Silent Push, a cybersecurity intelligence firm, has uncovered 45 previously unreported domains linked to Salt Typhoon, part of whose infrastructure overlaps with UNC4841. Significantly, UNC4841 exploited a high-severity zero-day flaw in the Barracuda Email Security Gateway (CVE-2023-2868, CVSS score 9.8) to infiltrate targeted networks. Salt Typhoon’s past campaigns gave the group access to metadata on over a million U.S. mobile users, as well as to systems handling lawful wiretaps.
Methodology:
After the exploited flaw was patched, researchers mapped Salt Typhoon’s domain infrastructure through detailed analysis of SOA records and WHOIS data. The actors registered domains using multiple ProtonMail accounts tied to fake personas, such as Tommie Arnold, Monica Burch, and Shawn Francis, often using fake addresses. Some of these domains overlap with UNC4841 infrastructure, which was registered through a different ProtonMail account whose address is a string of random characters, with registrations dating back to May 2020. Several of the domains served as command-and-control (C2) servers for malware including Demodex, Snappybee, and Ghostspider, while others were parked or inactive. One domain, newhkdaily[.]com, appeared to mimic a Hong Kong newspaper, though its exact purpose, whether impersonation, psyop, or propaganda, remains unclear.
The Impact:
This hidden infrastructure supports a vast network of operations that allows the threat actors to intercept sensitive communication metadata, threatening both personal privacy and national security. The infrastructure shared between Salt Typhoon and UNC4841 points to overlapping tactics, techniques, and procedures (TTPs), which further complicates detection and defense.
Patch Deployment and Residual Threats:
Barracuda released a patch for CVE-2023-2868, the flaw UNC4841 exploited to deliver tailored malware, but patching addresses only part of the problem. Silent Push notes that parts of Salt Typhoon’s legacy infrastructure remain online, some active, some parked, and others sinkholed, so patching alone cannot mitigate the broader espionage risk.
Campaign Analysis and Recommendations:
Salt Typhoon has carried out a covert, long-term espionage campaign since at least May 2020, including the February 2025 breach of a Canadian telecom that exploited a Cisco IOS XE vulnerability. The group’s activities show how Chinese state-sponsored actors exploit unpatched systems, register low-profile domains, and use ostensibly benign online assets to mount sophisticated, persistent attacks. These findings underscore the need for continuous infrastructure monitoring and robust threat-intelligence sharing.