Hidden Chinese APT infrastructure tied to Salt Typhoon and UNC4841

Cyber threat intelligence firm Silent Push has identified 45 previously unreported domains used by Salt Typhoon, a Chinese state-backed advanced persistent threat (APT) group, also known as GhostEmperor, FamousSparrow, Earth Estries, and UNC2286. The domains are believed to be part of a long-running campaign to gain long-term access to global organizations, particularly telecom infrastructure and internet service providers.

Salt Typhoon became widely known in 2024 after compromising at least nine major US telecommunications providers, as well as similar targets in over 80 countries, harvesting metadata on more than a million mobile users, including sensitive data on US politicians, and accessing systems used for court-authorized wiretapping.

The newly identified domains date back as far as May 2020, suggesting that Salt Typhoon’s operations have been active far longer than previously confirmed. The domains were discovered through analysis of WHOIS and Start of Authority (SOA) records, uncovering patterns in ProtonMail-based registrant emails and fake identity registrations tied to multiple infrastructure clusters.

Among the more prominent email addresses used were:

  • sdsdvxcdcbsgfe@protonmail[.]com – tied to domains used in “campaign Alpha”

  • oklmdsfhjnfdsifh@protonmail[.]com – linked to infrastructure supporting the Demodex rootkit

  • oookkkwww@protonmail[.]com – associated with a separate campaign cluster

Silent Push’s researchers also observed infrastructure overlaps between Salt Typhoon and UNC4841, another China-linked APT group known for exploiting a zero-day vulnerability in Barracuda’s Email Security Gateway during a 2023 campaign. The shared tactics, techniques, and procedures (TTPs), combined with common registrant infrastructure, suggest a deeper operational or organizational connection between the two groups.

Researchers noted that all the identified domains were registered using fake personas and non-existent addresses. The fake identities were linked to SOA records and email addresses reused across different campaigns, and these recurring patterns helped researchers map the infrastructure.

“APT groups are often unaware of how their infrastructure management patterns can be used to track them. As a result, SOA records can provide crucial insight into even advanced groups. This is because domains registered at the same registrar simultaneously are often assigned the same SOA record, meaning a search against them can return related infrastructure spun up by the same actor,” Silent Push said.
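As an added illustration of the SOA and registrant-email pivot the researchers describe (example code written for this page, not Silent Push's own tooling), the script below clusters a constructed domain inventory: two domains land in the same cluster when they share a full SOA tuple or a WHOIS registrant email. All domains, nameservers, mailboxes and serials are invented placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrant_email: str  # WHOIS registrant contact
    soa_mname: str         # primary nameserver named in the SOA record
    soa_rname: str         # responsible-party mailbox in the SOA record
    soa_serial: int        # zone serial; identical for zones provisioned together


# Constructed sample inventory (placeholders, not indicators from the report).
SAMPLE = [
    DomainRecord("alpha-one.example", "reg-a@example.invalid", "ns1.reg-a.example", "hostmaster.reg-a.example", 2020050101),
    DomainRecord("alpha-two.example", "reg-a@example.invalid", "ns1.reg-a.example", "hostmaster.reg-a.example", 2020050101),
    DomainRecord("rootkit-c2.example", "reg-b@example.invalid", "ns1.reg-a.example", "hostmaster.reg-a.example", 2020050101),
    DomainRecord("unrelated.example", "someone@example.invalid", "ns1.other.example", "dns.other.example", 2021010101),
    DomainRecord("overlap.example", "reg-b@example.invalid", "ns2.reg-c.example", "dns.reg-c.example", 2023030301),
]


def soa_key(rec: DomainRecord) -> tuple:
    """The full SOA tuple; matching on MNAME alone would be far too broad."""
    return (rec.soa_mname, rec.soa_rname, rec.soa_serial)


def cluster_infrastructure(records: list[DomainRecord]) -> list[list[str]]:
    """Union-find clustering over two link types: shared SOA tuple, shared registrant email."""
    parent = {r.domain: r.domain for r in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_soa, by_email = defaultdict(list), defaultdict(list)
    for r in records:
        by_soa[soa_key(r)].append(r.domain)
        by_email[r.registrant_email.lower()].append(r.domain)
    for group in list(by_soa.values()) + list(by_email.values()):
        for d in group[1:]:
            parent[find(group[0])] = find(d)  # union
    clusters = defaultdict(set)
    for r in records:
        clusters[find(r.domain)].add(r.domain)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


def pivot_from(seed: str, records: list[DomainRecord]) -> list[str]:
    """Every domain reachable from `seed` through the SOA/registrant links."""
    return next((c for c in cluster_infrastructure(records) if seed in c), [seed])
```

A shared SOA tuple on its own is a weak signal, since every domain provisioned at the same registrar in the same window inherits it; the example therefore only becomes useful once registrant overlap (or other evidence) corroborates the link, which is also what the report relies on.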

For more details, read the full report here.

