domains — registered by people using pseudonyms and fake addresses — linked not only to Salt Typhoon but also another China-backed actor, UNC4841. The two groups have overlaps in infrastructure, Silent Push revealed in a report published Monday, and appear to be using the domains in cyber-espionage efforts at the behest of the People's Republic of China (PRC).
"Our team has identified key domain registration patterns in the publicly reported command and control (C2) infrastructure, which enabled us to discover additional domains that we assess, with high confidence, were set up for either Salt Typhoon or another closely related China-backed threat actor," reads the report. "We found a total of 45 domain names, the majority of which have not been previously linked to APT activity."
Salt Typhoon — linked to the PRC's Ministry of State Security (MSS) and also known by the names GhostEmperor, FamousSparrow, UNC2286, and others — rose to notoriety last year when it targeted various telecommunications providers in a widespread, high-profile threat campaign. UNC4841, meanwhile, is known for exploiting a vulnerability in Barracuda email security appliances in 2023 to gain access to networks.
While the domains identified by Silent Push — all of which are listed in the post — likely are no longer being used by the threat actors, the researchers still believe that "all domains associated with Salt Typhoon and UNC4841 present a significant level of risk," according to the post.
"Proactive measures are essential to defend against this evolving threat," according to Silent Push, which encouraged other researchers to compare their telemetry and logs against the 45 domains to improve the collective understanding of the threat groups.
Tracking Down Malicious Domains
The researchers' jumping-off point for identifying the domains was a blog post published last November by Trend Micro, which tracks Salt Typhoon as Earth Estries, that included C2 hostnames for three pieces of malware used by the group: the Demodex rootkit, as well as the Snappybee and Ghostspider backdoors.
Using WHOIS data, Silent Push noticed "some interesting patterns," in that many of the domains associated with the malware had been registered using a ProtonMail[.]com email address. Further digging led them down the rabbit hole of at least 45 domains eventually tied to Salt Typhoon and UNC4841, the researchers said.
The oldest domain identified as being part of China-backed APT campaigns is onlineeylity[.]com, registered on May 19, 2020, by "Monica Burch," who purports to live at the fake address of 1294 Koontz Lane in Los Angeles.
Another fake persona claiming to live in Miami, Shawn Francis, registered a separate group of nine other domains — asparticrooftop[.]com, cloudprocenter[.]com, e-forwardviewupdata[.]com, fitbookcatwer[.]com, hateupopred[.]com, shalaordereport[.]com, verfiedoccurr[.]com, waystrkeprosh[.]com, and xdmgwctese[.]com. Two others, incisivelyfut[.]com and sinceretehope[.]com, also were registered by a person who doesn't exist; in this case, Tommie Arnold, who claims to live at yet another fake address, 1729 Marigold Lane in Miami.
"Even so, sharing unique, fake address details gives us a reasonable degree of certainty that the domains themselves are all related infrastructure set up by the same actor," Silent Push said in the report. "The use of a seemingly innocuous English name combined with a nonexistent address in the US" also is a pattern that the researchers tracked to the China-backed actors, according to Silent Push.
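The pivot Silent Push describes, grouping domains by shared registrant details while ignoring values a privacy proxy assigns to thousands of unrelated domains, can be reproduced on any WHOIS export. The following is an added example written for this article, not Silent Push's tooling. The domain names, persona names and the two street addresses are the ones quoted above; the email addresses (other than the UNC4841-linked ProtonMail one) and the remaining street and city values are constructed placeholders, and the two "benign" records are constructed to show that redacted fields never link anything.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class WhoisRecord:
    domain: str       # kept defanged, as in the report
    registrant: str
    email: str
    street: str
    city: str

# Values that registrars and privacy proxies stamp on unrelated domains;
# pivoting on these would join everything to everything.
NOISE_VALUES = {"redacted for privacy", "data protected", "n/a", ""}

# Constructed records (assumption): names, addresses and domains quoted in the
# article, with placeholder emails/streets where the article gives none.
RECORDS: List[WhoisRecord] = [
    WhoisRecord("onlineeylity[.]com", "Monica Burch", "burch-placeholder@example.invalid", "1294 Koontz Lane", "Los Angeles"),
    WhoisRecord("asparticrooftop[.]com", "Shawn Francis", "francis-placeholder@example.invalid", "PLACEHOLDER STREET A", "Miami"),
    WhoisRecord("cloudprocenter[.]com", "Shawn Francis", "francis-placeholder@example.invalid", "PLACEHOLDER STREET A", "Miami"),
    WhoisRecord("incisivelyfut[.]com", "Tommie Arnold", "arnold-placeholder@example.invalid", "1729 Marigold Lane", "Miami"),
    WhoisRecord("sinceretehope[.]com", "Tommie Arnold", "arnold-placeholder@example.invalid", "1729 Marigold Lane", "Miami"),
    WhoisRecord("chekoodver[.]com", "Geralyn Pickens", "ethdbnsnmskndjad55@protonmail[.]com", "PLACEHOLDER STREET B", "PLACEHOLDER CITY"),
    WhoisRecord("benign-example[.]com", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY"),
    WhoisRecord("another-benign[.]com", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY"),
]

def pivot_keys(rec: WhoisRecord) -> Set[Tuple[str, ...]]:
    """Fields worth pivoting on: the email alone, the street+city pair, and the
    name+city pair. A bare name is too common to be a key on its own."""
    norm = lambda s: s.strip().lower()
    email, street, city, name = map(norm, (rec.email, rec.street, rec.city, rec.registrant))
    keys: Set[Tuple[str, ...]] = set()
    if email not in NOISE_VALUES:
        keys.add(("email", email))
    if street not in NOISE_VALUES and city not in NOISE_VALUES:
        keys.add(("address", street, city))
    if name not in NOISE_VALUES and city not in NOISE_VALUES:
        keys.add(("persona", name, city))
    return keys

def cluster_by_registrant(records: List[WhoisRecord]) -> List[Set[str]]:
    """Union-find over domains: two domains join one cluster when they share
    any pivot key, so chains (A shares email with B, B shares address with C)
    land in the same group. Largest clusters first."""
    parent: Dict[str, str] = {r.domain: r.domain for r in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen: Dict[Tuple[str, ...], str] = {}
    for rec in records:
        for key in pivot_keys(rec):
            if key in first_seen:
                ra, rb = find(rec.domain), find(first_seen[key])
                if ra != rb:
                    parent[ra] = rb
            else:
                first_seen[key] = rec.domain

    groups: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        groups[find(rec.domain)].add(rec.domain)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))

if __name__ == "__main__":
    for group in cluster_by_registrant(RECORDS):
        print(len(group), sorted(group))
```

The noise filter is the part that matters in practice: without it, every privacy-proxied domain in the export collapses into one meaningless cluster, which is exactly the false linkage Silent Push's "unique, fake address details" caveat warns against.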
As mentioned, Salt Typhoon and UNC4841 appear to have ceased all activity tied to the domains, according to Silent Push. However, there is one, chekoodver[.]com, that hints at new activity by UNC4841, the researchers said.
"This domain was registered on April 30, 2025, through the persona 'Geralyn Pickens' and with the email address ethdbnsnmskndjad55@protonmail[.]com, which is linked to UNC4841," according to the post. "It is the first new addition to the list since October 2023 and may suggest renewed activity."
Chinese Espionage Efforts Persist
Salt Typhoon is emerging as one of the most formidable China-backed adversaries in history. Last year's discovery of massive breaches of telecommunications companies across the globe — alongside various other attacks by the group — rocked the global security world well into 2025. Indeed, repercussions from that breach are still being felt as government officials, including those in the US, continue to ponder how to respond to the group's persistent cyber-espionage activities.
In light of this, defenders should take any of Salt Typhoon's moves, as well as its alignment with other powerful PRC threat actors, very seriously, and comb their networks for any activity related to the newly revealed domains, according to Silent Push. The company stressed that Salt Typhoon actors had access to some telecom networks for a year before they were detected.
"As such, we strongly urge any organization that believes itself to be at risk of Chinese espionage to search its DNS logs for the past five years for requests to any of the domains in our archive feed, or their subdomains," reads the report. "It would also be prudent to check for requests to any of the listed IP addresses, particularly during the time periods in which this actor operated them."
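The retrospective DNS-log search Silent Push recommends has two details that are easy to get wrong: the match must cover subdomains of each listed domain, and it must be label-aware so that a look-alike such as `notchekoodver.com` does not fire. The script below is an added example for this article, not Silent Push's code. It refangs indicators written in the report's `[.]` notation, parses constructed BIND-style query-log lines (not real telemetry), and returns each hit with the querying client so it can be triaged; the indicator list here is limited to domains named in the article, and the log format and field names are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Indicators as they appear in the report (defanged). The full list of 45 is
# in Silent Push's post; only domains named in this article are used here.
DEFANGED_INDICATORS = [
    "chekoodver[.]com",
    "onlineeylity[.]com",
    "incisivelyfut[.]com",
    "sinceretehope[.]com",
]

def refang(indicator: str) -> str:
    """'example[.]com' -> 'example.com', lower-cased, no trailing dot."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")

def is_match(qname: str, indicator: str) -> bool:
    """True when qname is the indicator or a subdomain of it. The label
    boundary check keeps 'notchekoodver.com' from matching 'chekoodver.com'."""
    q = qname.strip().lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)

# Constructed BIND-style query-log lines (assumption: this field layout).
SAMPLE_LOG = """\
12-Mar-2024 09:14:02.117 client 10.0.4.21#51234: query: www.example.org IN A + (10.0.0.53)
12-Mar-2024 09:15:47.902 client 10.0.4.88#44010: query: update.chekoodver.com IN A + (10.0.0.53)
12-Mar-2024 09:16:03.334 client 10.0.4.88#44011: query: notchekoodver.com IN A + (10.0.0.53)
14-Mar-2024 22:40:10.001 client 10.0.7.5#60001: query: SINCERETEHOPE.COM. IN TXT + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

@dataclass
class Hit:
    timestamp: datetime
    client: str
    qname: str
    indicator: str

def scan_dns_log(log_text: str, defanged: List[str], since: Optional[str] = None) -> List[Hit]:
    """Return every query whose name equals or falls under a listed domain.
    `since` is an optional 'YYYY-MM-DD' lower bound for the retrospective window."""
    indicators = [refang(i) for i in defanged]
    floor = datetime.strptime(since, "%Y-%m-%d") if since else None
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unparseable line: skip rather than silently mis-match
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        if floor and ts < floor:
            continue
        qname = m["qname"].lower().rstrip(".")
        for ind in indicators:
            if is_match(qname, ind):
                hits.append(Hit(ts, m["client"], qname, ind))
                break
    return hits

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG, DEFANGED_INDICATORS):
        print(h.timestamp.isoformat(), h.client, h.qname, "->", h.indicator)
```

Against a real resolver log the same function is run over each archived day, with `since` set to the five-year horizon the report suggests; a hit is a lead for host triage on the client address, not a confirmed compromise, since the domains may have been sinkholed or parked after the actors abandoned them.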