Salt Typhoon used dozens of domains, going back five years. Did you visit one?
- Reference: 1757353626
- News link: https://www.theregister.co.uk/2025/09/08/salt_typhoon_domains/
In a Monday [1]report, threat intelligence firm Silent Push said it had found 45 domains, the majority of them previously unreported, that it has linked to Salt Typhoon or to UNC4841, a similar group.
Salt Typhoon is the People's Republic of China spying gang that [2]hacked America's major telecommunications firms and [3]stole metadata and other information belonging to "[4]nearly every American," according to a top FBI cyber official who spoke with The Register about the intrusions.
UNC4841 is best known for a series of 2023 attacks that exploited [6]CVE-2023-2868, a critical bug in some Barracuda Email Security Gateways, to deploy custom malware and [7]maintain access to high-value networks, about a third of which belonged to government organizations.
The threat researchers note that key domain registration patterns in Salt Typhoon's previously-reported command and control (C2) infrastructure helped them uncover the new domain names, several of which shared the same registrant - "almost certainly fake" personas including "Shawn Francis," "Monica Burch," and "Tommie Arnold," most using ProtonMail email addresses, and all of whom purportedly live in the US and have physical addresses that don't exist.
[10]FBI cyber cop: Salt Typhoon pwned 'nearly every American'
[11]FBI: Who was going around hijacking Barracuda email boxes? China, probably
[12]If you thought China's Salt Typhoon was booted off critical networks, think again
[13]Silent Push CEO on cybercrime takedowns: 'It's an ongoing cat-and-mouse game'
Interestingly, one of the domains appears to be a Hong Kong newspaper: newhkdaily[.]com. "Whether this is an impersonation of a Hong Kong media source with which we are unfamiliar, a Psychological Operation (PSYOP) campaign, or simply a propaganda front is unclear at this time," the researchers said.
Silent Push also identified nine domains linked to UNC4841 and noted several of these [14]appear in Barracuda's ESG vulnerability documentation as associated with the hack.
The researchers recommend that defenders check their telemetry and historic logs against these [15]newly identified domains, the oldest of which was registered in May 2020, and against a list of low-density IP addresses observed in the DNS A records for all of the Salt Typhoon-related domains, using both lists as hunting material to help boot Chinese spies off critical networks.
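What that recommendation amounts to in practice, as an added example that is not Silent Push's or The Register's code: refang a published indicator list and run it over historic DNS and proxy logs, matching subdomains of a listed domain (c2.newhkdaily.com) but not look-alike names that merely contain it (notnewhkdaily.com). The three domains are the ones named on this page; the two IP addresses stand in for the low-density A-record list and, like every log line, are constructed for illustration from documentation address ranges, not published indicators.

```python
"""Hunt historic DNS and proxy logs for defanged domain and IP indicators.

Added example, not Silent Push's or The Register's code. The domains are the
three named in the article; the IPs (RFC 5737 documentation ranges) and all
log lines are constructed for illustration and are not published indicators.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators as a defanged list, the way threat-intel reports publish them.
DEFANGED_DOMAINS = [
    "newhkdaily[.]com",
    "gesturefavour[.]com",
    "clubworkmistake[.]com",
]
# Constructed placeholders standing in for the "low-density" A-record IPs.
DEFANGED_IPS = ["203[.]0[.]113[.]45", "198[.]51[.]100[.]7"]


def refang(ioc: str) -> str:
    """Turn publisher-style defanged indicators back into matchable strings."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower().rstrip(".")


@dataclass
class Hit:
    line_no: int
    indicator: str
    kind: str  # "domain" or "ip"
    line: str


@dataclass
class IocSet:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)

    @classmethod
    def from_defanged(cls, domains, ips):
        s = cls()
        s.domains = {refang(d) for d in domains}
        s.ips = {ipaddress.ip_address(refang(i)) for i in ips}
        return s

    def match_domain(self, name: str):
        """Exact match or a subdomain of an indicator; 'notnewhkdaily.com' is
        deliberately NOT a hit, a plain substring check would flag it."""
        name = name.lower().rstrip(".")
        for d in self.domains:
            if name == d or name.endswith("." + d):
                return d
        return None


# Tokens that could be hostnames or IPv4 addresses anywhere in a log line.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def hunt(lines, iocs: IocSet):
    """Return one Hit per (line, indicator kind) that matches the IOC set."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            d = iocs.match_domain(host)
            if d:
                hits.append(Hit(n, d, "domain", line))
                break  # one domain hit per line is enough for triage
        for ip in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 300.1.2.3 matched the regex
                continue
            if addr in iocs.ips:
                hits.append(Hit(n, str(addr), "ip", line))
                break
    return hits


# Constructed sample: three BIND-style query-log lines, two Squid-style proxy lines.
SAMPLE_LOG = """\
03-Mar-2024 10:12:01 client 10.20.30.40#51234: query: www.example.org IN A
03-Mar-2024 10:12:05 client 10.20.30.41#51235: query: cdn.newhkdaily.com IN A
03-Mar-2024 10:12:09 client 10.20.30.42#51236: query: notnewhkdaily.com IN A
1709460731.512 203 10.20.30.41 TCP_MISS/200 512 GET http://gesturefavour.com/ - HIER_DIRECT/203.0.113.45 text/html
1709460745.001 110 10.20.30.43 TCP_MISS/200 300 GET http://benign.example.com/ - HIER_DIRECT/198.51.100.7 text/html
""".splitlines()

IOCS = IocSet.from_defanged(DEFANGED_DOMAINS, DEFANGED_IPS)


def run_sample():
    return hunt(SAMPLE_LOG, IOCS)


if __name__ == "__main__":
    for h in run_sample():
        print(f"line {h.line_no}: {h.kind} {h.indicator} :: {h.line}")
```

Against the sample, line 2 fires on the subdomain, line 3 correctly stays quiet, line 4 fires on both the domain and the A-record IP, and line 5 fires on the IP alone, which is the case the IP list exists for: a query to an unlisted or not-yet-known domain that still resolves into the actor's hosting. The IP match is the noisier of the two, so treat it as a lead to confirm against passive DNS rather than a verdict.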
"Silent Push believes all domains associated with Salt Typhoon and UNC4841 present a significant level of risk," the report says. "Proactive measures are crucial in defending against this evolving threat."
The registration dates also support earlier indications that Salt Typhoon has been active [17]since at least 2019, although its telecom hacking activities didn't come to light [18]until last year. ®
[1] https://www.silentpush.com/blog/salt-typhoon-2025/
[2] https://www.theregister.com/2025/01/06/charter_consolidated_windstream_salt_typhoon/
[3] https://www.theregister.com/2024/12/09/white_house_salt_typhoon/
[4] https://www.theregister.com/2025/08/28/fbi_cyber_cop_salt_typhoon/
[6] https://www.theregister.com/2023/08/25/fbi_china_barracuda/
[7] https://www.theregister.com/2023/08/30/mandiant_barracuda_esg_bug/
[10] https://www.theregister.com/2025/08/28/fbi_cyber_cop_salt_typhoon/
[11] https://www.theregister.com/2023/08/25/fbi_china_barracuda/
[12] https://www.theregister.com/2025/08/28/china_salt_typhoon_alert/
[13] https://www.theregister.com/2025/08/03/silent_push_ceo_talks_cybercrime/
[14] https://trust.barracuda.com/security/information/esg-vulnerability
[15] https://www.silentpush.com/blog/salt-typhoon-2025/#Are-We-Running-Out-of-Salt?
[17] https://www.theregister.com/2025/08/28/china_salt_typhoon_alert/
[18] https://www.theregister.com/2024/11/14/salt_typhoon_hacked_multiple_telecom/
Re: Can Jessica Lyons write an article about American spying?
Define "spying".
(1) Hacking government databases.
(2) Hacking large business sites. (Examples would be places like Marks & Spencer, Jaguar Land Rover, New York Times, Washington Post, Apple, Google, Meta)
(3) Attacking individuals. (Tools like NSO/Pegasus or Paragon/Graphite come to mind)
....and of course recent DOGE activity almost certainly qualifies. (Notable would be the illegal copying of the IRS databases.)
Yup.....plenty of illegal activity for Jessica to dig into. Of course she might be worried about NSO/Pegasus and Paragon/Graphite!!!!!
Re: Can Jessica Lyons write an article about American spying?
@voiceoftruth
Is it dark under that rock or is it you that's a bit dim?
https://www.theregister.com/2025/08/01/china_us_intel_attacks/
Weird domain names
Salt Typhoon used dozens of domains, going back five years. Did you visit one?
Well, I check link destinations before clicking, and I wouldn't visit domains with names like the ones registered, e.g.
gesturefavour[.]com
clubworkmistake[.]com
I can't imagine what people thought they were going to access with domain names like that.
Re: Weird domain names
The link address doesn't show up unless you hover, so most people will never see what they're clicking on. Stealing personal information is a volume business. They don't care if the 1% of people who might hover over every link before clicking aren't swept up in the web because they'll have the 99% who don't.
Can Jessica Lyons write an article about American spying?
Just wondering. After all, the USA is the world's biggest spy so there is plenty of scope. I would like to see just one article. It might go some way to prove she is not a sock puppet.