Researchers at Silent Push have uncovered 45 domains tied to the China-linked hacking syndicate Salt Typhoon. Some of the domains date back to 2020 and were registered with fake US identities and ProtonMail accounts built from random characters. Silent Push analysts say these domains were designed for long-term access into telecoms and internet providers across more than 80 countries.
Beyond the malicious domains, it was also revealed that the group had overlapping domain infrastructure with UNC4841, the group linked to Barracuda exploits. The researchers believe this shared infrastructure is a testament to how Chinese espionage operators recycle resources across campaigns.
Techopedia spoke with Zach Edwards, Senior Threat Researcher at Silent Push, about how this infrastructure was built, what it reveals about coordination between groups, and why it matters for defenders.
Key Takeaways
- Salt Typhoon used at least 45 domains for long-term espionage.
- The oldest domains date back to May 2020.
- Silent Push found overlaps with UNC4841’s infrastructure.
- Fake US registrant identities and ProtonMail accounts tied the domains together.
- Defenders are urged to review five years of DNS logs for signs of exposure.
A Web of Domains Built for China’s Long-Term Espionage
Salt Typhoon has earned a reputation for going after some of the most sensitive parts of telecom infrastructure, from systems handling mobile metadata to those used for lawful wiretapping.
That reputation grew last year when the group breached at least nine major US telecom providers, reportedly gaining access to records on more than a million mobile users, including those of senior government and political figures. Reuters reported that Verizon, AT&T, Lumen Technologies, and Windstream were among those affected.
The newly uncovered domains highlight how Salt Typhoon sustains its reach. Silent Push believes the group favors long-lived infrastructure that can stay dormant in the background for years. That persistence, however, has also left behind registration trails that the analysts were able to track.
In a chat with Techopedia, Edwards said:
“Salt Typhoon has been launching some of the most sophisticated attacks against telecoms and ISPs the world has ever seen, and yet what these domains reveal is that even they have made consistency mistakes – i.e., distinguishable patterns – when registering their domains for the last nearly five years.”
The researchers also found that Salt Typhoon’s registration methods line up with those of UNC4841.
According to Edwards, this “alludes to connections between them, likely due to centralized training where similar methods are being taught.”
Silent Push’s findings also show that many of the domains were registered with ProtonMail accounts created from random characters and linked to fake US identities. The strategy is to make malicious infrastructure blend into a flood of legitimate registration records, which leaves analysts digging through a lot of noise.
Where Salt Typhoon Meets UNC4841
At the mention of UNC4841, what comes to mind is the exploitation of a zero-day vulnerability (CVE-2023-7102) in Barracuda’s email security gateways that began in October 2022 and peaked around May and June 2023. The campaign later spread into government and private-sector networks.
Silent Push found that Salt Typhoon and UNC4841 relied on similar processes when buying domains.
Edwards told Techopedia:
“The connections between Salt Typhoon and UNC4841 were interesting and quite specific. We found they used common processes when acquiring domains for their attacks, which points to common training received by both groups.
“It is also possible that one entity within this organizational structure is responsible for infrastructure setup that is later used by these offensive groups, though we have seen no direct evidence of this to date.”
Edwards pointed out that although attribution remains messy, the overlap in infrastructure suggests Chinese advanced persistent threat (APT) operators are sharing tools and methods. Edwards believes that a common foundation could give defenders a better chance of spotting exposure.
The impact of Salt Typhoon is not limited to US telecoms, as another report by Recorded Future’s Insikt Group has linked related activity to router exploits in Asia-Pacific universities in 2024 and 2025, showing that the same ecosystem can reach into education and research networks.
Domain Trails as a Defense Tool
Domain infrastructure is one of the few durable markers left behind by groups like Salt Typhoon. Malware may change overnight, but registration records and name server data stay visible long after campaigns end.
Edwards explained:
“APT groups move quickly, quietly, and without leaving many traces behind. When they do expose details about their operations, like with domain registration details, it’s crucial for defenders to focus on those fingerprints, looking for patterns and consistency issues so that we can map indicators of future attacks (IOFAs) instead of merely focusing on indicators of compromise (IOCs).”
He went further to explain the importance of mapping indicators of future attacks (IOFAs) for threat hunters, saying:
“IOFAs and acquiring active fingerprints for serious threat actors are the future of defense and should be the focus of every serious defender.”
Silent Push has urged organizations to review DNS logs covering the past five years and check them against the 45 domains tied to Salt Typhoon and UNC4841. While many of these domains now appear dormant, the researchers believe the fingerprints they carry can still help spot exposure elsewhere.
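As an added illustration (not code from Silent Push or the article), the sweep described above can be scripted: parse historical DNS query logs, keep only entries inside the five-year window, and flag any query name that equals or sits under a watchlisted domain. The watchlist entries and log lines below are constructed placeholders, and the log format assumes a simplified BIND-style query line.

```python
import re
from datetime import datetime

# Constructed placeholder watchlist; substitute the domains published by Silent Push.
WATCHLIST = {"example-badc2.com", "example-apt.net"}

# Review window recommended in the article: 2019 to the present.
SINCE = datetime(2019, 1, 1)

# Simplified BIND-style query log line: "<timestamp> client <ip> query: <qname> IN <qtype>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) client (?P<src>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def normalize(name: str) -> str:
    """Strip the trailing dot and lower-case so matching is case-insensitive."""
    return name.rstrip(".").lower()

def matches_watchlist(qname: str, watchlist=WATCHLIST):
    """Return the watchlisted domain that qname equals or is a subdomain of, else None.
    Matching is label-based, so 'notexample-badc2.com' does not match 'example-badc2.com'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None

def hunt(lines, watchlist=WATCHLIST, since=None):
    """Parse log lines and return a list of hits inside the review window."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not query records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        if since is not None and ts < since:
            continue
        matched = matches_watchlist(m["qname"], watchlist)
        if matched:
            hits.append({"ts": ts.isoformat(), "src": m["src"],
                         "qname": normalize(m["qname"]), "matched": matched})
    return hits

# Constructed sample log: one hit in window, one benign query, one hit before the window,
# and one near-miss that shares a suffix but is a different registered domain.
SAMPLE_LOG = [
    "2021-03-14T02:11:09 client 10.0.5.23 query: mail.example-badc2.com. IN A",
    "2024-11-02T22:40:51 client 10.0.7.9 query: www.example.org. IN A",
    "2018-07-01T00:00:00 client 10.0.1.1 query: example-apt.net. IN A",
    "2025-01-15T09:30:12 client 10.0.9.44 query: notexample-badc2.com. IN TXT",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, since=SINCE):
        print(hit)
```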
The Bottom Line
Salt Typhoon’s reliance on long-lived domains shows an operation built to last. The overlap with UNC4841 suggests that Chinese espionage groups are drawing on the same infrastructure pool, with resources carried forward across campaigns.
That continuity matters because it means old traces can point to future activity. As the researchers pointed out, long-term espionage leaves technical fingerprints that reappear across campaigns. Tracking how infrastructure is built and reused gives security teams a clearer view of the threat landscape and helps them prepare for what comes next.
FAQs
Silent Push identified 45 domains with consistent patterns, most not previously reported.
Domains leave registration and DNS trails that persist long after campaigns end, which helps security teams detect exposure.
Analysts recommend reviewing DNS logs from 2019 to the present against the 45 domains Silent Push released.
References
- US adds 9th telcom to list of companies hacked by Chinese-backed Salt Typhoon cyberespionage (Reuters)
- Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data (Silent Push)
- RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers (Recorded Future)